High

Command Injection in Cisco Catalyst SD-WAN Manager CLI

IdentifiersCVE-2026-20245CWE-77

CVE-2026-20245 is a command injection vulnerability in the CLI of Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage). The flaw is caused by insufficient validation of user-supplied input during processing of an uploaded file. An authenticated local attacker can exploit the issue by uploading a crafted file to the affected system, causing the CLI processing path to execute attacker-controlled commands. Successful exploitation results in arbitrary command execution with root privileges on the SD-WAN Manager host. Cisco stated the issue affects all Catalyst SD-WAN Manager deployment models, and observed exploitation in limited cases led to configuration changes being pushed to edge devices.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an attacker to execute arbitrary commands as root on the affected Cisco Catalyst SD-WAN Manager system. This enables full local privilege escalation from netadmin to root and can support follow-on actions such as unauthorized configuration changes, persistence, manipulation of SD-WAN orchestration behavior, and potentially broader compromise of managed edge infrastructure. Cisco observed limited real-world exploitation resulting in configuration changes pushed to edge devices.

Mitigation

If you can’t patch tonight, do this now.

No specific workaround is described in the provided content beyond upgrading to Cisco-fixed software and verifying edge-device configuration. Cisco additionally advised reviewing /var/log/scripts.log for suspicious entries related to crafted file uploads, collecting forensic data with the request admin-tech command, and contacting Cisco TAC if compromise is suspected.

Remediation

Patch, then assume compromise.

Cisco recommends upgrading Cisco Catalyst SD-WAN Manager to the fixed software documented in the Cisco advisory published on May 14, 2026, and verifying the configuration of edge devices. The provided content also indicates administrators should review logs and device configurations after upgrading because patching alone may not remediate systems that were already compromised. If indicators of compromise are present, Cisco advises engaging Cisco TAC and collecting forensic data such as an admin-tech bundle before making changes.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

ACTIVITY FEED

Recent activity

26 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

26 SOURCESView more in app

cyber security newsNews

Jun 5, 2026

Cisco SD-WAN Vulnerability Exploited in the Wild to Execute Arbitrary Commands as Root User

A high-severity command injection and privilege escalation vulnerability in Cisco Catalyst SD-WAN Manager caused by improper input validation and insufficient sanitization of uploaded file input, allowing an authenticated attacker to execute arbitrary commands as root.

security online infoNews

Jun 5, 2026

Cisco SD-WAN Vulnerability Exploited in the Wild

A command injection vulnerability in the CLI of Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage) that allows an authenticated local attacker with netadmin privileges to execute arbitrary commands as root via a crafted file.

bleeping computerNews

Jun 5, 2026

Cisco warns of unpatched SD-WAN zero-day exploited in attacks

A high-severity unpatched zero-day in Cisco Catalyst SD-WAN Manager that allows local attackers with low privileges to upload a crafted file, achieve command injection, and escalate privileges to root.

help net securityNews

Jun 5, 2026

Cisco SD-WAN 0-day exploited, no patch available (CVE-2026-20245) - Help Net Security

A zero-day privilege escalation vulnerability in the command-line interface of Cisco Catalyst SD-WAN Manager caused by insufficient validation of user-supplied input, allowing authenticated local attackers to execute arbitrary commands as root.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity22

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-20245

NVD

nvd.nist.gov/vuln/detail/CVE-2026-20245

MITRE CWE · CWE-77

cwe.mitre.org

sec.cloudapps.cisco.com

sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-privesc-4uxFrdzx

sec.cloudapps.cisco.com

sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa2-v69WY2SW