Root command injection in Cisco Catalyst SD-WAN CLI via crafted file upload

This repository is a small standalone Python proof-of-concept exploit for CVE-2026-20245, accompanied by a descriptive README. The codebase contains one executable script, CVE-2026-20245.py, and one documentation file. The Python script uses the requests library to authenticate to a Cisco Catalyst SD-WAN web interface over HTTPS, obtain an XSRF token, generate a malicious CSV, and upload it to several candidate /dataservice endpoints in an attempt to trigger authenticated command injection and privilege escalation from netadmin to root. Exploit flow: the script accepts target, username, password, optional command, and port arguments; posts credentials to /j_security_check; checks for a JSESSIONID cookie; fetches /dataservice/client/token; then uploads a crafted CSV file to multiple upload endpoints until one appears successful. The injected payload is placed in the serial_number field and uses shell substitution syntax such as $( command ). Although multiple injection styles are defined in craft_payload(), only the first style is actually embedded in the CSV returned by the function. Capabilities: authenticated access validation, session handling, XSRF token retrieval, malicious file generation, multi-endpoint upload attempts, and attacker-controlled command execution if the target is vulnerable. The script does not include post-exploitation automation, output retrieval, persistence, or a reverse shell payload by default; it simply reports likely success based on HTTP responses. Because it carries a customizable command parameter but no robust result collection, it is best classified as an operational PoC rather than a fully weaponized exploit. Notable implementation details: TLS certificate verification is disabled; success is inferred from HTTP status codes 200/201/202 or non-error responses; the exploit assumes valid administrative credentials and reachable HTTPS management endpoints. The README expands on the claimed impact, affected Cisco SD-WAN components, and defensive guidance, but the actual exploit logic is entirely contained in the single Python file.

Repository contains a single Python exploit script, a README, a sample expected-output file, and a license. The main file `CVE-2026-20245-CWE116-PoC.py` is a standalone authenticated exploit for alleged Cisco Catalyst SD-WAN privilege escalation via command injection in CSV upload handling. The script structure is typical of an operational PoC: it initializes a requests session, authenticates to the appliance via `/j_security_check`, retrieves an XSRF token from `/dataservice/client/token`, crafts malicious CSV content with multiple shell-injection syntaxes, uploads the file to dataservice upload endpoints, and then triggers processing to achieve root command execution. The code indicates support for version checking, command execution, cleanup, and optional persistence installation. The default post-exploitation command is reconnaissance (`id && uname -a && whoami`), but the operator can supply arbitrary shell commands; the README also shows a reverse-shell example. Fingerprintable target-side artifacts include `/var/log/scripts.log`, `/home/admin/*.csv`, `/tmp/*.csv`, and `/tmp/exploit`. Overall, this is not a framework module but a direct Python PoC/exploit intended for authenticated remote exploitation over HTTPS against vulnerable Cisco SD-WAN management components.