Key Takeaways
- Cisco has disclosed a high‑severity command‑injection flaw (CVE‑2026-20245, CVSS 7.8) affecting Catalyst SD‑WAN Manager across on‑prem, Cloud‑Pro, Cloud (Cisco Managed), and Government (FedRAMP) deployments.
- Exploitation requires an authenticated attacker with netadmin privileges; such access can be obtained directly via valid credentials or indirectly by chaining the flaw with two authentication‑bypass vulnerabilities (CVE‑2026-20182 and CVE‑2026-20127), both of which have been actively exploited in the wild.
- Successful abuse lets the attacker run arbitrary commands as root, potentially pushing malicious configuration changes to edge SD‑WAN devices.
- No patch or mitigation is currently available for CVE‑2026-20245; Cisco advises customers to apply the fixes released for CVE‑2026-20182 (May 14, 2026) and to harden internet‑exposed systems.
- Indicators of compromise (IoCs) can be found in the /var/log/scripts.log file, where suspicious script‑upload entries reveal the use of crafted CSV files to trigger the vulnerability.
- CVE‑2026-20245 marks the seventh active‑exploitation SD‑WAN flaw reported by Cisco in 2026, underscoring a persistent threat landscape for the platform.
Overview of the Advisory
On June 6, 2026, Cisco issued a security advisory warning that a newly discovered vulnerability in the CLI of Cisco Catalyst SD‑WAN Manager (formerly known as SD‑WAN vManage) is being actively exploited in the wild. The flaw, assigned CVE‑2026-20245, carries a CVSS base score of 7.8, reflecting a high‑severity impact that could allow an attacker with appropriate privileges to gain root‑level command execution on the affected system. The advisory covers all major deployment models of the product, including on‑premises installations, Cisco SD‑WAN Cloud‑Pro, Cisco SD‑WAN Cloud (Cisco Managed), and Cisco SD‑WAN for Government (FedRAMP). Cisco emphasized that while the vulnerability is serious, successful exploitation hinges on the attacker first obtaining netadmin privileges on the target system.
Technical Details of CVE‑2026-20245
The root cause of CVE‑2026-20245 is insufficient validation of user‑supplied input within the SD‑WAN Manager’s command‑line interface. An attacker who can upload a specially crafted file to the system can manipulate the parsing logic, leading to a command‑injection condition. When the malicious file is processed, the underlying script executes with the privileges of the vmanage service account, which operates as root. Consequently, the attacker gains the ability to run arbitrary commands, modify system files, create new user accounts, or alter SD‑WAN policies and configurations. Cisco noted that the exploitation chain observed in the wild has resulted in configuration pushes to edge devices, potentially disrupting traffic or opening backdoors for further lateral movement.
Privilege Requirements and Attack Chain
To leverage CVE‑2026-20245, an attacker must first possess netadmin privileges on the Catalyst SD‑WAN Manager. Cisco clarified that this level of access can be achieved in two ways: (1) by using legitimate credentials belonging to a netadmin‑role user, or (2) by chaining the flaw with one of two previously disclosed authentication‑bypass vulnerabilities—CVE‑2026-20182 or CVE‑2026-20127. Both of those CVEs enable unauthenticated, remote attackers to escalate to administrative privileges without needing any valid login information. Since CVE‑2026-20182 and CVE‑2026-20127 have already been observed as zero‑day exploits in the wild (with threat activity cluster UAT‑8616 linked to the latter as far back as 2023), attackers can effectively bypass authentication and then pivot to the command‑injection flaw to achieve full root control.
Related Vulnerabilities and Exploitation Context
CVE‑2026-20245 is not an isolated incident; it is the seventh Cisco SD‑WAN‑related vulnerability identified as actively exploited during 2026. The preceding flaws include CVE‑2026-20182 (authentication bypass, CVSS 10.0), CVE‑2026-20127 (another authentication bypass), CVE‑2026-20122, CVE‑2026-20128, CVE‑2026-20133, and the older CVE‑2022-20775. The rapid succession of high‑impact issues highlights a persistent attack surface within the SD‑WAN Manager component, particularly around its CLI and file‑upload mechanisms. Cisco’s advisory notes that the same threat actors leveraging the authentication‑bypass bugs are likely behind the current exploitation of CVE‑2026-20245, although the exact identity of the latest perpetrators remains unknown.
Mitigation Guidance and Patch Status
At the time of the advisory, Cisco reported that no direct patch or mitigation exists for CVE‑2026-20245. Instead, the vendor recommends a defense‑in‑depth approach: customers should ensure they have applied the fixes released for CVE‑2026-20182 on May 14, 2026, which close the authentication‑bypass vector that attackers often use to gain the requisite netadmin privileges. Additionally, Cisco advises organizations to restrict internet‑exposed SD‑WAN Manager interfaces, enforce strong authentication and least‑privilege principles for netadmin accounts, and monitor systems for signs of compromise. Hardening the host operating system, limiting file‑upload capabilities to trusted directories, and employing application‑control solutions can also reduce the likelihood of successful command injection.
Indicators of Compromise (IoCs)
To assist defenders in detecting possible exploitation, Cisco provided specific log entries to search for in the /var/log/scripts.log file. Example IoCs include lines such as:
Apr 15 09:44:57 vmanage vScript: Tenant list upload per vsmart serial number: /usr/bin/vconfd_script_upload_tenant_list.sh -cli path /home/admin/malicious.csv vpn 0
Jun 5 13:06:39 Manager vScript: vSmart upload serial numbers: /usr/bin/vconfd_script_upload_vsmart_serial_numbers.sh -cli path /home/admin/vsmart_serial_numbers_safe.csv
Jun 5 13:08:47 Validator vScript: ZTP upload chassis numbers: /usr/bin/vconfd_script_upload_chassis_number_file.sh -cli path /home/admin/chassis_numbers_safe.csv
These entries show the invocation of legitimate upload scripts with a -cli path argument pointing to user‑supplied CSV files located in /home/admin/. The presence of unfamiliar or unexpected file names (e.g., malicious.csv) in such logs may indicate an attempt to exploit CVE‑2026-20245. Security teams are encouraged to correlate these log findings with other telemetry—such as process creation events, privileged command executions, or unexpected configuration changes on edge SD‑WAN devices—to build a comprehensive detection strategy.
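As an added example (not from Cisco's advisory or this article), the following Python scanner applies the detection described above to lines from /var/log/scripts.log: it parses the vScript upload entries, extracts the script and the -cli path argument, and flags uploads whose CSV name is not on an operator‑maintained allowlist or whose path lies outside the expected upload directory. The allowlist, the expected directory and the sample log lines are constructed assumptions for this example.

```python
import re

# Regex for the vScript upload entries quoted in the advisory, shaped like:
# "<Mon> <day> <time> <host> vScript: <action>: <script> -cli path <file> [args]"
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) vScript: "
    r"(?P<action>[^:]+): (?P<script>/usr/bin/vconfd_script_\S+) -cli path (?P<path>\S+)"
)

# Assumptions (constructed for this example): the directory the upload scripts
# are normally pointed at, and an operator-maintained allowlist of CSV names
# that are legitimately uploaded in this environment.
EXPECTED_DIR = "/home/admin/"
KNOWN_GOOD_FILES = {"vsmart_serial_numbers_safe.csv", "chassis_numbers_safe.csv"}

def parse_line(line):
    """Parse one scripts.log line; return a dict for vScript upload entries, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    name = event["path"].rsplit("/", 1)[-1]
    reasons = []
    if not event["path"].startswith(EXPECTED_DIR):
        reasons.append("path outside expected upload directory")
    if name not in KNOWN_GOOD_FILES:
        reasons.append("file name not on allowlist")
    event["suspicious"] = bool(reasons)
    event["reason"] = "; ".join(reasons)
    return event

def scan(lines):
    """Return only the suspicious upload events from an iterable of log lines."""
    return [e for e in map(parse_line, lines) if e and e["suspicious"]]

# Constructed sample modelled on the advisory's example entries, plus one
# unrelated line to show that non-matching records are ignored.
SAMPLE_LOG = """\
Apr 15 09:44:57 vmanage vScript: Tenant list upload per vsmart serial number: /usr/bin/vconfd_script_upload_tenant_list.sh -cli path /home/admin/malicious.csv vpn 0
Jun 5 13:06:39 Manager vScript: vSmart upload serial numbers: /usr/bin/vconfd_script_upload_vsmart_serial_numbers.sh -cli path /home/admin/vsmart_serial_numbers_safe.csv
Jun 5 13:08:47 Validator vScript: ZTP upload chassis numbers: /usr/bin/vconfd_script_upload_chassis_number_file.sh -cli path /home/admin/chassis_numbers_safe.csv
Jun 5 13:09:01 Manager sshd[1234]: Accepted publickey for admin
""".splitlines()

if __name__ == "__main__":
    for ev in scan(SAMPLE_LOG):
        print(f'{ev["ts"]} {ev["host"]} {ev["script"]} {ev["path"]}: {ev["reason"]}')
```

Run against the real file (for example, piping `/var/log/scripts.log` into `scan`) and feed the flagged events to the correlation step the advisory recommends; the allowlist should be maintained from your own change records rather than taken from this example.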
Broader Implications and Recommendations
The active exploitation of CVE‑2026-20245 underscores the importance of maintaining rigorous patch management and privileged‑access controls for critical network‑management platforms. Even when a direct fix is unavailable for a specific vulnerability, addressing prerequisite flaws (like the authentication‑bypass CVEs) can significantly raise the attack barrier. Organizations should also consider implementing network segmentation to isolate SD‑WAN Manager from untrusted networks, deploying multi‑factor authentication for administrative accounts, and conducting regular penetration tests focused on CLI and file‑upload functionalities. By staying vigilant and applying the layered defenses outlined by Cisco, defenders can mitigate the risk posed by this and similar high‑severity flaws in the SD‑WAN ecosystem.