Cisco SD-WAN Manager zero-day exploited to execute commands as root
Cisco has warned that a newly disclosed Catalyst SD-WAN Manager vulnerability is being exploited in limited attacks, allowing attackers with netadmin-level access to execute arbitrary commands as root.
The flaw, tracked as CVE-2026-20245, affects the command-line interface of Cisco Catalyst SD-WAN Manager, formerly known as SD-WAN vManage. Cisco assigned the issue a CVSS 3.1 score of 7.8, placing it in the high-severity range.
According to Cisco’s advisory, an attacker can exploit the vulnerability by uploading a crafted file to an affected system. Successful exploitation can lead to command injection and privilege escalation to the root user.
Why this Cisco SD-WAN vulnerability matters
Cisco Catalyst SD-WAN Manager controls and monitors enterprise SD-WAN deployments. A compromised manager can give attackers a path to influence edge device configurations, routing behavior, and management-plane operations.
The vulnerability does not allow direct unauthenticated exploitation on its own. Cisco says an attacker needs netadmin privileges, which means the attacker must already have valid access or first gain access through another flaw.
That condition lowers the immediate exposure, but it does not remove the risk. Cisco has already seen limited cases where exploitation of CVE-2026-20245 resulted in configuration changes being pushed to SD-WAN edge devices.
| Vulnerability | Product | Impact | Required access |
|---|---|---|---|
| CVE-2026-20245 | Cisco Catalyst SD-WAN Manager | Command execution as root | Netadmin privileges |
| CVE-2026-20182 | Cisco Catalyst SD-WAN Controller and Manager | Authentication bypass and administrative access | No authentication required |
| CVE-2026-20127 | Cisco Catalyst SD-WAN Controller and Manager | Authentication bypass and high-privilege access | No authentication required |
Attackers may chain it with older SD-WAN flaws
The main concern is exploit chaining. Cisco says an attacker may reach the required access level by using valid credentials or by exploiting previously disclosed Catalyst SD-WAN flaws such as CVE-2026-20182 or CVE-2026-20127.
Cisco Talos has tracked active exploitation of CVE-2026-20182, an authentication bypass vulnerability affecting Catalyst SD-WAN Controller and Manager. Talos linked that activity to a sophisticated threat actor it tracks as UAT-8616.
That earlier activity matters because an authentication bypass can provide the access needed for follow-on actions. Once attackers gain administrative access, CVE-2026-20245 can potentially turn that access into root-level command execution on the SD-WAN Manager system.
No dedicated patch is available yet
Cisco has not yet released a dedicated software update for CVE-2026-20245. The company says fixes will arrive in a future Catalyst SD-WAN Manager release, and it has not provided a workaround.
For now, Cisco recommends that customers upgrade to the fixed software documented in the May 14 advisory for CVE-2026-20182. Cisco also advises customers to verify the configuration of their SD-WAN edge devices after upgrading.
BleepingComputer reported that Cisco PSIRT learned about the exploitation in June after Mandiant reported the flaw. Mandiant has not publicly shared details about the attacks.
Affected deployments and risk factors
CVE-2026-20245 affects Cisco Catalyst SD-WAN Manager deployments across supported deployment models, including on-premises, Cisco-managed cloud, Cloud-Pro, and government environments.
Systems with management access exposed to the internet face higher risk, especially if administrators have not already applied fixed versions for older SD-WAN flaws. Even though this new issue requires privileges, exposed management interfaces can increase the chance of credential theft or chained exploitation.
The risk also grows in environments where SD-WAN management accounts use weak access controls, lack phishing-resistant MFA, or rely on shared administrative credentials. Those gaps can turn a high-severity privilege escalation bug into a broader network compromise.
How admins can check for possible compromise
Cisco recommends that administrators review logs for signs that attackers attempted to abuse uploaded files. The company points customers to the scripts.log file under /var/log/ for suspicious entries.
One example involves unexpected execution of the vconfd_script_upload_tenant_list.sh script with unusual file paths. These entries can appear during legitimate operations, so administrators should compare them against known maintenance windows and authorized changes.
The Cisco security advisory also recommends collecting forensic data before upgrading. Cisco tells customers to run the request admin-tech command on each SD-WAN control component before applying updates so evidence does not get overwritten.
- Review /var/log/scripts.log for suspicious script execution.
- Check edge device configurations for unexpected changes.
- Collect admin-tech bundles before upgrades.
- Restrict management access to trusted networks and administrators.
- Review netadmin accounts for unusual activity.
- Open a Cisco TAC case if indicators of compromise appear.
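The log review above is easier to do consistently with a small triage script. The following is an added example, not a tool from Cisco or from the article's sources. It assumes a constructed, line-oriented scripts.log format ("<ISO-8601 UTC timestamp> <script> <argument>"), an assumed expected upload directory (/opt/data/tenants/), and constructed sample entries and maintenance windows; Cisco's real log layout may differ, so adjust the regular expression to match what your system actually writes. It flags invocations of vconfd_script_upload_tenant_list.sh whose path argument lies outside the expected directory, contains shell metacharacters, or falls outside an approved maintenance window, which is the comparison against authorized changes the advisory asks for.

```python
"""Triage /var/log/scripts.log entries for the script Cisco names as an indicator.

Added example: the log format, expected directory and sample data below are
assumptions constructed for illustration, not Cisco-documented values.
"""
import re
from datetime import datetime, timezone

# Script named in Cisco's advisory as a log indicator.
TARGET_SCRIPT = "vconfd_script_upload_tenant_list.sh"

# ASSUMPTION: directory where legitimate tenant-list uploads are expected to land.
EXPECTED_PREFIX = "/opt/data/tenants/"

# Characters that do not belong in a file path produced by the management UI.
SUSPICIOUS_CHARS = re.compile(r"[;&|`$<>]")

# ASSUMPTION: one invocation per line, "<ISO-8601 UTC timestamp> <script> <argument>".
LINE_RE = re.compile(r"^(\S+)\s+(\S+\.sh)\s+(.*)$")

# Constructed sample log; the third line is the kind of entry that should stand out.
SAMPLE_LOG = """\
2026-06-02T01:05:11Z vconfd_script_upload_tenant_list.sh /opt/data/tenants/tenant_list.json
2026-06-02T01:06:40Z vconfd_script_some_other.sh /opt/data/other.cfg
2026-06-03T14:22:47Z vconfd_script_upload_tenant_list.sh /tmp/list.json;true
2026-06-03T14:25:02Z vconfd_script_upload_tenant_list.sh /opt/data/tenants/tenant_list.json
"""

# Constructed approved change windows (start, end), inclusive, in UTC.
MAINTENANCE_WINDOWS = [
    (datetime(2026, 6, 2, 0, 0, tzinfo=timezone.utc),
     datetime(2026, 6, 2, 2, 0, tzinfo=timezone.utc)),
]


def parse_line(line):
    """Return {'ts', 'script', 'arg'} for a well-formed line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "script": m.group(2), "arg": m.group(3)}


def in_maintenance(ts, windows):
    """True if the timestamp falls inside any approved window."""
    return any(start <= ts <= end for start, end in windows)


def triage(log_text, windows, expected_prefix=EXPECTED_PREFIX):
    """Return one finding per suspicious TARGET_SCRIPT invocation, with reasons."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or entry["script"] != TARGET_SCRIPT:
            continue
        reasons = []
        if not entry["arg"].startswith(expected_prefix):
            reasons.append("path outside expected directory")
        if SUSPICIOUS_CHARS.search(entry["arg"]):
            reasons.append("shell metacharacter in path argument")
        if not in_maintenance(entry["ts"], windows):
            reasons.append("outside approved maintenance window")
        if reasons:
            findings.append({"ts": entry["ts"].isoformat(),
                             "arg": entry["arg"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, MAINTENANCE_WINDOWS):
        print(f["ts"], f["arg"], "->", "; ".join(f["reasons"]))
```

Entries that only trip the maintenance-window check are the ones to reconcile with change tickets; an entry that trips all three checks, like the constructed /tmp line, is the point at which Cisco's advice to collect an admin-tech bundle before touching the system applies.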
Why configuration review is essential
Upgrading affected systems does not automatically reverse changes already pushed to SD-WAN edge devices. If attackers modified configurations before remediation, those changes may remain after the vulnerable software is addressed.
This is why Cisco tells customers to verify edge device configurations after upgrading. Administrators should review routing changes, device templates, control connections, SSH keys, user accounts, and recent configuration pushes.
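Comparing each edge device's current configuration against a known-good snapshot is the practical way to do the review Cisco asks for. The following is an added example, not code from Cisco or from the article's sources. It assumes a generic line-oriented device configuration and constructed baseline and current snapshots (the keywords used to classify lines as user-account, SSH-key or routing changes are assumptions, not Cisco's configuration grammar), and it reports every added or removed line grouped by the categories the paragraph above lists.

```python
"""Report configuration drift between a known-good snapshot and a current export.

Added example: the configuration syntax, classification keywords and sample
snapshots are constructed for illustration, not taken from Cisco documentation.
"""
import difflib
from collections import Counter

# ASSUMPTION: line prefixes that place a config line into a review category.
SENSITIVE = {
    "user accounts": ("user ", "username ", "group "),
    "SSH keys": ("ssh-rsa", "ssh-ed25519", "pubkey"),
    "routing": ("ip route", "router ", "bgp", "ospf"),
}

# Constructed known-good snapshot taken before the incident window.
BASELINE_CONFIG = """\
system
 host-name edge-branch-01
 site-id 100
!
user admin
 group netadmin
!
ip route 0.0.0.0/0 10.0.0.1
"""

# Constructed current export: a new netadmin user with an SSH key and an extra route.
CURRENT_CONFIG = """\
system
 host-name edge-branch-01
 site-id 100
!
user admin
 group netadmin
!
user svc-backup
 group netadmin
 ssh-rsa AAAAB3NzaC1yc2EXAMPLEKEY
!
ip route 0.0.0.0/0 10.0.0.1
ip route 10.20.0.0/16 192.0.2.10
"""


def config_lines(text):
    """Drop blank lines and '!' separators so they do not show up as drift."""
    return [l for l in text.splitlines() if l.strip() and l.strip() != "!"]


def classify(line):
    """Map a config line to a review category, or 'other'."""
    stripped = line.strip().lower()
    for category, prefixes in SENSITIVE.items():
        if stripped.startswith(prefixes):
            return category
    return "other"


def config_drift(baseline, current):
    """Return added/removed lines with categories and a per-category count."""
    base, cur = config_lines(baseline), config_lines(current)
    sm = difflib.SequenceMatcher(a=base, b=cur, autojunk=False)
    added, removed = [], []
    for tag, i1, i2, j1, j2 in sm.get_opcodes():
        if tag in ("delete", "replace"):
            removed.extend(base[i1:i2])
        if tag in ("insert", "replace"):
            added.extend(cur[j1:j2])
    added_c = [(classify(l), l) for l in added]
    removed_c = [(classify(l), l) for l in removed]
    summary = dict(Counter(c for c, _ in added_c + removed_c))
    return {"added": added_c, "removed": removed_c, "summary": summary}


if __name__ == "__main__":
    report = config_drift(BASELINE_CONFIG, CURRENT_CONFIG)
    for cat, line in report["added"]:
        print(f"+ [{cat}] {line}")
    for cat, line in report["removed"]:
        print(f"- [{cat}] {line}")
    print("summary:", report["summary"])
```

Anything in the "user accounts" or "SSH keys" buckets that no change ticket explains deserves the same treatment as a confirmed indicator, since upgrading the Manager will not remove it.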
BleepingComputer’s report notes that Catalyst SD-WAN Manager can help administrators monitor and manage large SD-WAN environments from a central dashboard. That central role makes compromise of the manager especially sensitive.
Cisco’s SD-WAN security problems continue
CVE-2026-20245 follows several exploited Cisco Catalyst SD-WAN vulnerabilities disclosed earlier in 2026. Those earlier flaws included authentication bypass and webshell-related activity against unpatched systems.
Talos previously reported that attackers exploited CVE-2026-20182 and other SD-WAN vulnerabilities to perform post-compromise activity, including configuration changes and attempts to escalate privileges.
The May advisory for CVE-2026-20182 remains important because Cisco currently points customers to that fixed software while it prepares a future release for CVE-2026-20245.
What organizations should do now
Organizations running Cisco Catalyst SD-WAN Manager should treat this as an active exploitation issue, not a routine advisory. The most urgent step is to limit who can reach the SD-WAN management plane and confirm that older SD-WAN fixes are already installed.
Security teams should also review privileged accounts, investigate unexpected configuration pushes, and preserve forensic evidence before making system changes. Where possible, management interfaces should sit behind strict access controls, trusted administrative networks, and MFA.
Because Cisco has seen attackers use the flaw to push configuration changes to edge devices, defenders should not stop at software updates. They should confirm that the SD-WAN fabric still matches intended routing, policy, and access settings.
FAQ
What is CVE-2026-20245?
CVE-2026-20245 is a high-severity Cisco Catalyst SD-WAN Manager vulnerability that can allow an authenticated attacker with netadmin privileges to execute arbitrary commands as root.
Is CVE-2026-20245 being exploited?
Yes. Cisco says it has observed limited exploitation, including cases where attackers pushed configuration changes to SD-WAN edge devices.
Does exploitation require existing access?
Yes. Cisco says attackers need netadmin privileges. They may obtain that access through valid credentials or by chaining other vulnerabilities.
Is a patch available?
Cisco has not released a dedicated fix for CVE-2026-20245 yet. It recommends upgrading to the fixed software referenced in its May 14 CVE-2026-20182 advisory while a future release is prepared.
How can admins check for compromise?
Admins should review /var/log/scripts.log, collect admin-tech bundles before upgrading, check edge device configurations, review netadmin accounts, and restrict management access to trusted networks.