CVE-2026-20245: Cisco SD-WAN Manager Zero-Day Enables Root Command Execution

SOC Prime Team

Cisco has disclosed a seventh SD-WAN zero-day exploited in 2026, tracked as CVE-2026-20245. The flaw affects the command-line interface of Cisco Catalyst SD-WAN Manager and can allow an authenticated remote attacker with netadmin privileges to execute arbitrary commands as root by uploading a crafted file. Cisco says exploitation has already been observed in limited cases, including incidents where configuration changes were pushed to edge devices.

The netadmin requirement should not be read as lowering the risk. Cisco says the attacker must already hold netadmin privileges, but those can come from stolen credentials or from chaining previously disclosed SD-WAN flaws such as CVE-2026-20182 or CVE-2026-20127. According to Cisco’s disclosure as summarized by Help Net Security and SecurityWeek, the issue affects all Cisco Catalyst SD-WAN deployment types, including on-prem, Cloud-Pro, Cisco Managed Cloud, and FedRAMP environments.

CVE-2026-20245 analysis

The root cause is insufficient validation of user-supplied input in the SD-WAN Manager CLI. Cisco’s public description says an authenticated attacker can upload a crafted file and trigger command injection, ultimately elevating privileges to root on the affected system. SecurityWeek adds that Cisco PSIRT learned about the exploitation in June 2026, which suggests the disclosure was accelerated because the bug was already being abused in the wild.

Two details matter most: this is not a remote unauthenticated bug by itself, and the exploit path appears closely tied to prior SD-WAN compromise activity. Cisco is not aware of successful exploitation by any method other than obtaining the required privileged access first, which is why defenders should treat the issue as one link in a broader SD-WAN intrusion chain rather than as a standalone initial-access vector.

At the time of disclosure, the cited sources did not point to a public CVE-2026-20245 PoC, but Cisco did confirm active exploitation and said Mandiant reported the flaw. In practical terms, the attacker’s CVE-2026-20245 payload is a crafted file uploaded through the CLI workflow to trigger command injection and root-level execution, not a conventional malware dropper delivered from outside the appliance.
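To make the weakness class concrete, the following is an added illustration of untrusted upload input reaching a shell, set beside a hardened form. It is not Cisco's code and does not reproduce the actual CVE-2026-20245 trigger: the upload handler, the archive command, and the `/var/tmp/uploads` and `/opt/import` paths are assumptions for the example.

```python
import re
import shlex

# Added illustration of the weakness class (caller-controlled input spliced
# into a shell command), not Cisco's code. Paths and the tar command are assumed.


def unsafe_import_command(upload_name: str) -> str:
    # Vulnerable pattern: the file name supplied with the upload is concatenated
    # into a command string that a handler would pass to /bin/sh -c.
    return f"tar -xzf /var/tmp/uploads/{upload_name} -C /opt/import"


def shell_tokens(command: str) -> list[str]:
    # Tokenize the way a POSIX shell would, returning ';', '|' and '&' as their
    # own tokens so an injected second command becomes visible.
    return list(shlex.shlex(command, punctuation_chars=True))


def injected_commands(command: str) -> list[str]:
    # Command words that follow a shell separator. Empty list means the string
    # would run as a single command.
    toks = shell_tokens(command)
    extra = []
    for i, tok in enumerate(toks[:-1]):
        if tok and all(c in ";|&" for c in tok):
            extra.append(toks[i + 1])
    return extra


# Hardened form: allowlist the name and never go through a shell at all.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


def validate_upload_name(upload_name: str) -> str:
    # Rejects path separators, shell metacharacters and traversal sequences.
    if not SAFE_NAME.fullmatch(upload_name) or ".." in upload_name:
        raise ValueError(f"rejected upload name: {upload_name!r}")
    return upload_name


def safe_import_argv(upload_name: str) -> list[str]:
    # Pass this list to subprocess.run(argv): with no shell involved, a
    # metacharacter in the name can never start a second command.
    name = validate_upload_name(upload_name)
    return ["tar", "-xzf", f"/var/tmp/uploads/{name}", "-C", "/opt/import"]


if __name__ == "__main__":
    bad = unsafe_import_command("report.tgz;id")
    print(bad, "->", injected_commands(bad))
    print(safe_import_argv("report.tgz"))
```

The first function shows why input validation and shell-free execution both matter: validation alone still leaves the string-building pattern in place, and argv-style execution alone still lets an unvalidated name point outside the upload directory.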

From an operational perspective, CVE-2026-20245 affects some of the most sensitive systems in an SD-WAN deployment because SD-WAN Manager sits at the management plane. Cisco said observed exploitation resulted in configuration changes pushed to edge devices, which means successful abuse can extend beyond the management node itself and alter the behavior of downstream network infrastructure.

CVE-2026-20245 Mitigation

There was no patch and no workaround available at disclosure, so CVE-2026-20245 mitigation is centered on hardening, evidence preservation, and compromise review. Cisco’s guidance, as quoted by Help Net Security, is to collect admin-tech data from each control component before any upgrade activity, then upgrade as soon as a fixed release is available and verify the configuration of edge devices. Collecting evidence first matters because a software update alone may not fully resolve the situation if the system has already been compromised, and the upgrade can overwrite the traces needed to tell.

Cisco has also published CVE-2026-20245 IOCs in the form of specific log guidance. Help Net Security says customers should review those logs and, if compromise is confirmed, work directly with Cisco TAC for targeted remediation steps. SecurityWeek likewise notes that Cisco has made indicators available while it prepares a future Catalyst SD-WAN Manager release containing the fix.

For defenders trying to detect CVE-2026-20245, the most practical approach is to review SD-WAN Manager appliances for signs of unauthorized root-level activity, suspicious file uploads, and unexpected configuration pushes to edge devices. Because Cisco explicitly tied the prerequisite access to compromised credentials or earlier SD-WAN bugs, organizations should also validate that previously disclosed authentication and privilege-escalation flaws are fully remediated across the estate.

More broadly, CVE-2026-20245 detection should be treated as incident response rather than routine patch management. If logs indicate abuse, Cisco warns that simply installing the future software fix will not by itself secure the environment, and customers should engage TAC for recovery guidance tailored to the confirmed compromise.
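The review described above can be turned into a simple correlation rule: a file upload by a netadmin account that is followed, within a short window, by a root-level process or a configuration push to edge devices. The block below is an added example, not SOC Prime's or Cisco's detection content. The event records are constructed for the example, and their field and action names (`file_upload`, `process_exec`, `config_push`, `uid`, `devices`) are assumptions rather than Cisco's SD-WAN Manager log schema; map your real audit and process telemetry onto them.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events for this added example. The schema is assumed for
# illustration and is not Cisco's SD-WAN Manager log format.
SAMPLE_EVENTS = [
    {"ts": "2026-06-05T01:10:02Z", "user": "netops", "action": "login", "src": "10.20.0.5"},
    {"ts": "2026-06-05T01:12:40Z", "user": "netops", "action": "file_upload", "name": "report.csv"},
    {"ts": "2026-06-05T01:12:41Z", "user": "netops", "action": "process_exec", "uid": 0, "cmd": "/bin/sh"},
    {"ts": "2026-06-05T01:15:09Z", "user": "netops", "action": "config_push", "devices": ["vedge-01", "vedge-02"]},
    {"ts": "2026-06-05T09:00:00Z", "user": "alice", "action": "login", "src": "10.20.0.7"},
    {"ts": "2026-06-05T09:05:00Z", "user": "alice", "action": "config_push", "devices": ["vedge-03"]},
    {"ts": "2026-06-05T09:20:00Z", "user": "alice", "action": "file_upload", "name": "cert.pem"},
]

WINDOW = timedelta(minutes=15)  # assumed correlation window; tune for your estate


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def find_upload_chains(events, window=WINDOW):
    """Flag a file upload that is followed, within `window` and by the same
    account, by a root-level process or a config push to edge devices.
    Order matters: a push that precedes the upload is ordinary admin work."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev)

    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: parse_ts(e["ts"]))
        for i, ev in enumerate(evs):
            if ev["action"] != "file_upload":
                continue
            t0 = parse_ts(ev["ts"])
            later = [e for e in evs[i + 1:] if parse_ts(e["ts"]) - t0 <= window]
            root_exec = [e for e in later if e["action"] == "process_exec" and e.get("uid") == 0]
            pushes = [e for e in later if e["action"] == "config_push"]
            if not (root_exec or pushes):
                continue
            devices = sorted({d for p in pushes for d in p["devices"]})
            findings.append({
                "user": user,
                "upload": ev["name"],
                "upload_ts": ev["ts"],
                "root_exec": len(root_exec),
                "pushed_to": devices,
                # Upload, root execution and a downstream push together match
                # the exploitation pattern Cisco described.
                "severity": "high" if root_exec and pushes else "medium",
            })
    return findings


if __name__ == "__main__":
    for finding in find_upload_chains(SAMPLE_EVENTS):
        print(finding)
```

On the sample data only the `netops` session is flagged: its upload is followed within a minute by a root shell and within three minutes by a push to two edge devices. The `alice` session is not, because her push happened before the upload and nothing followed the upload. A hit from a rule like this is an incident-response trigger, not a ticket for patch management: preserve the admin-tech data and involve Cisco TAC before changing the appliance.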

FAQ

What is CVE-2026-20245 and how does it work?

It is a command injection vulnerability in the CLI of Cisco Catalyst SD-WAN Manager. Cisco says an attacker with netadmin privileges can upload a crafted file to an affected system and execute arbitrary commands as root.

When was CVE-2026-20245 first discovered?

The private discovery date has not been publicly disclosed in the cited reporting. What is public is that Cisco disclosed the flaw on June 5, 2026, said PSIRT learned about exploitation in June, and credited Mandiant with reporting the vulnerability.

What is the impact of CVE-2026-20245 on systems?

Successful exploitation can allow arbitrary command execution as root on Cisco Catalyst SD-WAN Manager. Cisco also said it observed cases where exploitation led to configuration changes being pushed to edge devices, raising the potential for wider network impact.

Can CVE-2026-20245 still affect me in 2026?

Yes. Any affected Cisco Catalyst SD-WAN Manager deployment can still be exposed in 2026 if it remains unpatched and an attacker can obtain the required netadmin privileges, whether through stolen credentials or chained SD-WAN vulnerabilities. At disclosure, Cisco had not yet released a fix.

How can I protect myself from CVE-2026-20245?

Preserve evidence with the admin-tech collection process, review Cisco’s published log indicators, verify edge-device configurations, remediate any linked SD-WAN access flaws, and apply Cisco’s future fixed release as soon as it becomes available. If compromise is confirmed, Cisco advises working with TAC because patching alone may not fully remediate the system.

Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.
