Cisco Catalyst SD-WAN Manager Hit by Actively Exploited CVE-2026-20245 Vulnerability

Cisco has recently disclosed a high-severity security vulnerability, identified as CVE-2026-20245, affecting its Catalyst SD-WAN Manager. This flaw has been actively exploited, posing significant risks to various deployment types, including On-Prem Deployment, Cisco SD-WAN Cloud-Pro, Cisco SD-WAN Cloud (Cisco Managed), and Cisco SD-WAN for Government (FedRAMP).

Understanding CVE-2026-20245

CVE-2026-20245 carries a Common Vulnerability Scoring System (CVSS) score of 7.8 out of 10, indicating a high level of severity. The vulnerability resides in the Command Line Interface (CLI) of Cisco Catalyst SD-WAN Manager, formerly known as SD-WAN vManage. It allows an authenticated, local attacker with netadmin privileges to execute arbitrary commands as the root user by supplying a crafted file to the affected system.

The root cause of this vulnerability is insufficient validation of user-supplied input. An attacker can exploit this flaw by uploading a specially crafted file, leading to command injection attacks and privilege escalation to root. To successfully exploit this vulnerability, the attacker must possess netadmin privileges, which can be obtained through valid credentials or by exploiting other vulnerabilities such as CVE-2026-20182 or CVE-2026-20127. Cisco has noted that there is no evidence of successful exploitation by other methods.

Contextualizing CVE-2026-20245

This vulnerability is part of a series of security issues affecting Cisco’s SD-WAN solutions. Notably, CVE-2026-20182, disclosed in May 2026, is an authentication bypass flaw with a CVSS score of 10.0. It allows unauthenticated, remote attackers to gain administrative privileges on vulnerable systems. Similarly, CVE-2026-20127, another authentication bypass vulnerability, has been exploited by a threat actor known as UAT-8616 since at least 2023.

The exploitation of these vulnerabilities underscores the persistent threats targeting Cisco’s SD-WAN infrastructure. The active exploitation of CVE-2026-20245 has led to configuration changes being pushed to edge devices, indicating a sophisticated level of attack. Cisco has credited researchers from Google Mandiant—Chester Sng, Pete Boonyakarn, and Logeswaran Nadarajan—for discovering and reporting this vulnerability. The identity of the actors behind the recent exploitation efforts remains unknown.

Current Status and Recommendations

As of now, there are no patches or mitigations available for CVE-2026-20245. Cisco advises customers to upgrade their SD-WAN software to ensure that fixes for CVE-2026-20182, released on May 14, 2026, are applied. Systems exposed to the internet are at a heightened risk of compromise.

To detect potential indicators of compromise (IoCs), administrators should examine the /var/log/scripts.log file for specific entries, such as:

– Apr 15 09:44:57 vmanage vScript: Tenant list upload per vsmart serial number: /usr/bin/vconfd_script_upload_tenant_list.sh -cli path /home/admin/malicious.csv vpn 0

– Jun 5 13:06:39 Manager vScript: vSmart upload serial numbers: /usr/bin/vconfd_script_upload_vsmart_serial_numbers.sh -cli path /home/admin/vsmart_serial_numbers_safe.csv

– Jun 5 13:08:47 Validator vScript: ZTP upload chassis numbers: /usr/bin/vconfd_script_upload_chassis_number_file.sh -cli path /home/admin/chassis_numbers_safe.csv
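As an added example (not from the article and not Cisco's own tooling), the following Python parses scripts.log-style lines and extracts every invocation of the three upload scripts quoted above together with the file handed to "-cli path", so each entry can be reviewed against expected administrator activity. The sample log is constructed from the article's three entries plus one unrelated line; the regex shape is an assumption based on those entries.

```python
import re
from dataclasses import dataclass

# Scripts named in the IoC guidance above. A netadmin-supplied file passed to any
# of them via "-cli path" is what to review; this list is taken from the quoted
# entries and is not claimed to be exhaustive.
UPLOAD_SCRIPTS = {
    "vconfd_script_upload_tenant_list.sh",
    "vconfd_script_upload_vsmart_serial_numbers.sh",
    "vconfd_script_upload_chassis_number_file.sh",
}

# Assumed layout: "<Mon> <d> <hh:mm:ss> <host> vScript: <label>: <script> <args>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) vScript: "
    r"(?P<label>[^:]+): (?P<script>\S+)(?P<args>.*)$"
)
PATH_RE = re.compile(r"-cli path (?P<path>\S+)")

@dataclass
class UploadEvent:
    timestamp: str
    host: str
    script: str
    path: str

def parse_line(line: str):
    """Return an UploadEvent for a matching upload-script entry, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    script = m.group("script").rsplit("/", 1)[-1]   # strip /usr/bin/
    if script not in UPLOAD_SCRIPTS:
        return None
    p = PATH_RE.search(m.group("args"))
    return UploadEvent(m.group("ts"), m.group("host"), script, p.group("path") if p else "")

def find_upload_events(lines):
    """Scan scripts.log lines; every returned event is a file upload to triage."""
    return [ev for ev in map(parse_line, lines) if ev is not None]

# Constructed sample: the article's three entries plus one unrelated line.
SAMPLE_LOG = [
    "Apr 15 09:44:57 vmanage vScript: Tenant list upload per vsmart serial number: /usr/bin/vconfd_script_upload_tenant_list.sh -cli path /home/admin/malicious.csv vpn 0",
    "Jun 5 13:06:39 Manager vScript: vSmart upload serial numbers: /usr/bin/vconfd_script_upload_vsmart_serial_numbers.sh -cli path /home/admin/vsmart_serial_numbers_safe.csv",
    "Jun 5 13:07:01 Manager sshd[1234]: Accepted publickey for admin from 10.0.0.5",
    "Jun 5 13:08:47 Validator vScript: ZTP upload chassis numbers: /usr/bin/vconfd_script_upload_chassis_number_file.sh -cli path /home/admin/chassis_numbers_safe.csv",
]

if __name__ == "__main__":
    for ev in find_upload_events(SAMPLE_LOG):
        print(f"{ev.timestamp} {ev.host} {ev.script} <- {ev.path}")
```

On a real system, feed the output of reading /var/log/scripts.log into find_upload_events and compare each path and timestamp with the change records of your own administrators.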

The discovery of CVE-2026-20245 marks the seventh vulnerability in Cisco’s SD-WAN solutions to be actively exploited in 2026. Previous vulnerabilities include CVE-2026-20182, CVE-2026-20127, CVE-2026-20122, CVE-2026-20128, CVE-2026-20133, and CVE-2022-20775.

Broader Implications

The recurrence of vulnerabilities in Cisco’s SD-WAN products highlights the critical need for robust security measures in network infrastructure. Organizations relying on these solutions must remain vigilant, regularly update their systems, and monitor for unusual activities. The active exploitation of these vulnerabilities by sophisticated threat actors underscores the importance of proactive security practices and timely application of patches when they become available.

Conclusion

The active exploitation of CVE-2026-20245 in Cisco’s Catalyst SD-WAN Manager serves as a stark reminder of the evolving threat landscape targeting network infrastructures. Organizations must prioritize security, stay informed about emerging vulnerabilities, and implement recommended measures to safeguard their systems against potential attacks.