Cisco Catalyst SD-WAN Manager CVE-2026-20245 / CVE-2026-20262 exploitation
Summary
CVE-2026-20245 is an authenticated privilege-escalation vulnerability in the CLI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage. Cisco says the flaw can let a local authenticated attacker with netadmin privileges upload a crafted file and execute commands as root on an affected manager.
Cisco PSIRT became aware of CVE-2026-20245 exploitation in June 2026. Cisco ties viable access to valid netadmin credentials or prior exploitation of CVE-2026-20182 or CVE-2026-20127, and says it has observed limited cases where exploitation resulted in configuration changes pushed to edge devices. Cisco had not released a direct software fix for CVE-2026-20245 at advisory version 1.2 and said there were no workarounds.
On June 15, 2026, Cisco and CISA also surfaced CVE-2026-20262, an authenticated web-UI arbitrary-file-write vulnerability that can overwrite operating-system files and later elevate to root when an attacker has valid write access. Treat the two issues as related SD-WAN Manager control-plane triage items even though the exploit paths differ.
Tags
- ops
- operations
- Cisco
- Catalyst SD-WAN Manager
- SD-WAN
- vManage
- CVE-2026-20245
- CVE-2026-20262
- CVE-2026-20182
- CVE-2026-20127
- active exploitation
- privilege escalation
- command injection
- edge appliance
- incident response
Why this matters
- SD-WAN managers sit on a high-impact control plane: compromise can affect centralized orchestration and configuration pushed to edge devices.
- The bug is not exploitable pre-authentication from the internet by itself, but Cisco explicitly links exploitation prerequisites to valid netadmin access or earlier SD-WAN Manager flaws.
- Cisco's public remediation language emphasizes evidence preservation before upgrade because applying a software update alone may not resolve compromise if the system was already altered.
- There was no direct fixed release or workaround for CVE-2026-20245 at publication time, so exposure management depends on validating access paths, preserving logs, and following Cisco TAC remediation for confirmed compromises.
Operational characteristics
- Affected component: Cisco Catalyst SD-WAN Manager / formerly SD-WAN vManage CLI.
- Affected deployment types: Cisco says the issue affects Catalyst SD-WAN Manager regardless of device configuration across on-prem, Cisco SD-WAN Cloud-Pro, Cisco-managed SD-WAN Cloud, and SD-WAN for Government / FedRAMP deployments.
- Exploit primitive: authenticated command injection through a crafted file uploaded to the affected system, resulting in root-level command execution.
- Required privileges: Cisco says exploitation requires netadmin privileges on the affected system, obtained through valid credentials or exploitation of CVE-2026-20182 or CVE-2026-20127; Cisco says it is not aware of successful exploitation by other methods.
- Observed impact: Cisco observed limited cases where exploitation resulted in configuration changes pushed to edge devices.
- Fix status: at advisory version 1.2, Cisco said it planned to address the issue in a future release, had not released software updates for CVE-2026-20245, and had no workaround.
- Source attribution: Cisco credits Chester Sng, Pete Boonyakarn, and Logeswaran Nadarajan of Mandiant for reporting the vulnerability.
June 15 companion: CVE-2026-20262 arbitrary file write
On June 15, 2026, Cisco also published CVE-2026-20262, an authenticated remote arbitrary-file-write vulnerability in the Catalyst SD-WAN Manager web UI. CISA added it to KEV the same day.
Cisco describes the primitive as improper validation of user-supplied input during a file-upload process. An authenticated attacker with at least write access can send a crafted HTTP request to an affected API endpoint to create or overwrite any file on the underlying operating system; Cisco warns the file can later be used to elevate to root. Cisco released software updates for CVE-2026-20262 and says there are no workarounds.
Operationally, CVE-2026-20262 belongs beside CVE-2026-20245 because both require valid access but can turn SD-WAN Manager control-plane access into root-level host impact. Cisco's public indicators include suspicious WAR upload paths such as:
uploaded Remote Access Anyconnect profile file: ../../../../var/lib/wildfly/standalone/deployments/suspicious.war to vManage
Defender heuristics
- Treat any internet-exposed Catalyst SD-WAN Manager or manager with exposed ports as a priority review target, especially when prior CVE-2026-20182 / CVE-2026-20127 exposure is plausible or any user with write access may be compromised.
- Preserve evidence before disruptive remediation: Cisco recommends running request admin-tech from each control component in the SD-WAN deployment before upgrading, and retaining relevant logs before moving to fixed releases.
- For CVE-2026-20245, audit /var/log/scripts.log for Cisco's example command paths, then compare them against expected administrative activity because Cisco notes these commands can also be legitimate:
  vconfd_script_upload_tenant_list.sh -cli path ...
  vconfd_script_upload_vsmart_serial_numbers.sh -cli path ...
  vconfd_script_upload_chassis_number_file.sh -cli path ...
- For CVE-2026-20262, audit /var/log/nms/vmanage-server.log and /var/log/nms/vmanage-appserver.log for suspicious Remote Access AnyConnect profile uploads, path traversal sequences such as ../, unexpected .war deployment paths, and follow-on application-server deployment messages.
- Investigate unexpected SD-WAN template, tenant-list, vSmart serial-number, chassis-number, AnyConnect profile, WAR deployment, and edge-device configuration changes around the exposure window.
- Review netadmin and write-capable accounts, recent authentication, API / CLI access paths, source IPs, and any credential-reset or MFA anomalies tied to SD-WAN Manager administration.
- If Cisco indicators or unauthorized edge-device changes are present, treat the manager as compromised rather than merely vulnerable; preserve admin-tech bundles and contact Cisco TAC for environment-specific remediation.
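As an added illustration of the log review above (example code written for this page, not Cisco's tooling or anything from the advisory), the following Python scans constructed sample lines standing in for /var/log/scripts.log and /var/log/nms/vmanage-server.log for the upload-script command paths and the AnyConnect-profile upload pattern the heuristics describe; the exact log line layout, timestamps and file names are assumptions, and every hit still needs comparison against expected administrative activity.

```python
import re

# Constructed sample log lines (not real Cisco output); only the indicator
# strings follow the patterns the advisory page lists, the rest is assumed.
SCRIPTS_LOG = """\
2026-06-14 10:02:11 vconfd_script_upload_tenant_list.sh -cli path /home/netadmin/tenants.json
2026-06-14 10:05:40 vconfd_script_backup.sh -cli path /opt/data/backup.tgz
2026-06-14 10:07:03 vconfd_script_upload_chassis_number_file.sh -cli path /tmp/x.csv
"""

VMANAGE_SERVER_LOG = """\
14-Jun-2026 10:10:22 INFO uploaded Remote Access Anyconnect profile file: profile.xml to vManage
14-Jun-2026 10:12:51 INFO uploaded Remote Access Anyconnect profile file: ../../../../var/lib/wildfly/standalone/deployments/suspicious.war to vManage
"""

# CVE-2026-20245 heuristic: the three upload scripts Cisco names, invoked with "-cli path".
UPLOAD_SCRIPT_RE = re.compile(
    r"(vconfd_script_upload_(?:tenant_list|vsmart_serial_numbers|chassis_number_file)\.sh)\s+-cli\s+path\s+(\S+)"
)
# CVE-2026-20262 heuristic: an AnyConnect profile upload whose file name contains a
# traversal sequence or points at a WAR deployment directory.
ANYCONNECT_RE = re.compile(r"Remote Access Anyconnect profile file:\s+(\S+)", re.IGNORECASE)


def find_cli_upload_scripts(log_text):
    """Return (script, path) pairs from scripts.log for comparison against known admin activity."""
    return [m.groups() for line in log_text.splitlines() if (m := UPLOAD_SCRIPT_RE.search(line))]


def find_suspicious_profile_uploads(log_text):
    """Return uploaded profile file names that traverse directories or land as a WAR."""
    hits = []
    for line in log_text.splitlines():
        m = ANYCONNECT_RE.search(line)
        if not m:
            continue
        name = m.group(1)
        if "../" in name or name.lower().endswith(".war") or "/deployments/" in name:
            hits.append(name)
    return hits


if __name__ == "__main__":
    for script, path in find_cli_upload_scripts(SCRIPTS_LOG):
        print(f"review CLI upload: {script} {path}")
    for name in find_suspicious_profile_uploads(VMANAGE_SERVER_LOG):
        print(f"suspicious AnyConnect profile upload: {name}")
```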
Related pages
- PAN-OS GlobalProtect CVE-2026-0257 exploitation
- ConnectWise ScreenConnect exploitation wave
- KnowledgeDeliver CVE-2026-5426 ViewState exploitation
Sources
- Cisco CVE-2026-20245 advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-privesc-4uxFrdzx
- Cisco CVE-2026-20262 advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-arbfw-c2rZvQ
- CISA KEV: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- The Hacker News: https://thehackernews.com/2026/06/cisco-catalyst-sd-wan-manager-cve-2026.html