Cisco Catalyst SD-WAN Manager CVE-2026-20245 exploitation
Summary
CVE-2026-20245 is an authenticated privilege-escalation vulnerability in the CLI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage. Cisco says the flaw can let a local authenticated attacker with netadmin privileges upload a crafted file and execute commands as root on an affected manager.
Cisco PSIRT became aware of exploitation in June 2026. Cisco ties viable access to valid netadmin credentials or prior exploitation of CVE-2026-20182 or CVE-2026-20127, and says it has observed limited cases where exploitation resulted in configuration changes pushed to edge devices. Cisco had not released a direct software fix for CVE-2026-20245 at advisory version 1.2 and said there were no workarounds.
Tags
- ops
- operations
- Cisco
- Catalyst SD-WAN Manager
- SD-WAN
- vManage
- CVE-2026-20245
- CVE-2026-20182
- CVE-2026-20127
- active exploitation
- privilege escalation
- command injection
- edge appliance
- incident response
Why this matters
- SD-WAN managers sit on a high-impact control plane: compromise can affect centralized orchestration and configuration pushed to edge devices.
- The bug is not remotely exploitable without authentication on its own, but Cisco explicitly links the exploitation prerequisite to valid netadmin access or to earlier SD-WAN Manager flaws (CVE-2026-20182, CVE-2026-20127) that yield it.
- Cisco's public remediation language emphasizes evidence preservation before upgrade, because applying a software update alone may not resolve a compromise if the system was already altered.
- There was no direct fixed release or workaround for CVE-2026-20245 at publication time, so exposure management depends on validating access paths, preserving logs, and following Cisco TAC remediation for confirmed compromises.
Operational characteristics
- Affected component: the CLI of Cisco Catalyst SD-WAN Manager (formerly Cisco SD-WAN vManage).
- Affected deployment types: Cisco says the issue affects Catalyst SD-WAN Manager regardless of device configuration across on-prem, Cisco SD-WAN Cloud-Pro, Cisco-managed SD-WAN Cloud, and SD-WAN for Government / FedRAMP deployments.
- Exploit primitive: authenticated command injection through a crafted file uploaded to the affected system, resulting in root-level command execution.
- Required privileges: Cisco says exploitation requires netadmin privileges on the affected system, obtained through valid credentials or exploitation of CVE-2026-20182 or CVE-2026-20127; Cisco says it is not aware of successful exploitation by other methods.
- Observed impact: Cisco observed limited cases where exploitation resulted in configuration changes pushed to edge devices.
- Fix status: at advisory version 1.2, Cisco said it planned to address the issue in a future release, had not released software updates for CVE-2026-20245, and had no workaround.
- Source attribution: Cisco credits Chester Sng, Pete Boonyakarn, and Logeswaran Nadarajan of Mandiant for reporting the vulnerability.
Defender heuristics
- Treat any internet-exposed Catalyst SD-WAN Manager or manager with exposed ports as a priority review target, especially when prior CVE-2026-20182 / CVE-2026-20127 exposure is plausible.
- Preserve evidence before disruptive remediation: Cisco recommends running request admin-tech from each control component in the SD-WAN deployment before upgrading, and retaining relevant logs before moving to fixed releases.
- Audit /var/log/scripts.log for Cisco's example command paths, then compare each hit against expected administrative activity, because Cisco notes these commands can also be legitimate:
  - vconfd_script_upload_tenant_list.sh -cli path ...
  - vconfd_script_upload_vsmart_serial_numbers.sh -cli path ...
  - vconfd_script_upload_chassis_number_file.sh -cli path ...
- Investigate unexpected SD-WAN template, tenant-list, vSmart serial-number, chassis-number, and edge-device configuration changes around the exposure window.
- Review netadmin accounts, recent authentication, API / CLI access paths, source IPs, and any credential-reset or MFA anomalies tied to SD-WAN Manager administration.
- If Cisco indicators or unauthorized edge-device changes are present, treat the manager as compromised rather than merely vulnerable; preserve admin-tech bundles and contact Cisco TAC for environment-specific remediation.
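The scripts.log triage described above, as an added worked example (not Cisco's tooling and not from the advisory): it pulls every invocation of the three example scripts out of a log, then marks each one "expected" if a change record covers that user at that time and "unexplained" otherwise, which is the comparison against expected administrative activity that Cisco asks for. Assumptions, all labelled in the code: the page does not give the real line format of /var/log/scripts.log, so the sample lines and LINE_RE use a constructed "<date> <time> <user> <command>" layout that you should adjust to what your manager actually writes; the argument after "-cli path" is elided in the advisory, so matching is on the script basename only; the change records (ticket IDs, users, windows) are constructed.

```python
"""Triage of Cisco's example command paths in /var/log/scripts.log.

Added example, not Cisco's tooling. ASSUMPTIONS: the real scripts.log line
format is not given on this page, so the constructed sample below uses a
generic "<date> <time> <user> <command line>" layout; adjust LINE_RE to the
format you actually see on your manager before relying on the output.
"""
import re
from datetime import datetime

# Script names from Cisco's example command paths. The advisory elides the
# argument after "-cli path", so we match on the script basename only.
SUSPECT_SCRIPTS = (
    "vconfd_script_upload_tenant_list.sh",
    "vconfd_script_upload_vsmart_serial_numbers.sh",
    "vconfd_script_upload_chassis_number_file.sh",
)

# Assumed line layout (constructed; see module docstring).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<user>\S+) (?P<cmd>.+)$"
)

# Constructed sample log: not captured from a real system.
SAMPLE_LOG = """\
2026-06-12 03:14:07 netadmin /usr/bin/vconfd_script_upload_tenant_list.sh -cli path /home/netadmin/tenants.txt
2026-06-12 09:30:11 jdoe /usr/bin/vconfd_script_upload_chassis_number_file.sh -cli path /home/jdoe/chassis.csv
2026-06-12 09:31:02 jdoe /usr/bin/vconfd_script_show_version.sh
2026-06-13 22:48:55 svc_backup /usr/bin/vconfd_script_upload_vsmart_serial_numbers.sh -cli path /tmp/.cache/serials
"""

# Constructed change records: which user was expected to run uploads, and when.
EXPECTED_CHANGES = [
    {"ticket": "CHG-0412", "user": "jdoe",
     "start": datetime(2026, 6, 12, 9, 0), "end": datetime(2026, 6, 12, 10, 0)},
]


def parse_scripts_log(text):
    """Yield (timestamp, user, command) for each line matching LINE_RE."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                   m["user"], m["cmd"])


def suspect_script(cmd):
    """Return the suspect script basename for this command line, or None."""
    argv0 = cmd.split()[0].rsplit("/", 1)[-1]
    return argv0 if argv0 in SUSPECT_SCRIPTS else None


def explain(ts, user, changes):
    """Return the ticket whose window covers this user at this time, or None."""
    for c in changes:
        if c["user"] == user and c["start"] <= ts <= c["end"]:
            return c["ticket"]
    return None


def audit_scripts_log(text, changes=EXPECTED_CHANGES):
    """Flag every suspect-script invocation, marked expected or unexplained."""
    hits = []
    for ts, user, cmd in parse_scripts_log(text):
        script = suspect_script(cmd)
        if script is None:
            continue
        ticket = explain(ts, user, changes)
        hits.append({
            "ts": ts, "user": user, "script": script, "cmd": cmd,
            "ticket": ticket,
            "verdict": "expected" if ticket else "unexplained",
        })
    return hits


if __name__ == "__main__":
    for h in audit_scripts_log(SAMPLE_LOG):
        print(f"{h['ts']} {h['user']:<12} {h['verdict']:<11} "
              f"{h['ticket'] or '-':<9} {h['cmd']}")
```

On the constructed sample, the 09:30 chassis-number upload by jdoe is covered by CHG-0412 and comes out "expected"; the 03:14 tenant-list upload by netadmin and the 22:48 vSmart serial-number upload by svc_backup have no covering record and come out "unexplained". An "unexplained" hit is the trigger to pivot to the other heuristics above (which account, from which source IP, what edge-device changes followed), not proof of compromise on its own, because Cisco notes these scripts are also run legitimately.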
Related pages
- PAN-OS GlobalProtect CVE-2026-0257 exploitation
- ConnectWise ScreenConnect exploitation wave
- KnowledgeDeliver CVE-2026-5426 ViewState exploitation
Sources
- Cisco advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-privesc-4uxFrdzx
- The Hacker News: https://thehackernews.com/2026/06/cisco-catalyst-sd-wan-manager-cve-2026.html