Cisco Catalyst SD-WAN Manager CVE-2026-20245 Flaw Actively Exploited – No Patch Available

Cisco has warned that a critical security flaw affecting the Catalyst SD-WAN Manager has come under active exploitation.
The vulnerability, tracked as CVE-2026-20245, carries a CVSS score of 7.8 out of 10.0. It affects the following deployment types –
- On-Prem Deployment
- Cisco SD-WAN Cloud-Pro
- Cisco SD-WAN Cloud (Cisco Managed)
- Cisco SD-WAN for Government (FedRAMP)
“A vulnerability in the CLI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an authorized local attacker to execute arbitrary commands as root by providing a crafted file on an affected system,” Cisco said in an advisory.
The network security company said the vulnerability is the result of insufficient validation of user input, which an attacker can exploit by uploading a crafted file to an affected system. This, in turn, would allow the attacker to perform a command injection attack and elevate their privileges to the root user.
“To exploit this vulnerability, an attacker must have netadmin privileges on the affected system,” Cisco added. “This would require valid credentials or an exploit for CVE-2026-20182 or CVE-2026-20127. Cisco cannot be successfully exploited in other ways.”
CVE-2026-20182 (CVSS score: 10.0) was disclosed last month by Rapid7, which described it as an authentication bypass that could allow unauthorized, remote attackers to gain administrative privileges on affected systems. It is also assessed to be the same as CVE-2026-20127, another vulnerability that affects the same component.
Both vulnerabilities have been exploited in the wild as zero-days, with a threat cluster tracked as UAT-8616 linked to the exploitation of CVE-2026-20127 since 2023.
In its advisory issued Thursday, Cisco said it has seen limited cases where the exploitation of CVE-2026-20245 led to configuration changes being pushed to edge devices. Google Mandiant researchers Chester Sng, Pete Boonyakarn, and Logeswaran Nadarajan have been credited with discovering and reporting the new vulnerability. It is not known who is behind the latest exploitation attempts.
There are currently no patches or mitigations available for CVE-2026-20245. Customers are advised to update their SD-WAN software so that the fix released for CVE-2026-20182 on May 14, 2026, is applied.
Cisco also warned that systems exposed to the Internet are at high risk of compromise. To look for indicators of compromise (IoCs), users are advised to check the “/var/log/scripts.log” file for entries like the ones below –
Apr 15 09:44:57 vmanage vScript: Tenant list upload per vsmart serial number: /usr/bin/vconfd_script_upload_tenant_list.sh -cli path /home/admin/malicious.csv vpn 0
Jun 5 13:06:39 Manager vScript: vSmart upload serial numbers: /usr/bin/vconfd_script_upload_vsmart_serial_numbers.sh -cli path /home/admin/vsmart_serial_numbers_safe.csv
Jun 5 13:08:47 Validator vScript: ZTP upload chassis numbers: /usr/bin/vconfd_script_upload_chassis_number_file.sh -cli path /home/admin/chassis_numbers_safe.csv
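The log check described above can be scripted. The following is an added example, not Cisco's tooling or part of the advisory: the regular expression is an assumption derived only from the three entries quoted in this article, and a match marks an entry for review rather than confirming compromise.

```python
import re
import sys
from typing import Iterable, List, NamedTuple

class UploadEntry(NamedTuple):
    timestamp: str
    host: str
    action: str
    script: str
    path: str   # file handed to the upload script via "-cli path"
    extra: str  # any trailing arguments, e.g. "vpn 0"

# Assumed line shape, inferred from the entries quoted in the article.
PATTERN = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) vScript: "
    r"(?P<action>[^:]+): (?P<script>/usr/bin/vconfd_script_upload_\w+\.sh) "
    r"-cli path (?P<path>\S+)(?P<rest>.*)$"
)

# The three entries quoted in the article plus one constructed, unrelated line.
SAMPLE = """\
Apr 15 09:44:57 vmanage vScript: Tenant list upload per vsmart serial number: /usr/bin/vconfd_script_upload_tenant_list.sh -cli path /home/admin/malicious.csv vpn 0
Jun 5 13:06:39 Manager vScript: vSmart upload serial numbers: /usr/bin/vconfd_script_upload_vsmart_serial_numbers.sh -cli path /home/admin/vsmart_serial_numbers_safe.csv
Jun 5 13:08:47 Validator vScript: ZTP upload chassis numbers: /usr/bin/vconfd_script_upload_chassis_number_file.sh -cli path /home/admin/chassis_numbers_safe.csv
Jun 5 13:09:02 Manager vScript: constructed unrelated entry: /usr/bin/some_other_script.sh
""".splitlines()

def find_upload_entries(lines: Iterable[str]) -> List[UploadEntry]:
    """Return every vScript upload invocation that took a file via '-cli path'."""
    hits = []
    for line in lines:
        m = PATTERN.match(line.rstrip("\n"))
        if m:
            hits.append(UploadEntry(m["ts"], m["host"], m["action"].strip(),
                                    m["script"], m["path"], m["rest"].strip()))
    return hits

def main(argv: List[str]) -> int:
    if len(argv) > 1:  # e.g. a copy of /var/log/scripts.log
        with open(argv[1], errors="replace") as fh:
            hits = find_upload_entries(fh)
    else:
        hits = find_upload_entries(SAMPLE)
    for h in hits:
        print(f"{h.timestamp} {h.host}: {h.script} <- {h.path} {h.extra}".rstrip())
    return 1 if hits else 0  # non-zero exit when entries need review

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Each reported path should be compared against upload operations administrators actually performed at that time.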
CVE-2026-20245 is the seventh vulnerability affecting Cisco SD-WAN to be flagged as actively exploited this year alone, after CVE-2026-20182, CVE-2026-20127, CVE-2026-20122, CVE-2026-20128, and CVE-2022-20775.
The disclosure comes days after Cisco addressed another critical security flaw in Unified Communications Manager (CVE-2026-20230, CVSS score: 8.6), for which it said proof-of-concept exploit code is public. There is no evidence that the vulnerability has come under active exploitation.



