kev · Published Jun 5, 2026 · 3 sources

Cisco Warns of Seventh SD-WAN Zero-Day Exploited in 2026

Cisco has disclosed CVE-2026-20245, a zero-day vulnerability in its SD-WAN Manager allowing root command execution, marking the seventh such exploit this year.

Cisco has alerted its customers to a newly identified zero-day vulnerability affecting its Catalyst SD-WAN Manager, designated as CVE-2026-20245. This marks the seventh instance in 2026 where a zero-day flaw in Cisco's SD-WAN products has been actively exploited in the wild, underscoring a persistent and significant threat landscape for the company's networking infrastructure.

The vulnerability resides within the command-line interface (CLI) of the Cisco Catalyst SD-WAN Manager. It allows an authenticated local attacker to execute arbitrary commands with root privileges by uploading specially crafted files to the affected system. Cisco's advisory explains that the flaw stems from insufficient validation of user-supplied input, a common root cause of command injection.

To successfully exploit CVE-2026-20245, an attacker must first possess 'netadmin' privileges on the targeted system. This level of access can be obtained either through compromised credentials or by exploiting other previously disclosed SD-WAN vulnerabilities. Cisco has indicated that it has observed limited cases where the exploitation of this bug resulted in unauthorized configuration changes being pushed to edge devices, but is not aware of exploitation through other methods.

Notably, the 'netadmin' privileges required for exploitation could be gained by leveraging other vulnerabilities, such as CVE-2026-20182 or CVE-2026-20127. CVE-2026-20182, an authentication bypass flaw, was fixed by Cisco in mid-May after its in-the-wild exploitation was detected. The threat actor identified as UAT-8616 was previously linked to exploiting CVE-2026-20127 to gain initial unauthorized access to SD-WAN systems.

This latest vulnerability, CVE-2026-20245, was reported to Cisco by Mandiant. Cisco's Product Security Incident Response Team (PSIRT) became aware of the exploitation in June, suggesting a rapid disclosure process following the discovery. While specific details of the attacks exploiting this particular zero-day have not yet been fully shared, Cisco has provided indicators of compromise (IoCs) to aid in detection and defense.

As of the advisory's release, Cisco has not yet provided a patch for CVE-2026-20245. The company stated that fixes will be included in a future release of the Catalyst SD-WAN Manager. Currently, no workarounds are available for customers to mitigate this specific vulnerability, leaving them reliant on detecting and blocking exploitation attempts.

This incident adds to a growing list of zero-day exploits targeting Cisco's SD-WAN solutions in 2026. Previous vulnerabilities whose exploitation came to light this year include CVE-2026-20128, CVE-2026-20122, and CVE-2026-20133. An older vulnerability, CVE-2022-20775, was also flagged as being exploited in the wild during 2026, indicating a sustained focus by threat actors on this product line.

The repeated exploitation of zero-day vulnerabilities in its SD-WAN products raises concerns about the security posture of Cisco's widely deployed networking solutions. Organizations relying on these products are urged to monitor Cisco's advisories closely for patch availability and implement available IoCs to protect their networks from further compromise.

The newly disclosed Cisco Catalyst SD-WAN Manager vulnerability, CVE-2026-20245, allows attackers to escalate privileges to root access. This flaw is actively being exploited in the wild, adding to the growing list of zero-day threats targeting Cisco's SD-WAN solutions this year.

This new report details that the vulnerability, CVE-2026-20245, has been actively exploited in the wild, with threat actors using it to push unauthorized configuration changes to SD-WAN edge devices. While Cisco has not yet released a dedicated patch for this specific flaw, it advises customers to upgrade to a previously released fixed software version referenced in a May 2026 advisory and to meticulously review logs for suspicious activity, such as the execution of specific scripts with unexpected file paths.

Synthesized by Vypr AI