Cisco has alerted its customers to a newly discovered vulnerability in its SD-WAN products, marking the seventh such issue in 2026. The flaw, identified as CVE-2026-20245, remains unpatched and affects the command-line interface of Cisco Catalyst SD-WAN Manager.
Vulnerability Details and Exploitation
The vulnerability allows an authenticated local attacker to execute arbitrary root-level commands by leveraging specially crafted files. According to Cisco’s advisory, the issue stems from inadequate validation of user-input data. Attackers can exploit this by uploading a malicious file to the compromised system, potentially enabling them to conduct command injection attacks and escalate their privileges to root level.
To exploit this flaw, an attacker must possess ‘netadmin’ privileges. These can be obtained through compromised credentials or by exploiting other known SD-WAN vulnerabilities, such as CVE-2026-20182 and CVE-2026-20127. Cisco has clarified that aside from these methods, no other successful exploitation techniques have been observed.
Recent Exploitations and Security Measures
The company observed instances where the vulnerability led to unauthorized configuration changes on edge devices. Previously, CVE-2026-20182, a related authentication bypass vulnerability, was mitigated in May after being exploited by the threat actor UAT-8616. This actor had also exploited CVE-2026-20127 in their attacks on SD-WAN systems.
This latest zero-day was reported to Cisco by Mandiant, though specific details about the attacks remain undisclosed. Cisco’s PSIRT became aware of the exploitation in June, prompting rapid public disclosure of the issue. The firm is actively working on a patch for this vulnerability, which will be included in a future release of the Catalyst SD-WAN Manager. At present, there are no available workarounds.
Looking Ahead: Cisco’s Response and Future Patches
Cisco has provided indicators of compromise (IoCs) to help organizations detect any potential security breaches. Other vulnerabilities in the SD-WAN product line, such as CVE-2026-20128, CVE-2026-20122, and CVE-2026-20133, have also been identified as exploited in 2026. An older vulnerability, CVE-2022-20775, was similarly noted for being exploited this year.
As the company continues to address these security challenges, stakeholders are urged to remain vigilant and monitor for further updates from Cisco. The ongoing discovery of vulnerabilities highlights the need for robust cybersecurity measures in network management systems.
