Cisco has issued a warning regarding an actively exploited high-severity security flaw in its Catalyst SD-WAN Manager. Tracked as CVE-2026-20245, the vulnerability carries a CVSS score of 7.8. The flaw affects various deployments, including On-Prem, Cisco SD-WAN Cloud-Pro, Cisco SD-WAN Cloud, and Cisco SD-WAN for Government (FedRAMP).
Vulnerability Details and Impact
The vulnerability stems from inadequate validation of user-supplied input in the CLI of Cisco Catalyst SD-WAN Manager, previously called SD-WAN vManage. It allows a local, authenticated attacker to execute arbitrary commands as the root user by introducing a crafted file to the system. Exploitation requires netadmin privileges, so an attacker needs either valid credentials or another vulnerability, such as CVE-2026-20182 or CVE-2026-20127, to obtain that access first.
CVE-2026-20182, which carries the maximum CVSS score of 10.0, was identified by Rapid7 last month as an authentication bypass vulnerability that could enable remote attackers to gain administrative access without authentication. Both it and CVE-2026-20127 have been exploited as zero-days in past incidents linked to a threat group known as UAT-8616.
Cisco’s Advisory and Recommendations
Cisco’s advisory notes a limited number of cases in which exploitation of CVE-2026-20245 led to configuration changes on edge devices. Google Mandiant researchers Chester Sng, Pete Boonyakarn, and Logeswaran Nadarajan were credited with identifying and reporting the issue. As of now, no patches or workarounds have been made available for this vulnerability.
Customers using affected systems are urged to upgrade their SD-WAN software to incorporate the fixes released for CVE-2026-20182 on May 14, 2026, which closes one of the routes to the netadmin access that CVE-2026-20245 requires. Cisco also advises that internet-exposed systems are particularly at risk and recommends monitoring the “/var/log/scripts.log” file for specific entries that could indicate compromise.
Context and Future Outlook
The disclosure of CVE-2026-20245 marks the seventh actively exploited flaw in Cisco SD-WAN products this year, following several other security lapses. Just days prior, Cisco addressed another critical vulnerability in its Unified Communications Manager (CVE-2026-20230), though there is currently no evidence of its exploitation.
The continuous identification of such vulnerabilities underlines the importance of maintaining robust security protocols and prompt software updates. As threat actors increasingly exploit these vulnerabilities, organizations must remain vigilant and proactive in safeguarding their network systems.
