Cisco warns of unpatched SD-WAN zero-day exploited in attacks
Cisco has disclosed a critical, unpatched zero-day vulnerability (CVE-2026-20245) in Cisco Catalyst SD-WAN Manager that is actively exploited in the wild. The flaw allows local attackers with netadmin privileges to perform command injection attacks, leading to root privilege escalation by uploading crafted files. Exploitation requires valid credentials or prior exploitation of related vulnerabilities (CVE-2026-20182 or CVE-2026-20127). The vulnerability affects all deployment types of the product, including on-premises and cloud-managed versions. Cisco has not yet released a patch for this zero-day but advises monitoring for indicators of compromise and engaging Cisco TAC for incident response support. The vendor has released patches for related vulnerabilities but this specific flaw remains unpatched at this time.
AI Analysis
Technical Summary
CVE-2026-20245 is a critical zero-day vulnerability in Cisco Catalyst SD-WAN Manager that enables local attackers with netadmin privileges to escalate to root by exploiting insufficient validation of user-supplied input. Attackers can upload specially crafted files to trigger command injection and execute arbitrary commands as root. Exploitation requires either valid netadmin credentials or prior exploitation of other zero-days (CVE-2026-20182 or CVE-2026-20127). The vulnerability impacts all deployment types of Cisco SD-WAN Manager, including on-premises and cloud-managed environments. Cisco is aware of active exploitation but has not yet released a patch. Administrators are advised to check logs for suspicious tenant configuration uploads and contact Cisco TAC for assistance.
Potential Impact
Successful exploitation allows attackers with netadmin privileges to execute arbitrary commands as root on affected Cisco Catalyst SD-WAN Manager systems, potentially leading to full system compromise and unauthorized configuration changes pushed to edge devices. The vulnerability affects all deployment types, increasing the scope of impact. Exploitation requires prior access or credential compromise, limiting attack vectors to those with some level of system access or who have exploited related vulnerabilities. Cisco has observed limited cases of exploitation resulting in configuration changes, indicating active targeted attacks.
Mitigation Recommendations
As of the advisory date, no security patches are available for CVE-2026-20245. Cisco recommends monitoring the /var/log/scripts.log file for suspicious tenant configuration uploads indicative of exploitation attempts. Administrators should collect admin-tech files and open a case with Cisco TAC for assistance in investigating potential compromises. Cisco advises upgrading to fixed software versions for related vulnerabilities (CVE-2026-20182) to reduce attack surface. Organizations should ensure strict control of netadmin credentials and monitor for signs of credential compromise. Patch status is not yet confirmed for this zero-day; check Cisco's official advisory regularly for updates on remediation.
Technical Details
- Source Type: Reddit
- Subreddit: cybersecurity
- Reddit Score: 0
- Discussion Level: minimal
- Content Source: reddit_link_post
- Post Type: link
- Domain: null
- Newsworthiness Assessment: {"score":46,"reasons":["external_link","newsworthy_keywords:exploit,zero-day,patch","urgent_news_indicators","established_author","very_recent"],"isNewsworthy":true,"foundNewsworthy":["exploit","zero-day","patch"],"foundNonNewsworthy":[]}
- Has External Source: true
- Trusted Domain: false
Threat ID: 6a22b404e29bf47b506177a8
Added to database: 6/5/2026, 11:33:24 AM
Last enriched: 6/5/2026, 11:33:32 AM
Last updated: 6/5/2026, 5:37:33 PM