Cisco Warns of Actively Exploited, Unpatched SD-WAN Zero-Day
Cisco is warning customers about an actively exploited, unpatched zero-day vulnerability in Cisco Catalyst SD-WAN Manager that could allow attackers with netadmin access to escalate privileges and execute commands as root.
Cisco has issued a security warning for a high-severity, unpatched zero-day vulnerability affecting Cisco Catalyst SD-WAN Manager. The flaw, tracked as CVE-2026-20245, is currently being exploited in active attacks and can allow attackers to escalate privileges to root.
The vulnerability affects all deployment types, including On-Prem Deployment, Cisco SD-WAN Cloud-Pro, Cisco SD-WAN Cloud — Cisco Managed, and Cisco SD-WAN for Government — FedRAMP.
According to Cisco’s advisory, the issue is caused by insufficient validation of user-supplied input. A local attacker with low-level privileges could exploit the vulnerability by uploading a specially crafted file to an affected system. Successful exploitation could allow the attacker to execute arbitrary commands as root.
Cisco noted that exploitation requires the attacker to already have netadmin privileges on the affected system. This access would require valid credentials or prior exploitation of other vulnerabilities, such as CVE-2026-20182 or CVE-2026-20127. Cisco stated it is not aware of successful exploitation by any other method.
The company also reported limited cases where exploitation of this vulnerability resulted in configuration changes being pushed to edge devices.
Cisco Catalyst SD-WAN Manager, formerly known as SD-WAN vManage, is used by administrators to monitor and manage large SD-WAN environments, supporting up to 6,000 Catalyst SD-WAN devices from a single dashboard.
Cisco’s Product Security Incident Response Team became aware of active exploitation in June after the vulnerability was reported by Mandiant, a Google Cloud cybersecurity subsidiary. Mandiant has not publicly disclosed technical details of the flaw.
Cisco has shared indicators of compromise and recommends that administrators review the SD-WAN /var/log/scripts.log file for suspicious activity. Specifically, customers should look for attempts to upload tenant configuration data to vSmart controllers as a method of privilege escalation through legitimate commands.
An example log entry provided by Cisco is:
Apr 15 09:44:57 vmanage vScript: Tenant list upload per vsmart serial number: /usr/bin/vconfd_script_upload_tenant_list.sh -cli path /home/admin/malicious.csv vpn 0
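As an added example (not part of Cisco's advisory or tooling), the following Python script applies Cisco's review guidance to a scripts.log-style file: it extracts every invocation of the tenant-list upload script and reports the timestamp, host, uploaded file path and VPN so an analyst can review each one. The field layout is assumed from the single entry Cisco published; the sample log is constructed apart from that entry.

```python
import re
from dataclasses import dataclass

# Matches the scripts.log entry format Cisco published for the
# tenant-list upload script (field layout assumed from that one example).
UPLOAD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) vScript: "
    r"Tenant list upload per vsmart serial number: "
    r"(?P<script>\S*vconfd_script_upload_tenant_list\.sh)(?P<args>.*)$"
)
PATH_RE = re.compile(r"\bpath (\S+)")
VPN_RE = re.compile(r"\bvpn (\S+)")


@dataclass
class TenantUpload:
    ts: str
    host: str
    path: str
    vpn: str
    raw: str


def find_tenant_list_uploads(log_text):
    """Return one TenantUpload per scripts.log line that invokes the
    tenant-list upload script; every hit deserves analyst review."""
    hits = []
    for line in log_text.splitlines():
        m = UPLOAD_RE.match(line.strip())
        if not m:
            continue
        path_m = PATH_RE.search(m["args"])
        vpn_m = VPN_RE.search(m["args"])
        hits.append(TenantUpload(
            ts=m["ts"], host=m["host"],
            path=path_m.group(1) if path_m else "",
            vpn=vpn_m.group(1) if vpn_m else "",
            raw=line.strip()))
    return hits


# Constructed sample: the first line is the entry Cisco published; the
# other two are invented (one unrelated entry, one second upload).
SAMPLE_LOG = """\
Apr 15 09:44:57 vmanage vScript: Tenant list upload per vsmart serial number: /usr/bin/vconfd_script_upload_tenant_list.sh -cli path /home/admin/malicious.csv vpn 0
Apr 15 09:45:03 vmanage vScript: constructed unrelated entry, not an upload
Apr 16 11:02:19 vmanage vScript: Tenant list upload per vsmart serial number: /usr/bin/vconfd_script_upload_tenant_list.sh -cli path /tmp/tenants.csv vpn 512
"""

if __name__ == "__main__":
    for hit in find_tenant_list_uploads(SAMPLE_LOG):
        print(f"{hit.ts} {hit.host} upload path={hit.path} vpn={hit.vpn}")
```

Run it against a copy of /var/log/scripts.log collected from the SD-WAN Manager; any hit whose path or timing is unexpected is the kind of entry Cisco asks customers to raise with TAC.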
Cisco advises customers who suspect compromise to open a case with Cisco TAC. The company also recommends collecting admin-tech files before contacting support to assist with the investigation.
Security patches for CVE-2026-20245 are not yet available. In the meantime, Cisco recommends that customers upgrade to software versions that include fixes for CVE-2026-20182, which was patched on May 14.
Cisco has disclosed several actively exploited Catalyst SD-WAN vulnerabilities in recent months. In February, the company patched an information disclosure flaw, CVE-2026-20133, which CISA later added to its Known Exploited Vulnerabilities catalog. CISA also warned that CVE-2026-20128 and CVE-2026-20122 were being exploited in the wild.
In March, Cisco addressed a critical authentication bypass vulnerability, CVE-2026-20127, which had reportedly been exploited as a zero-day since at least 2023.
Over the past several years, CISA has identified 90 Cisco vulnerabilities as actively exploited, including multiple flaws affecting Cisco Catalyst SD-WAN Manager and several others associated with ransomware operations.