HIGH: Cisco Catalyst SD-WAN Manager Zero-Day Under Active Exploitation, No Patch Available (CVE-2026-20245)
Cisco confirmed active exploitation of CVE-2026-20245, an unpatched command injection flaw in Catalyst SD-WAN Manager that lets authenticated attackers escalate to root and push malicious configurations to edge devices. The CVSS 7.8 bug is the seventh exploited SD-WAN zero-day since 2023 and chains with two prior auth bypass vulnerabilities to enable full remote takeover. No patch is available.
There's a grim familiarity to writing about Cisco SD-WAN zero-days at this point. CVE-2026-20245 marks the seventh actively exploited flaw in the Catalyst SD-WAN Manager platform since 2023, which is roughly one every six months for anyone keeping score at home. Cisco's Product Security Incident Response Team confirmed on June 4 that attackers are abusing the vulnerability in the wild to elevate themselves to root on the centralized management plane that runs entire enterprise wide area networks. The patch situation is the part that should keep network operators awake. There isn't one yet, and Cisco has not committed to a specific release date.
The flaw itself carries a CVSS score of 7.8, which technically puts it in high rather than critical territory, but treat that number with a healthy dose of context. The vulnerability lives in the command-line interface of SD-WAN Manager and stems from insufficient validation of user-supplied input. An authenticated local attacker with netadmin credentials can upload a crafted file that triggers command injection inside the underlying CLI handlers, escalating from a constrained administrative role to full root on the host. Once you have root on the manager, you own the policy plane for every edge device in the fabric. Cisco has already documented limited cases where exploitation led directly to configuration changes pushed out to edge routers, which is exactly the worst-case outcome anyone running a managed SD-WAN deployment should be modeling.
The "authenticated, local" framing is doing a lot of work in the CVSS calculation, and it's worth unpacking why that framing understates the real-world risk. Netadmin is an elevated role on SD-WAN Manager, but two other Cisco SD-WAN authentication bypass bugs make obtaining that role a serious problem. CVE-2026-20182 is a CVSS 10.0 authentication bypass that Cisco patched on May 14, and CVE-2026-20127 is an older authentication bypass that has been exploited in the wild since 2023. Chain either of those with CVE-2026-20245 and the picture changes from a privileged insider abusing access to an unauthenticated remote attacker walking from the internet to root with two API calls. Mandiant researchers Chester Sng, Pete Boonyakarn, and Logeswaran Nadarajan reported the chain to Cisco after observing exploitation in customer environments, which is how this advisory came to exist in the first place.
The affected scope is essentially everyone running Catalyst SD-WAN Manager, regardless of how they consume it. The advisory covers on-premises deployments, the Cisco SD-WAN Cloud-Pro service, the fully managed Cisco SD-WAN Cloud offering, and the FedRAMP-authorized Cisco SD-WAN for Government tier. There is no version that is currently safe. Cisco-hosted customers benefit from the vendor managing controller patches when they ship, but anyone running on-prem or in Cloud-Pro is responsible for their own remediation timeline and has nothing to apply at the moment beyond the May fix for CVE-2026-20182. That earlier patch is the single most important compensating control available right now, because it closes the authentication bypass that turns the privileged-access requirement of CVE-2026-20245 into a paper tiger.
If you are running any version of SD-WAN Manager on hardware you control and you have not yet applied the May 14 update for CVE-2026-20182, stop reading and go do that. That is the only meaningful preventive action available until Cisco ships a patch for the new flaw. Beyond patching the auth bypass, the practical hardening playbook is the same one you should have applied to any management plane that touches the internet. Restrict access to the SD-WAN Manager web and API interfaces to a small allowlist of administrative jump hosts. Place the manager behind a VPN or zero trust proxy rather than exposing it directly. Rotate netadmin credentials and enforce multifactor authentication on the management interface, ideally tied to a hardware token rather than push notifications. Review which accounts actually need netadmin and prune the list aggressively, because every additional privileged user is an additional credential that can be phished, stuffed, or stolen.
Detection is where defenders have the most leverage right now. Cisco published unusually specific indicators of compromise, which suggests the active campaign has a recognizable behavioral fingerprint rather than relying on novel obfuscation. The exploit chain leaves traces in /var/log/scripts.log on the SD-WAN Manager host, specifically referencing legitimate utility scripts being invoked in suspicious patterns. The names to watch for include /usr/bin/vconfd_script_upload_tenant_list.sh, /usr/bin/vconfd_script_upload_vsmart_serial_numbers.sh, and /usr/bin/vconfd_script_upload_chassis_number_file.sh. These scripts have legitimate purposes during normal tenant management, so the goal is not to alert on any invocation but to flag unusual timing, unexpected source users, or unexpected configuration payloads. If your SIEM is not already shipping scripts.log from SD-WAN Manager, add it tonight and build correlation rules around those three filenames with a baseline of normal admin activity over the last 30 days.
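The correlation logic described above, as an added example that is not Cisco's tooling or part of the advisory: it builds a 30-day baseline of which users normally invoke the three watched scripts, then flags new invocations by a user with no baseline history, invocations outside business hours, or arguments carrying shell metacharacters (a generic command-injection indicator). The log line format `<ISO timestamp> <user> <script path> [args]`, the sample log lines, the user names and the business-hours window are all constructed assumptions; adapt `parse_line()` to the real layout of /var/log/scripts.log before deploying anything like this in a SIEM.

```python
"""Baseline-and-deviation detector for vconfd upload script invocations.

Added example, not Cisco code. The scripts.log line layout assumed here
("<ISO timestamp> <user> <script path> [args]") is a constructed
assumption and must be adapted to the real file.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# The three script paths named in Cisco's indicators of compromise.
WATCHED_SCRIPTS = {
    "/usr/bin/vconfd_script_upload_tenant_list.sh",
    "/usr/bin/vconfd_script_upload_vsmart_serial_numbers.sh",
    "/usr/bin/vconfd_script_upload_chassis_number_file.sh",
}

# Assumed line layout: timestamp, invoking user, absolute script path, optional args.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<script>/\S+)(?:\s+(?P<args>.*))?$"
)
METACHARS_RE = re.compile(r"[;&|`$<>]")


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.fromisoformat(m["ts"])
    except ValueError:
        return None
    return {"ts": ts, "user": m["user"], "script": m["script"], "args": m["args"] or ""}


def build_baseline(lines, now, window_days=30):
    """Count (user, script) pairs for watched scripts seen in the baseline window."""
    cutoff = now - timedelta(days=window_days)
    seen = Counter()
    for ev in map(parse_line, lines):
        if ev and ev["script"] in WATCHED_SCRIPTS and cutoff <= ev["ts"] < now:
            seen[(ev["user"], ev["script"])] += 1
    return seen


def find_anomalies(lines, baseline, business_hours=(7, 19)):
    """Flag watched-script invocations that deviate from the baseline."""
    findings = []
    for ev in map(parse_line, lines):
        if not ev or ev["script"] not in WATCHED_SCRIPTS:
            continue
        reasons = []
        if (ev["user"], ev["script"]) not in baseline:
            reasons.append("user never ran this script in baseline")
        if not (business_hours[0] <= ev["ts"].hour < business_hours[1]):
            reasons.append("outside business hours")
        if METACHARS_RE.search(ev["args"]):
            reasons.append("shell metacharacters in arguments")
        if reasons:
            findings.append((ev, reasons))
    return findings


# Constructed sample data: 30 days of routine admin activity from two jump hosts.
BASELINE_LOG = [
    "2026-05-10T10:15:02 admin-jh1 /usr/bin/vconfd_script_upload_tenant_list.sh /tmp/tenants.csv",
    "2026-05-18T14:40:11 admin-jh1 /usr/bin/vconfd_script_upload_chassis_number_file.sh /tmp/chassis.csv",
    "2026-05-22T09:05:44 admin-jh2 /usr/bin/vconfd_script_upload_vsmart_serial_numbers.sh /tmp/serials.csv",
    "2026-05-25T11:00:00 admin-jh1 /usr/bin/unrelated_script.sh x",
]
# Constructed sample data: the window under review.
NEW_LOG = [
    "2026-06-03T10:30:00 admin-jh1 /usr/bin/vconfd_script_upload_tenant_list.sh /tmp/tenants.csv",
    "2026-06-04T03:12:37 svc-backup /usr/bin/vconfd_script_upload_chassis_number_file.sh /tmp/x.csv",
    "2026-06-04T15:02:10 admin-jh2 /usr/bin/vconfd_script_upload_vsmart_serial_numbers.sh /tmp/serials.csv; id",
]


def run_example(now=datetime(2026, 6, 5)):
    baseline = build_baseline(BASELINE_LOG, now)
    return find_anomalies(NEW_LOG, baseline)


if __name__ == "__main__":
    for ev, reasons in run_example():
        print(f"{ev['ts'].isoformat()} {ev['user']} {ev['script']}: {', '.join(reasons)}")
```

The first reviewed line is a known user running a known script during the day and produces nothing, which is the point: the three scripts are legitimate, so raw invocation is not the signal. Tune the window and business hours to the environment, and treat an unfamiliar user or an off-hours run as a reason to pull the full session, not as proof of compromise on its own.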
The bigger question, and one that customers are starting to ask out loud, is whether the SD-WAN Manager codebase has a structural problem with input validation in its administrative interfaces. Seven actively exploited zero-days in roughly three years is not a streak that can be explained away by bad luck. The CLI input validation issue at the heart of CVE-2026-20245 looks suspiciously similar to several of the earlier flaws in the same series, which suggests Cisco's internal hardening efforts are playing whack-a-mole against a class of bug rather than systematically eliminating it. From a risk management perspective this matters because it changes the calculus on planned mitigations. If you assume an eighth zero-day is coming sometime in the next eighteen months, network segmentation around the SD-WAN Manager becomes a long-term architectural requirement rather than a short-term workaround.
Cisco has not provided a public timeline for the patch, which is unusual for an actively exploited issue and probably reflects the difficulty of fixing a deep input validation problem without introducing regressions in a product line that runs critical infrastructure for thousands of enterprises. Customers under support contracts should reach out to their TAC representative for individual guidance and any private advisories that might be available. Federal agencies and FedRAMP customers in particular should be prepared for CISA to add CVE-2026-20245 to the Known Exploited Vulnerabilities catalog imminently, which would trigger a 21-day remediation requirement under BOD 22-01. Given that there is no patch available, the only way to meet that deadline would be to disconnect or heavily isolate the management plane, which is not a trivial operational change for an organization that depends on SD-WAN for branch connectivity.
For managed service providers and security consultancies, this advisory is a textbook case of how a single critical management plane vulnerability turns into a service revenue opportunity. Clients running SD-WAN are typically mid-market and enterprise organizations with limited internal expertise in network security architecture, and most of them have never seriously audited which IP addresses can reach their SD-WAN Manager interfaces. A focused engagement that audits SD-WAN exposure, applies the May CVE-2026-20182 patch, implements scripts.log monitoring, and produces a documented remediation plan for the inevitable CVE-2026-20245 patch is the kind of work that justifies a premium rate and demonstrates obvious value. Build the offering now while the news cycle is fresh.
References
- NVD CVE-2026-20245
https://nvd.nist.gov/vuln/detail/CVE-2026-20245
- The Hacker News Coverage
https://thehackernews.com/2026/06/cisco-catalyst-sd-wan-manager-cve-2026.html
- BleepingComputer Report
https://www.bleepingcomputer.com/news/security/new-cisco-sd-wan-flaw-exploited-in-zero-day-attacks-to-gain-root/
- Cisco Security Advisory
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa2-v69WY2SW