CVE-2026-20245: The Seventh Actively Exploited Zero-Day in Cisco SD-WAN Enables Root Command Execution — No Patch Available
Publication date: June 7, 2026
Category: Information Security · Network Security · Vulnerabilities
Context: Cisco’s SD-WAN Ecosystem Under Sustained Fire
On June 5, 2026, Cisco disclosed CVE-2026-20245, a high-severity vulnerability with a CVSS score of 7.8 in the CLI of Cisco Catalyst SD-WAN Manager (formerly known as SD-WAN vManage). The flaw, classified under CWE-116 (Improper Encoding or Escaping of Output), allows an authenticated attacker with netadmin privileges to execute arbitrary commands as root by uploading a specially crafted file to the affected system.
What makes this case especially critical is not the vulnerability in isolation, but the context in which it surfaces: this is the seventh flaw in Cisco’s SD-WAN infrastructure to be actively exploited in 2026 alone, and it adds to a chain of prior vulnerabilities that attackers are already leveraging as entry points. Cisco confirmed having observed real-world exploitation cases in which the flaw led to unauthorized configuration changes being pushed to edge devices — with no patches available at the time of disclosure.
The vulnerability was discovered and responsibly reported by Google Mandiant researchers Chester Sng, Pete Boonyakarn, and Logeswaran Nadarajan.
At the time of this publication, no patches or direct mitigations exist for CVE-2026-20245.
The Technical Problem: Command Injection Through the CLI
CVE-2026-20245 resides in the command-line interface (CLI) of Cisco Catalyst SD-WAN Manager and stems from insufficient validation of user-supplied input during the processing of files uploaded to the system.
The exploitation mechanism is straightforward: an attacker with netadmin access can upload a specially crafted file — such as a malicious CSV — which is processed by internal system scripts like /usr/bin/vconfd_script_upload_tenant_list.sh. These scripts fail to properly sanitize the input before execution, resulting in command injection that escalates the attacker’s privileges to root, granting full control over the SD-WAN management plane and the ability to propagate configuration changes to all managed edge devices.
Once root access is obtained over SD-WAN Manager, the potential impact includes:
- Modification of routing tables and traffic policies across the entire SD-WAN fabric
- Access to credentials stored on the control plane
- Long-term persistence within the corporate network infrastructure
- Pivoting toward internal systems protected behind the SD-WAN perimeter
The flaw affects all Cisco SD-WAN Manager deployment types: On-Prem, SD-WAN Cloud-Pro, SD-WAN Cloud (Cisco Managed), and SD-WAN for Government (FedRAMP).
The Attack Chain: CVE-2026-20245 Does Not Operate in Isolation
The netadmin access prerequisite may appear to be a sufficient barrier, but in practice it is not. Cisco explicitly acknowledges that an attacker can obtain the required privileges through two prior critical vulnerabilities, both already under active exploitation:
CVE-2026-20127 (CVSS 10.0) — Authentication Bypass in the SD-WAN Controller
A maximum-severity authentication bypass that allows an unauthenticated remote attacker to gain high-privileged internal access by sending crafted requests to the SD-WAN Controller. This flaw has been actively exploited in zero-day attacks since at least 2023, linked to the threat activity cluster tracked as UAT-8616.
CVE-2026-20182 (CVSS 10.0) — Authentication Bypass in the vdaemon Service (DTLS/UDP Port 12346)
A second maximum-severity authentication bypass in the SD-WAN Controller’s vdaemon service, disclosed in May 2026 by Rapid7. This flaw injects an attacker-controlled SSH key into the vmanage-admin account, granting persistent NETCONF access to the control plane. It was also exploited as a zero-day before patches were available.
The resulting attack chain is as follows:
CVE-2026-20127 / CVE-2026-20182 (unauthenticated remote authentication bypass)
→ netadmin access to SD-WAN Manager (control plane privileges)
→ CVE-2026-20245 (command injection via file upload)
→ root command execution (full management plane compromise)
This chained attack architecture is precisely what Cisco describes in its advisory when stating that it is not aware of successful exploitation of CVE-2026-20245 through any method other than valid credentials or the two bypass vulnerabilities listed above.
Active Exploitation: What Cisco Confirmed
The confirmation of exploitation in real-world environments is one of the most significant elements of this advisory. Cisco reported observing limited cases in which successful exploitation of CVE-2026-20245 resulted in unauthorized configuration changes being pushed to SD-WAN edge devices.
In practical terms, this means at least one threat actor successfully:
- Gained netadmin access to SD-WAN Manager, presumably through the prior authentication bypass vulnerabilities
- Uploaded a malicious file to exploit CVE-2026-20245 and obtain root
- Modified network configuration and propagated those changes to edge devices
The identity of the actor behind the active exploitation of CVE-2026-20245 has not been publicly disclosed. However, given UAT-8616’s documented history with CVE-2026-20127, it is reasonable to consider that advanced persistent threat (APT) actors are actively targeting Cisco’s SD-WAN ecosystem as a strategic priority.
Indicators of Compromise (IoCs)
Cisco provided specific log entries that may indicate active exploitation. Administrators should review the /var/log/scripts.log file on their SD-WAN Manager instances for entries such as the following:
Apr 15 09:44:57 vmanage vScript: Tenant list upload per vsmart serial number: /usr/bin/vconfd_script_upload_tenant_list.sh -cli path /home/admin/malicious.csv vpn 0
Jun 5 13:06:39 Manager vScript: vSmart upload serial numbers: /usr/bin/vconfd_script_upload_vsmart_serial_numbers.sh -cli path /home/admin/vsmart_serial_numbers_safe.csv
Jun 5 13:08:47 Validator vScript: ZTP upload chassis numbers: /usr/bin/vconfd_script_upload_chassis_number_file.sh -cli path /home/admin/chassis_numbers_safe.csv
The presence of unusual file paths in the -cli path parameter — particularly pointing to CSV files in user directories such as /home/admin/ — should be treated as a potential indicator of exploitation until proven otherwise.
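To make that log review concrete, the following is an added triage script (my own example, not Cisco tooling) that parses entries in the scripts.log format quoted above and flags vconfd_script_upload_* invocations whose -cli path argument points into a /home/ directory. The sample log is constructed: its first three lines are the advisory entries reproduced above and the fourth is a made-up benign entry; the /home/ prefix list is an assumption to tune to your own workflow.

```python
import os
import re
from typing import Dict, List, Optional

# Constructed sample: the first three lines are the advisory entries quoted
# above; the fourth is a made-up benign entry used only for contrast.
SAMPLE_SCRIPTS_LOG = """\
Apr 15 09:44:57 vmanage vScript: Tenant list upload per vsmart serial number: /usr/bin/vconfd_script_upload_tenant_list.sh -cli path /home/admin/malicious.csv vpn 0
Jun 5 13:06:39 Manager vScript: vSmart upload serial numbers: /usr/bin/vconfd_script_upload_vsmart_serial_numbers.sh -cli path /home/admin/vsmart_serial_numbers_safe.csv
Jun 5 13:08:47 Validator vScript: ZTP upload chassis numbers: /usr/bin/vconfd_script_upload_chassis_number_file.sh -cli path /home/admin/chassis_numbers_safe.csv
Jun 5 14:00:00 Manager vScript: ZTP upload chassis numbers: /usr/bin/vconfd_script_upload_chassis_number_file.sh -cli path /opt/staging/chassis.csv
"""

# One vScript entry: timestamp, host, free-text message, the vconfd script
# that was invoked, and the value handed to its -cli path argument.
LINE_RE = re.compile(
    r"(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) vScript: "
    r"(?P<msg>.*?): (?P<script>/usr/bin/vconfd_script_\S+) -cli path (?P<path>\S+)"
)

# Directories the advisory calls out as unusual origins for upload input.
# Assumption: adjust this tuple to the paths your own workflow legitimately uses.
USER_DIR_PREFIXES = ("/home/",)


def parse_vscript_entry(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of a vScript upload entry, or None if the line is not one."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None


def is_suspicious_upload(entry: Dict[str, str]) -> bool:
    """Flag vconfd_script_upload_* invocations that read their input from a user directory."""
    script = os.path.basename(entry["script"])
    return script.startswith("vconfd_script_upload_") and entry["path"].startswith(USER_DIR_PREFIXES)


def triage_scripts_log(text: str) -> List[Dict[str, str]]:
    """Return every scripts.log entry that matches the advisory's IoC pattern."""
    hits = []
    for line in text.splitlines():
        entry = parse_vscript_entry(line)
        if entry and is_suspicious_upload(entry):
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for hit in triage_scripts_log(SAMPLE_SCRIPTS_LOG):
        print(f"[{hit['ts']}] {hit['host']}: {hit['script']} read {hit['path']}")
```

Run it against the real /var/log/scripts.log from each SD-WAN Manager instance; any hit should be escalated rather than explained away, since the advisory treats such entries as a potential indicator until proven otherwise.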
⚠️ Critical warning: If logs confirm a compromise, simply applying the patch when it becomes available will not resolve the issue. Cisco explicitly states that in confirmed compromise cases, customers must open a case with the Cisco Technical Assistance Center (TAC) to receive environment-specific remediation guidance.
Recommendations for Security Teams
In the absence of a patch for CVE-2026-20245, Cisco and the broader security community have documented the following immediate actions:
Step 1: Preserve Evidence Before Any Changes
Before performing any upgrade, generate an admin-tech file from each control component in the SD-WAN deployment to preserve potential forensic evidence:
request admin-tech
This command must be run from each active SD-WAN Manager, Controller, and Validator in the environment.
Step 2: Apply Patches for CVE-2026-20182
Cisco recommends upgrading to the software that incorporates the fixes for CVE-2026-20182 (released May 14, 2026). While these patches do not directly address CVE-2026-20245, they eliminate the primary access vector attackers are using to chain exploitation.
Step 3: Verify Edge Device Configurations
Review all configurations of edge devices managed by SD-WAN Manager for unauthorized changes. This means comparing the current state against established configuration baselines, with particular attention to changes in routing, templates, and traffic policies.
For System Administrators
- Restrict access to SD-WAN Manager to dedicated administrative networks. Internet-exposed systems carry a significantly elevated risk of compromise.
- Enforce strong authentication for netadmin accounts, including multi-factor authentication wherever technically feasible.
- Centralize log collection from SD-WAN Manager and Controllers into a SIEM for event correlation and detection of anomalous file upload patterns through the CLI.
- Actively monitor Cisco PSIRT channels for the publication of the specific patch for CVE-2026-20245.
- Verify that CVE-2026-20127 and CVE-2026-20182 are fully remediated across all SD-WAN components. If either vulnerability remains unpatched, the attack surface toward CVE-2026-20245 remains completely open.
Analysis: An Ecosystem Under Systematic Siege
CVE-2026-20245 cannot be evaluated in isolation. It is part of a pattern that has become impossible to ignore in 2026: seven actively exploited vulnerabilities in the Cisco SD-WAN ecosystem in under six months.
The history of prior flaws illustrates the depth of the problem:
| CVE | CVSS | Type | Status |
|---|---|---|---|
| CVE-2026-20127 | 10.0 | Auth bypass in SD-WAN Controller | Exploited since 2023; patch available |
| CVE-2026-20133 | High | Information disclosure in SD-WAN Manager | Patch available; CISA flagged in April |
| CVE-2026-20122 | High | Privilege escalation | Patch available |
| CVE-2026-20128 | High | Privilege escalation | Patch available |
| CVE-2022-20775 | High | Historical flaw | Active exploitation documented in 2026 |
| CVE-2026-20182 | 10.0 | Auth bypass in vdaemon | Patch available since May 14, 2026 |
| CVE-2026-20245 | 7.8 | Command injection / LPE | No patch available |
This pattern is not random. Advanced actors — including APT groups with state nexuses such as the UAT-8616 cluster — have identified SD-WAN infrastructure as a high-value strategic target. Compromising the management plane is equivalent to compromising visibility and control over an organization’s entire network fabric.
From a threat architecture perspective, Cisco SD-WAN Manager occupies the same space as other historically preferred targets for sophisticated actors: centralized management systems that, once compromised, provide lateral movement into every segment they administer. The distinction from a firewall or VPN concentrator is that SD-WAN Manager has the native capability to dynamically reconfigure the network and propagate those changes to thousands of edge devices, turning control plane compromise into a weapon with massive reach.
The accumulation of seven exploited vulnerabilities in a single component in one year also raises questions about security code review practices in critical infrastructure projects. These are not merely isolated flaws; they represent a systemic pattern that suggests accumulated security technical debt across multiple development cycles.
The window between disclosure and mass exploitation has closed. With active exploitation confirmed on the day of disclosure — and with UAT-8616 having operated against this component since at least 2023 — defensive teams cannot treat this as routine patch management. Every unpatched SD-WAN Manager instance exposed beyond a dedicated administrative network should be treated as a potential active incident until proven otherwise.
Incident Timeline
| Date | Event |
|---|---|
| At least since 2023 | UAT-8616 exploits CVE-2026-20127 in zero-day attacks |
| February 2026 | Cisco patches CVE-2026-20133; CISA flags it as actively exploited in April |
| February 2026 | Cisco discloses and patches CVE-2026-20127 |
| May 2026 | Rapid7 discloses CVE-2026-20182; Cisco publishes patches on May 14 |
| May 2026 | CISA adds CVE-2026-20122, CVE-2026-20128, and CVE-2026-20133 to the KEV catalog |
| June 2026 (before the 5th) | Cisco PSIRT is notified by Google Mandiant researchers |
| June 5, 2026 | Cisco discloses CVE-2026-20245 with confirmed active exploitation; no patch available |
| Pending | Publication of specific patch for CVE-2026-20245 |
Wrapping Up…
CVE-2026-20245 represents more than a technically high-severity vulnerability: it is the latest manifestation of a sustained campaign against critical network infrastructure that has been developing for years. The fact that this is the seventh actively exploited flaw in the same ecosystem in 2026, combined with the absence of a patch at the time of disclosure and the confirmation of real compromise in production environments, places SD-WAN network administrators in a defensive posture that demands immediate action.
The operational lesson is clear: in environments where the absence of a patch makes it impossible to eliminate the flaw directly, the defensive perimeter must be built on removing or mitigating the prerequisite access vectors — CVE-2026-20182 and CVE-2026-20127 — restricting access to the management plane, and maintaining active vigilance over the documented indicators of compromise. Applying the CVE-2026-20182 patch is not just a fix for a prior vulnerability; in this context, it is also the most effective mitigation currently available against CVE-2026-20245 while the specific patch remains unavailable.
When the patch arrives, prior detection and containment will be the difference between a contained incident and a compromise requiring complete network infrastructure recovery.
Sources consulted:
- Cisco PSIRT. “Cisco Catalyst SD-WAN Manager Authenticated Privilege Escalation Vulnerability” — Cisco Security Advisory (cisco-sa-sdwan-privesc-4uxFrdzx), published June 5, 2026
- Lakshmanan, R. “Cisco Catalyst SD-WAN Manager CVE-2026-20245 Flaw Actively Exploited – No Patch Available” — The Hacker News (June 6, 2026)
- Gatlan, S. “Cisco warns of unpatched SD-WAN zero-day exploited in attacks” — BleepingComputer (June 5, 2026)
- Zorz, Z. “Cisco SD-WAN 0-day exploited, no patch available (CVE-2026-20245)” — Help Net Security (June 5, 2026)
- CyberPress. “Cisco SD-WAN Flaw Exploited to Execute Root-Level Commands” — CyberPress (June 2026)
- SOC Prime. “CVE-2026-20245: Cisco SD-WAN Manager Zero-Day Enables Root Command Execution” — SOC Prime (June 2026)
- Rescana. “Active Exploitation Alert: Cisco Catalyst SD-WAN Manager CVE-2026-20245 Zero-Day Under Attack With No Patch Available” — Rescana (June 2026)
- Field Effect. “Active exploitation of unpatched Cisco SD-WAN Manager flaw” — Field Effect (June 2026)