Cisco has confirmed active exploitation of the CVE-2026-20245 (CVSS 7.8) vulnerability in Cisco Catalyst SD-WAN Manager, which allows an authenticated local attacker to execute arbitrary commands with root privileges by uploading a specially crafted file. A patch is currently not available. The vulnerability affects all deployment types — from on-premises installations to cloud and government (FedRAMP) configurations. Cisco has recorded cases where exploitation led to the modification of edge device configurations, creating a direct threat to the integrity of the entire SD-WAN infrastructure.
Technical details of the vulnerability
According to the official Cisco advisory, the vulnerability is located in the command-line interface (CLI) of Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage). The root cause is insufficient validation of user input. By uploading a specially crafted file into the system, an attacker can perform command injection and escalate privileges to root level.
Affected deployment types:
- On-premises installations (On-Prem Deployment)
- Cisco SD-WAN Cloud-Pro
- Cisco SD-WAN Cloud (Cisco-managed)
- Cisco SD-WAN for Government (FedRAMP)
The key constraint: to exploit CVE-2026-20245, the attacker needs netadmin-level privileges. Cisco explicitly states that such access can be obtained in two ways — via valid credentials or by exploiting one of two authentication bypass vulnerabilities: CVE-2026-20182 or CVE-2026-20127. The company has not observed any other confirmed methods of gaining initial access.
Attack chain: from authentication bypass to root
It is precisely the combination of vulnerabilities that makes the situation particularly dangerous. CVE-2026-20182 (CVSS 10.0) is reported to be an authentication bypass that allows an unauthenticated remote attacker to obtain administrative privileges. A similar vulnerability in nature, CVE-2026-20127 (NVD), affects the same component. According to the source material, both vulnerabilities were exploited as zero-days.
Thus, a two-stage attack chain is formed:
- Initial access: exploitation of CVE-2026-20182 or CVE-2026-20127 for authentication bypass and obtaining administrative (netadmin) privileges
- Privilege escalation: uploading a malicious file via the CLI to exploit CVE-2026-20245 and gain root access
This chain turns a CVSS 7.8 vulnerability that requires local authentication into an effectively remote attack with full system compromise — provided the preceding authentication bypass vulnerabilities remain unpatched.
Observed activity and indicators of compromise
Cisco has reported a limited number of cases where exploitation of CVE-2026-20245 led to configuration changes propagated to edge devices. This means that attackers are not merely gaining access to the management platform, but are also able to influence the configuration of the entire SD-WAN fabric — routers and access points at the network edge.
The vulnerability was discovered and reported by Google Mandiant researchers — Chester Sng, Pete Boonyakarn, and Logeswaran Nadarajan. The parties responsible for the observed exploitation have not yet been identified.
To detect signs of compromise, Cisco recommends checking the /var/log/scripts.log file for suspicious entries. Example indicators:
- Entries with paths to non-standard files, for example:
/usr/bin/vconfd_script_upload_tenant_list.sh -cli path /home/admin/malicious.csv vpn 0 - Legitimate entries for comparison:
/usr/bin/vconfd_script_upload_vsmart_serial_numbers.sh -cli path /home/admin/vsmart_serial_numbers_safe.csv - Legitimate entries:
/usr/bin/vconfd_script_upload_chassis_number_file.sh -cli path /home/admin/chassis_numbers_safe.csv
Special attention should be paid to non-standard file names in the upload-script arguments and to entries that do not match typical maintenance operations.
Scale of the problem: systemic Cisco SD-WAN crisis
According to the source material, CVE-2026-20245 has become the seventh Cisco SD-WAN vulnerability to be classified as actively exploited this year. Previously, attacks were observed via CVE-2026-20122, CVE-2026-20128, CVE-2026-20133 and CVE-2022-20775 — in addition to the aforementioned CVE-2026-20182 and CVE-2026-20127.
Such a concentration of actively exploited vulnerabilities in a single product indicates a sustained attacker interest in SD-WAN infrastructure as an entry point into corporate networks. SD-WAN management platforms control routing, security policies, and the configuration of dozens or hundreds of edge devices — compromising them gives the attacker leverage over the entire distributed network.
Cisco also warns that systems accessible from the internet are at increased risk of compromise.
Response recommendations
Since a patch for CVE-2026-20245 is currently not available and no workarounds have been proposed, priority actions focus on remediating the preceding vulnerabilities in the attack chain and on monitoring:
- Immediately apply the fixes for CVE-2026-20182, released on May 14, 2026. This blocks the primary vector for gaining the initial access required to exploit CVE-2026-20245
- Check the
/var/log/scripts.logfile on all SD-WAN Manager instances for anomalous entries with non-standard file paths - Restrict access to SD-WAN Manager from the internet — remove the management interface from public exposure if this has not yet been done
- Audit accounts with netadmin privileges — ensure there are no unauthorized accounts
- Review edge device configurations for unauthorized changes, given the confirmed cases of malicious configurations being pushed to edge devices
Organizations using Cisco Catalyst SD-WAN Manager in any deployment model must treat this situation as an incident requiring immediate response: active exploitation has been confirmed, no patch is available, and the only protection currently available is remediation of the preceding authentication vulnerabilities and enhanced monitoring. Priority number one is to ensure that fixes for CVE-2026-20182 are installed on all instances and that management interfaces are isolated from direct internet access.
