Cisco SD-WAN CVE-2026-20245 Actively Exploited, No Patch Yet

Cisco Catalyst SD-WAN Manager CVE-2026-20245 Actively Exploited With No Patch Available

A high-severity privilege escalation vulnerability in Cisco Catalyst SD-WAN Manager is being actively exploited in the wild, and no patch currently exists to fix it. CVE-2026-20245, rated 7.8 on the CVSS scale, enables an attacker who holds local system access to execute arbitrary commands as root by uploading a specially crafted file to the affected platform. Cisco disclosed the active exploitation on June 6, 2026, crediting researchers at Google Mandiant with the discovery. With no remediation path available, every organization running a vulnerable deployment faces a straightforward and urgent problem: exposure confirmed, fix unavailable.

What CVE-2026-20245 Does and How Attackers Use It

The flaw resides in the command-line interface (CLI) of Cisco Catalyst SD-WAN Manager, the centralized management platform formerly marketed as SD-WAN vManage. The underlying weakness is insufficient validation of user-supplied input. When an attacker uploads a crafted file to the system, the platform fails to adequately sanitize its contents before processing them, enabling command injection that culminates in full root-level access on the affected host.

CVE-2026-20245 affects four deployment types: on-premises installations, Cisco SD-WAN Cloud-Pro, Cisco SD-WAN Cloud managed by Cisco, and Cisco SD-WAN for Government operating under FedRAMP authorization. All four are confirmed as vulnerable.

Why the Authentication Requirement Is a Weak Barrier

Cisco’s advisory notes that exploitation requires the attacker to hold netadmin privileges on the target system. On the surface, that may sound like a meaningful constraint. In practice, it is not. Cisco itself confirmed that attackers can obtain the required access level by first exploiting either of two other vulnerabilities in the same platform, both of which are already under active exploitation. The authentication requirement is a gate that the broader attack chain has already learned to bypass.

The Three-Step SD-WAN Exploit Chain

To understand the real-world severity of CVE-2026-20245, the full attack sequence Cisco describes must be considered as a whole.

The entry point is CVE-2026-20182, a CVSS 10.0 authentication bypass disclosed in May 2026 by Rapid7. It allows a remote, unauthenticated attacker to obtain full administrative privileges on vulnerable Cisco SD-WAN Manager systems with no credentials required. The alternative entry point is CVE-2026-20127, a comparable authentication bypass in the same component, disclosed earlier in 2026. Both have been exploited as zero-days in the wild.

Cisco confirmed that CVE-2026-20245 exploitation follows directly from abuse of either of these bypasses. The combined sequence runs: gain administrative access without valid credentials through CVE-2026-20182 or CVE-2026-20127 and then escalate to root-level command execution through CVE-2026-20245. No legitimate credentials are required at any stage. The netadmin access threshold, while technically real, is simply step two in a chain that starts from the public internet.

[Figure: CISA SD-WAN vulnerability exploit chain]

Threat Actor UAT-8616 and a Pattern of Sustained SD-WAN Targeting

Cisco SD-WAN management infrastructure has been a high-priority target for threat actors for years. The cluster UAT-8616 has been linked to exploitation of CVE-2026-20127 as far back as 2023, indicating a sustained and persistent focus on SD-WAN management platforms well before 2026. While Cisco has not publicly attributed the current exploitation of CVE-2026-20245 to a specific actor, the operational continuity suggests deliberate, organized targeting rather than opportunistic scanning.

The confirmed impact of the current exploitation is not trivial. In limited but verified cases, Cisco observed attackers using CVE-2026-20245 to push configuration changes to edge devices connected to the compromised SD-WAN manager. In an SD-WAN environment, control over edge device configurations means the ability to redirect traffic, disable security policies, modify routing, and establish persistence across an organization’s entire wide-area network. The blast radius of a successful compromise extends well beyond the management server itself.

Seven Actively Exploited SD-WAN Flaws in 2026 Alone

CVE-2026-20245 is the seventh vulnerability across Cisco SD-WAN products to be flagged as actively exploited in 2026. The preceding six are CVE-2026-20182, CVE-2026-20127, CVE-2026-20122, CVE-2026-20128, CVE-2026-20133, and CVE-2022-20775. Seven actively exploited flaws in a single product line within a single calendar year is not background noise. It is a clear signal that Cisco SD-WAN infrastructure is a sustained, systematically targeted attack surface. Organizations still treating SD-WAN security as routine maintenance should reassess that posture immediately.

How Cisco Detected the Active Exploitation

The discovery and reporting of CVE-2026-20245 were credited to Google Mandiant researchers Chester Sng, Pete Boonyakarn, and Logeswaran Nadarajan. Cisco’s advisory included concrete indicators of compromise (IoCs), specifically log entries observable in the /var/log/scripts.log file on affected systems. The log patterns Cisco published show script execution involving file uploads to predictable home directory paths, giving defenders actionable detection signatures they can run against existing log data to determine whether exploitation has already occurred in their environment.
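The check described above, as an added example (this is not Cisco's tooling or the advisory's own IoC list): a small scanner that walks scripts.log and reports every script execution that references a file under a home-directory path, grouped by the owning account. The regex in PATTERNS is an assumed placeholder shape inferred from the advisory's description, not the exact strings Cisco published, so substitute those before trusting a negative result; the sample log lines, the timestamp format and the "vmanage" account name are constructed for the demo.

```python
"""Triage /var/log/scripts.log on a Cisco Catalyst SD-WAN Manager for script runs
that reference files under home-directory paths.

Added example, not Cisco tooling. PATTERNS is a placeholder shape inferred from the
advisory's description (uploads to predictable home-directory paths); replace it with the
exact IoC strings from Cisco's advisory before relying on the results.
"""
import re
import sys
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Pattern, Sequence

# Assumption: any script execution naming a file under /home/<user>/ deserves a look.
PATTERNS: Sequence[Pattern[str]] = (
    re.compile(r"""(?P<path>/home/(?P<user>[A-Za-z0-9._-]+)/[^\s'"]+)"""),
)


@dataclass(frozen=True)
class Finding:
    lineno: int
    user: str
    path: str
    line: str


def scan_lines(lines: Iterable[str], patterns: Sequence[Pattern[str]] = PATTERNS) -> List[Finding]:
    """Return one Finding per match; a line yields several if it names several paths."""
    findings: List[Finding] = []
    for lineno, raw in enumerate(lines, start=1):
        line = raw.rstrip("\n")
        for pat in patterns:
            for m in pat.finditer(line):
                user = m.groupdict().get("user") or "?"   # patterns without a user group still work
                findings.append(Finding(lineno, user, m.group(0), line))
    return findings


def scan_file(path: str = "/var/log/scripts.log") -> List[Finding]:
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_lines(fh)


def by_user(findings: Iterable[Finding]) -> Dict[str, int]:
    """Hits per home-directory owner: a burst under one unexpected account is the case to chase."""
    return dict(Counter(f.user for f in findings))


# Constructed sample lines (not real scripts.log output; the real format may differ).
SAMPLE_LOG = """\
2026-06-01 10:02:13 running /usr/bin/python3 /opt/vmanage/scripts/health_check.py
2026-06-01 10:05:44 running /bin/sh /home/vmanage/update.sh
2026-06-01 10:06:01 running /bin/sh /home/admin/.cache/x.sh arg=/home/admin/payload.tgz
2026-06-01 10:07:30 running /usr/bin/python3 /opt/vmanage/scripts/backup.py
"""


if __name__ == "__main__":
    # Usage: python3 scan_scripts_log.py [/var/log/scripts.log]; no argument scans the sample.
    target = sys.argv[1] if len(sys.argv) > 1 else None
    hits = scan_file(target) if target else scan_lines(SAMPLE_LOG.splitlines(True))
    for f in hits:
        print(f"line {f.lineno}: user={f.user} path={f.path}")
    print("hits per user:", by_user(hits))
```

Run it against a copy of the log from every SD-WAN Manager instance, not just one; a clean result from a scanner using placeholder patterns proves little, which is why the exact advisory strings belong in PATTERNS.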

No Patch Available: The Current Reality and Interim Guidance

As of June 6, 2026, Cisco has not released a patch for CVE-2026-20245 and has provided no specific mitigation that blocks the vulnerability directly. The most effective interim step available is ensuring that all software fixes for CVE-2026-20182, released on May 14, 2026, are fully deployed. Removing the authentication bypass that serves as the primary entry point significantly raises the bar for an attacker attempting to reach the privilege level CVE-2026-20245 requires.

Cisco also explicitly identified Internet-exposed SD-WAN Manager deployments as being at heightened risk. Any management interface reachable from the public internet should be treated as critically exposed until a direct patch is released.

Canadian Impact: SD-WAN Infrastructure, CCCS Guidance, and PIPEDA Obligations

Cisco SD-WAN is widely deployed across Canadian enterprise, telecommunications, financial services, and government environments. Federal departments, provincial agencies, and major Canadian carriers rely on SD-WAN management platforms to control distributed network infrastructure from coast to coast.

The Canadian Centre for Cyber Security (CCCS) has issued advisories on Cisco SD-WAN vulnerabilities in prior disclosure cycles and has consistently highlighted network infrastructure as a primary attack surface for both state-aligned actors and organized criminal groups. Canadian organizations running Cisco Catalyst SD-WAN Manager deployments should treat this not as a scheduled patch item but as an active threat requiring immediate investigation.

Under PIPEDA (Personal Information Protection and Electronic Documents Act), organizations handling personal information through a network infrastructure that is compromised must assess whether an incident has occurred and whether breach-of-safeguards reporting obligations are triggered. Cisco confirmed that in verified exploitation cases, attackers successfully pushed configuration changes to edge devices, representing exactly the kind of unauthorized access to network infrastructure that PIPEDA’s safeguard provisions are designed to address.

Canadian security teams should take three immediate steps: check /var/log/scripts.log files across all SD-WAN Manager instances for Cisco’s published IoC patterns, confirm that CVE-2026-20182 patches from May 14 are fully in place, and verify that no SD-WAN Manager management interface is directly reachable from the public internet.

Also Watching: Cisco UCM CVE-2026-20230 Has Public Exploit Code

Alongside the SD-WAN disclosures, Cisco recently patched a separate high-severity vulnerability in Unified Communications Manager, tracked as CVE-2026-20230 and carrying a CVSS score of 8.6. Cisco confirmed that proof-of-concept exploit code for this flaw is now publicly available. No active exploitation has been confirmed at the time of writing, but the public availability of working PoC code shortens the window considerably before real-world attempts begin. Organizations running Cisco UCM should apply available patches without delay.


Key Takeaways

  • CVE-2026-20245 is a high-severity (CVSS 7.8) command injection and privilege escalation flaw in Cisco Catalyst SD-WAN Manager with no patch or direct mitigation currently available.
  • Exploitation requires netadmin access, but attackers can acquire that access by first exploiting CVE-2026-20182 (CVSS 10.0) or CVE-2026-20127, both of which are already under confirmed active exploitation.
  • In confirmed exploitation cases, attackers successfully pushed configuration changes to SD-WAN edge devices, demonstrating meaningful network-wide impact beyond the management server.
  • Threat actor UAT-8616 has been linked to exploitation of related SD-WAN vulnerabilities dating back to at least 2023, indicating sustained, deliberate targeting of this platform.
  • CVE-2026-20245 is the seventh actively exploited Cisco SD-WAN vulnerability in 2026, confirming a concentrated and ongoing threat campaign against this product line.
  • Canadian organizations running Cisco SD-WAN in enterprise, government, or critical infrastructure environments should audit logs for IoCs in /var/log/scripts.log, apply CVE-2026-20182 patches, and remove management interfaces from public internet exposure immediately.
  • A separate Cisco UCM flaw, CVE-2026-20230 (CVSS 8.6), now has publicly available PoC exploit code and should be patched urgently before active exploitation begins.

What You Should Do Now

  1. Audit SD-WAN Manager logs immediately. Review /var/log/scripts.log on every Cisco Catalyst SD-WAN Manager system for the suspicious script execution patterns Cisco published in its advisory. Pay particular attention to entries referencing unexpected file uploads or script execution from home directory paths. This log check can reveal whether exploitation has already occurred in your environment.
  2. Confirm CVE-2026-20182 patches are fully applied. Ensure all SD-WAN software updates released on May 14, 2026, addressing CVE-2026-20182, are deployed across every affected system. These patches remove the primary unauthenticated entry point that precedes CVE-2026-20245 exploitation in the attack chain.
  3. Remove SD-WAN Manager interfaces from public internet exposure. Any Cisco Catalyst SD-WAN Manager management interface reachable from the public internet must be isolated behind a firewall or VPN without delay. Cisco explicitly named internet exposure as a heightened risk factor for active exploitation.
  4. Restrict netadmin privileges through least-privilege access controls. Audit all accounts holding netadmin-level access on SD-WAN Manager systems. Reduce this group to the minimum required, enforce multi-factor authentication on all administrative sessions, and review recent login activity for anomalies.
  5. Review edge device configurations against known-good baselines. Cisco confirmed that attackers used CVE-2026-20245 to push configuration changes to connected edge devices in verified cases. Compare current edge device configurations against trusted baselines and investigate any unauthorized changes, even those that appear minor.
  6. Assess PIPEDA reporting obligations if compromise indicators are found. Canadian organizations that identify IoCs matching the patterns Cisco published should involve their privacy officer or legal counsel immediately to determine whether a security safeguard breach assessment and potential reporting obligation arise under PIPEDA.
  7. Patch Cisco UCM for CVE-2026-20230 without waiting. Apply available patches for CVE-2026-20230 in all Unified Communications Manager deployments. Public PoC exploit code is already in circulation, which significantly reduces the time before active exploitation is likely. Do not wait for confirmed in-the-wild reports before acting.
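Step 5 above, the baseline comparison for edge devices, as an added example (not Cisco's tooling). It normalizes two text configurations, qualifies each line with its enclosing sections by indentation so that a line moved between sections or re-ordered within one is classified correctly, and reports exactly what was added and removed; a conventional unified diff is produced alongside for the ticket. The sample configurations are constructed and simplified, not real Catalyst SD-WAN edge output, and the comment prefixes are an assumption to adjust for your export format.

```python
"""Report drift between a trusted baseline and the running configuration of an edge device.

Added example, not Cisco tooling. Works on plain-text CLI-style configs. Sample configs are
constructed and simplified; they are not real Catalyst SD-WAN edge output.
"""
import difflib
from typing import Dict, List, Tuple

COMMENT_PREFIXES = ("!", "#")   # assumption: adjust to the comment syntax of your config export


def normalize(config: str) -> List[str]:
    """Drop blank and comment lines and trailing whitespace; keep order and indentation."""
    out: List[str] = []
    for line in config.splitlines():
        line = line.rstrip()
        if not line.strip() or line.lstrip().startswith(COMMENT_PREFIXES):
            continue
        out.append(line)
    return out


def qualified_lines(config: str) -> List[str]:
    """Prefix each line with its parent lines (by indentation), e.g.
    'interface ge0/0 > ip address 192.0.2.10/24', so the same statement under two
    sections stays distinct and the comparison can ignore ordering."""
    stack: List[Tuple[int, str]] = []
    out: List[str] = []
    for line in normalize(config):
        indent = len(line) - len(line.lstrip())
        while stack and stack[-1][0] >= indent:
            stack.pop()
        path = [parent for _, parent in stack] + [line.strip()]
        out.append(" > ".join(path))
        stack.append((indent, line.strip()))
    return out


def drift(baseline: str, current: str) -> Dict[str, List[str]]:
    """Order-insensitive set difference of section-qualified lines."""
    base, cur = set(qualified_lines(baseline)), set(qualified_lines(current))
    return {"added": sorted(cur - base), "removed": sorted(base - cur)}


def unified(baseline: str, current: str, name: str = "edge") -> str:
    """Order-sensitive view for the human reading the ticket."""
    return "\n".join(difflib.unified_diff(
        normalize(baseline), normalize(current),
        fromfile=f"{name}.baseline", tofile=f"{name}.current", lineterm=""))


# Constructed baseline and running config (simplified, not real device output).
BASELINE = """\
! constructed baseline
system
 host-name edge-tor-01
 site-id 101
interface ge0/0
 ip address 192.0.2.10/24
 tunnel-interface
  allow-service sshd
policy
 access-list BLOCK-INBOUND
  sequence 10
   action drop
"""

CURRENT = """\
system
 host-name edge-tor-01
 site-id 101
interface ge0/0
 ip address 192.0.2.10/24
 tunnel-interface
  allow-service sshd
  allow-service netconf
policy
 access-list BLOCK-INBOUND
  sequence 10
   action accept
"""


if __name__ == "__main__":
    for kind, lines in drift(BASELINE, CURRENT).items():
        for entry in lines:
            print(f"{kind:8} {entry}")
    print(unified(BASELINE, CURRENT, "edge-tor-01"))
```

Every entry the set difference reports is worth a look, including ones that appear cosmetic, which matches the page's advice to investigate minor changes; the unified diff is only there so a reviewer can see the surrounding context.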
