Cisco SD-WAN Manager Under Active Attack With No Patch (CVE-2026-20245)

· 2 min read · SecurityXP Editorial Desk

Cisco has confirmed active exploitation of a high-severity vulnerability in Catalyst SD-WAN Manager. No patch exists. The flaw, CVE-2026-20245, scores 7.8 on the CVSS scale. An authenticated attacker can execute arbitrary commands as root by uploading a crafted file to the CLI.

The advisory language is clinical. “A vulnerability in the CLI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, allows an authenticated, local attacker to execute arbitrary commands as root by supplying a crafted file to the affected system,” Cisco wrote. The root cause is insufficient input validation, which permits command injection and full privilege escalation.

The Authentication Catch

Netadmin privileges are required. That barrier seems solid. But Cisco admits those privileges can be obtained through valid credentials, or by chaining CVE-2026-20245 with companion vulnerabilities CVE-2026-20182 or CVE-2026-20127. The chain collapses quickly.

Rapid7 disclosed CVE-2026-20182 last month. CVSS 10.0. Unauthenticated remote attackers can gain administrative privileges. From there, pivoting to CVE-2026-20245 grants root command execution. Two bugs. Full compromise.

An attacker who lands on the SD-WAN Manager through the authentication bypass can upload a malicious file to the CLI. The system fails to sanitize the input properly. Commands execute as root. The attacker now controls the central orchestration point for the entire wide-area network.

Why Management Planes Stay Vulnerable

Enterprise networking has a recurring blind spot. Management interfaces with elevated privileges remain soft targets long after similar attack patterns have been documented. Threat actors stitch together medium-severity bugs into complete infrastructure compromise, particularly against edge-facing SD-WAN controllers that span cloud and on-prem environments.

Every deployment type is affected. On-Prem, Cloud-Pro, Cloud (Cisco Managed), and FedRAMP. All of them. Organizations running any of these configurations should treat their SD-WAN Manager as a critical attack surface. The fact that FedRAMP deployments are included raises the stakes for government contractors and agencies that rely on certified secure configurations.

Stopgaps While Waiting for the Patch

No patch exists yet for CVE-2026-20245. Until one ships: restrict netadmin access to essential personnel, monitor network traffic for CVE-2026-20182 exploitation indicators, and segment SD-WAN Manager instances from broader network access. These are temporary measures, not solutions.

“To exploit this vulnerability, the attacker must have netadmin privileges on the affected system,” Cisco added. “This would require valid credentials or exploitation of CVE-2026-20182 or CVE-2026-20127. Cisco is not aware of successful exploitation by other methods.” That reassurance is thin. CVE-2026-20182 is public knowledge and actively discussed in security circles.

Administrators should also review access logs for unusual CLI file uploads and unexpected privilege escalation events. Network traffic analysis can help detect the initial authentication bypass. When the patch arrives, apply it immediately across all deployment types. SD-WAN management planes need network segmentation and privileged access monitoring, not just routine patch management.
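An added triage script (not Cisco's tooling, and not Cisco's log format) that implements the two log checks above over a constructed audit log: netadmin accounts outside an allow list, and a CLI file upload followed by a root-level command within the same session. The pipe-delimited layout, field names and event names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log (hypothetical format): ts|user|role|session|event|detail
SAMPLE_LOG = """\
2026-03-01T10:00:01|alice|netadmin|s1|login|src=10.0.0.5
2026-03-01T10:00:09|alice|netadmin|s1|cli_file_upload|name=config.txt
2026-03-01T10:01:12|bob|netadmin|s2|login|src=198.51.100.7
2026-03-01T10:01:30|bob|netadmin|s2|cli_file_upload|name=x.bin
2026-03-01T10:01:31|bob|netadmin|s2|cmd_exec|uid=0 cmd=/bin/sh
2026-03-01T10:05:00|carol|operator|s3|login|src=10.0.0.9
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\|(?P<user>[^|]+)\|(?P<role>[^|]+)\|"
                     r"(?P<session>[^|]+)\|(?P<event>[^|]+)\|(?P<detail>.*)$")

def parse(log):
    """Return one dict per well-formed line; malformed lines are skipped."""
    rows = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows

def triage(log, allowed_netadmins):
    """Return sorted, de-duplicated (finding, user, session) tuples."""
    findings = set()
    by_session = defaultdict(list)
    for r in parse(log):
        # Check 1: netadmin privileges held by anyone outside the allow list.
        if r["role"] == "netadmin" and r["user"] not in allowed_netadmins:
            findings.add(("unexpected_netadmin", r["user"], r["session"]))
        by_session[r["session"]].append(r)
    # Check 2: a CLI file upload followed by a uid=0 command in the same session.
    for sid, rows in by_session.items():
        uploaded = False
        for r in rows:
            if r["event"] == "cli_file_upload":
                uploaded = True
            elif uploaded and r["event"] == "cmd_exec" and "uid=0" in r["detail"]:
                findings.add(("upload_then_root_exec", r["user"], sid))
                break
    return sorted(findings)

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG, {"alice"}):
        print(finding)
```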

Sources

  1. https://nvd.nist.gov/vuln/detail/CVE-2026-20245
  2. https://nvd.nist.gov/vuln/detail/CVE-2026-20182
  3. https://nvd.nist.gov/vuln/detail/CVE-2026-20127