PROBABLYPWNED
Vulnerabilities | June 6, 2026 | 3 min read

Cisco SD-WAN Zero-Day Exploited for Root Access — No Patch

CVE-2026-20245 lets attackers with netadmin credentials execute arbitrary commands as root on Cisco Catalyst SD-WAN Manager. Active exploitation confirmed, no fix available yet.

Marcus Chen

Cisco disclosed a seventh SD-WAN zero-day this year—and this one is already being exploited in the wild with no patch in sight.

CVE-2026-20245 is a command injection vulnerability in the CLI of Cisco Catalyst SD-WAN Manager. Attackers who have obtained netadmin credentials can upload a crafted file to execute arbitrary commands as root, giving them complete control over affected deployments.

Google Mandiant researchers Chester Sng, Pete Boonyakarn, and Logeswaran Nadarajan discovered and reported the flaw. Cisco confirmed limited exploitation has already occurred, including incidents where attackers pushed malicious configuration changes to downstream edge devices.

How the Attack Works

The vulnerability stems from insufficient validation of user-supplied input in the SD-WAN Manager CLI. An authenticated attacker uploads a specially crafted file through the CLI workflow, triggering command injection that escalates to root privileges.

The catch: attackers need netadmin credentials first. But that bar is lower than it sounds. Threat actors can obtain these credentials through:

  1. Credential theft from prior compromises or phishing
  2. Chaining with CVE-2026-20182 — the authentication bypass we covered in May that CISA added to its KEV catalog
  3. Exploiting CVE-2026-20127 — another auth flaw that a "highly sophisticated" threat actor has leveraged since 2023

Once inside, the path to root is straightforward.

Every Deployment Type Affected

The vulnerability impacts all Cisco SD-WAN Manager deployment models:

  • On-premises installations
  • Cisco SD-WAN Cloud-Pro
  • Cisco SD-WAN Cloud (Cisco Managed)
  • Cisco SD-WAN for Government (FedRAMP)

There is no safe harbor. If you run SD-WAN Manager, you are potentially exposed.

No Patch, No Workaround

At disclosure, Cisco had not released a fix. There are no workarounds. The company recommends:

  1. Upgrade to versions that patch CVE-2026-20182 (released May 14) to close the auth bypass path
  2. Run request admin-tech before any upgrades to preserve forensic evidence
  3. Audit edge device configurations for unauthorized changes
  4. Contact Cisco TAC if you suspect compromise

Administrators should examine /var/log/scripts.log for suspicious entries. One signature to watch for:

vmanage vScript: Tenant list upload per vsmart serial number

This indicates potential malicious uploads to vSmart controllers.
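As an added, constructed example (not Cisco's tooling and not from the original article), here is a small scanner that flags the signature above in a scripts.log extract so hits can be triaged against change windows and netadmin activity; the "date time host message" line layout is an assumption, so adjust LINE_RE to what your appliance actually writes.

```python
"""Flag the vScript tenant-list upload signature in a scripts.log extract.

Constructed example for this article; not Cisco code. The line layout
(ISO date, time, host, message) is an assumption about the log format.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List

# Signature named in the advisory text; matched case-insensitively.
UPLOAD_SIGNATURE = "vmanage vScript: Tenant list upload per vsmart serial number"

# Assumed layout: "<YYYY-MM-DD> <HH:MM:SS> <host> <message>".
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+(?P<msg>.*)$"
)


@dataclass
class Hit:
    line_no: int   # 1-based line number in the extract
    timestamp: str # "?" when the line did not match the assumed layout
    host: str
    message: str


def scan_scripts_log(lines: Iterable[str]) -> List[Hit]:
    """Return every line containing the upload signature, parsed when possible."""
    needle = UPLOAD_SIGNATURE.lower()
    hits: List[Hit] = []
    for n, raw in enumerate(lines, start=1):
        line = raw.rstrip("\n")
        if needle not in line.lower():
            continue
        m = LINE_RE.match(line)
        if m:
            hits.append(Hit(n, m["ts"], m["host"], m["msg"]))
        else:
            # Unexpected layout: report it anyway rather than dropping a hit.
            hits.append(Hit(n, "?", "?", line))
    return hits


def scan_scripts_log_file(path: str = "/var/log/scripts.log") -> List[Hit]:
    """Convenience wrapper for scanning the live log or an exported copy."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_scripts_log(fh)


# Constructed sample: two routine lines and two signature lines.
SAMPLE_LOG = """\
2026-06-05 09:14:02 vmanage vScript: Device list refresh completed
2026-06-05 09:20:41 vmanage vScript: Tenant list upload per vsmart serial number
2026-06-05 09:21:10 vmanage vScript: Template push to 3 devices
2026-06-06 02:03:55 vmanage vScript: Tenant list upload per vsmart serial number
""".splitlines()

if __name__ == "__main__":
    for h in scan_scripts_log(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.timestamp} {h.host} -> {h.message}")
```

A hit is only a lead: confirm it against your own upload or tenant-management activity for that timestamp before treating it as compromise.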

Why This Keeps Happening

CVE-2026-20245 is the seventh exploited SD-WAN flaw disclosed in 2026. The pattern is concerning: Cisco's SD-WAN stack has become a reliable target for attackers who understand that network management infrastructure provides high-value access with broad lateral movement potential.

Each new vulnerability chains nicely with previous ones. Attackers who exploited CVE-2026-20182 for initial access now have CVE-2026-20245 to escalate to root. The cumulative effect creates a persistent threat that defenders struggle to contain.

Detection and Response

Beyond log monitoring, organizations should:

  • Review all netadmin account activity for anomalies
  • Audit recent configuration changes pushed to edge devices
  • Check for unauthorized files in CLI upload directories
  • Correlate with prior SD-WAN vulnerability IOCs from earlier 2026 disclosures

For organizations running Cisco Unified Communications infrastructure alongside SD-WAN, the exposure compounds—both product lines have seen critical flaws this month.

The Bigger Picture

Cisco's SD-WAN troubles reflect a broader trend: network infrastructure has become a primary attack surface. Appliances that manage traffic flow, routing, and edge connectivity offer attackers exactly what they want—central control over distributed networks.

The lack of immediate patches for critical infrastructure vulnerabilities is particularly frustrating. Organizations that followed best practices and deployed SD-WAN for its security and visibility benefits now face a period of exposure with no clear remediation timeline.

Until Cisco releases a fix, the only real mitigation is defense in depth: restrict netadmin access to the absolute minimum, monitor aggressively, and assume that determined attackers will find a way in.
