A Zero-Day in Cisco's SD-WAN Manager Is Being Exploited Right Now — and There's No Patch

Cisco issued an emergency advisory Thursday warning of an actively exploited zero-day vulnerability in its Catalyst SD-WAN Manager — the centralized controller used to manage wide-area network infrastructure across enterprise environments. No patch exists. As a partial mitigation while the fix is developed, the company is telling customers to close off related vulnerabilities that attackers can use to reach the vulnerable code.
The vulnerability, tracked as CVE-2026-20245, carries a severity score of 7.8. It affects the command-line interface of Cisco Catalyst SD-WAN Manager across all deployment types: on-premises, cloud, Cisco-managed cloud, and FedRAMP government environments.
How It Works
The flaw stems from insufficient validation of user-supplied input. An attacker who has already obtained netadmin privileges — through valid credentials, credential theft, or by chaining this exploit with a separate authentication bypass flaw, CVE-2026-20182 — can upload a specially crafted file to the system. That upload triggers a command injection that escalates the attacker's access to root on the SD-WAN Manager host.
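The bug class described above, insufficient validation of a user-supplied upload that ends up in a privileged command, is easier to picture with a small illustration. The following Python upload handler is an added example written for this article; it is not Cisco's code and nothing about the real SD-WAN Manager implementation is known from the advisory. The staging directory, the tar extraction step and the filename allowlist are all constructed assumptions.

```python
import re
import subprocess
import tempfile
from pathlib import Path

# Hypothetical staging directory for uploaded config bundles (constructed for this example).
UPLOAD_DIR = Path(tempfile.mkdtemp(prefix="upload-demo-"))

# Allowlist: a short name made of letters, digits, dot, underscore and dash.
# Slashes, spaces, quotes and shell metacharacters cannot pass this check.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def build_vulnerable_command(filename: str) -> str:
    """Vulnerable pattern: the user-supplied name is spliced into a shell string.

    A name such as 'bundle.tgz; id' changes the meaning of the command once the
    string is handed to a shell running as root. This is the defect, shown only to
    contrast it with the hardened functions below; it is never executed here.
    """
    return f"tar -xzf /var/tmp/uploads/{filename} -C /opt/app/config"


def is_safe_filename(filename: str) -> bool:
    """Reject anything outside the allowlist, including '..' path components."""
    return bool(SAFE_NAME.match(filename)) and ".." not in filename


def store_upload(filename: str, data: bytes) -> Path:
    """Hardened handling: validate the name, then confine the write to UPLOAD_DIR."""
    if not is_safe_filename(filename):
        raise ValueError(f"rejected upload name: {filename!r}")
    dest = (UPLOAD_DIR / filename).resolve()
    if dest.parent != UPLOAD_DIR.resolve():
        raise ValueError("upload path escaped the staging directory")
    dest.write_bytes(data)
    return dest


def build_hardened_command(bundle: Path) -> list:
    """Argument list for subprocess: no shell is involved, so metacharacters are inert."""
    return ["tar", "-xzf", str(bundle), "-C", "/opt/app/config"]


def extract_bundle(bundle: Path) -> int:
    """Run the extraction without a shell; returns tar's exit code."""
    return subprocess.run(build_hardened_command(bundle), check=False).returncode


if __name__ == "__main__":
    print("vulnerable string:", build_vulnerable_command("bundle.tgz; id"))
    for name in ("bundle.tgz", "bundle.tgz; id", "../etc/cron.d/job", "$(id).tgz"):
        print(f"{name!r:28} accepted={is_safe_filename(name)}")
```

Two controls do the work: the allowlist decides what a name may look like before it touches the filesystem, and the argument-list form of `subprocess.run` keeps the name out of any shell, so even an unexpected character has no effect on the command.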
From there, the damage compounds quickly: Cisco has confirmed "limited instances" in which active exploitation led to unauthorized configuration changes being pushed to edge devices across the affected organization's wide-area network. That is not a theoretical risk — it is what attackers have already done.
The vulnerability was discovered and reported to Cisco's Product Security Incident Response Team by Mandiant, Google Cloud's cybersecurity subsidiary, earlier in June.
What to Do Right Now
Cisco's advisory does not offer a patch for CVE-2026-20245 directly. Instead, the company recommends upgrading to software versions that resolve two prior vulnerabilities — CVE-2026-20182 and CVE-2026-20127 — which can serve as preconditions for the attack chain. Fixing those entry points removes one of the primary ways attackers gain the netadmin access needed to trigger the zero-day.
Before upgrading, Cisco tells administrators to run the request admin-tech command from each control component in their SD-WAN deployment to preserve any indicators of compromise for later forensic investigation. To check whether a system has already been targeted, administrators should inspect the /var/log/scripts.log file for suspicious attempts to upload tenant configuration data to vSmart controllers.
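Administrators doing the log check above usually want something repeatable rather than a manual read of the file. The script below is an added example for this article, not a Cisco tool. The format of /var/log/scripts.log is not documented here, so the key=value sample lines, the field names and the tenant/vSmart patterns are constructed assumptions to be tuned against a genuine copy of the log (ideally the one preserved by request admin-tech).

```python
import re
import sys
from collections import Counter

# Constructed sample lines in a key=value style; the real file may differ.
SAMPLE_LOG = """\
2026-06-12 08:01:13 INFO user=admin script=backup.sh action=run status=ok
2026-06-12 08:14:52 INFO user=netadmin script=tenant_config_upload action=push target=vsmart-1 status=ok
2026-06-12 08:15:03 WARN user=netadmin script=tenant_config_upload action=push target=vsmart-2 status=failed
2026-06-12 08:15:09 INFO user=netadmin script=tenant_config_upload action=push target=vsmart-1 file=../../tmp/x.tgz status=ok
2026-06-12 09:00:00 INFO user=admin script=healthcheck.sh action=run status=ok
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<level>\S+) (?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")
# Assumed indicators: tenant configuration handling aimed at a vSmart controller.
TENANT = re.compile(r"tenant", re.I)
VSMART = re.compile(r"vsmart", re.I)


def parse_line(line):
    """Split a log line into timestamp, level and key=value fields; None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "level": m.group("level"), "raw": line}
    rec.update(KV_RE.findall(m.group("rest")))
    return rec


def find_tenant_upload_attempts(text):
    """Return parsed records for lines that combine tenant config activity with a vSmart target."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None or not (TENANT.search(line) and VSMART.search(line)):
            continue
        reasons = ["tenant config activity targeting vSmart"]
        if rec.get("status") == "failed":
            reasons.append("failed attempt")
        path = rec.get("file", "")
        if ".." in path or "/" in path:
            reasons.append(f"suspicious file path {path}")
        rec["line_no"] = n
        rec["reasons"] = reasons
        hits.append(rec)
    return hits


def summarize_by_user(hits):
    """Count flagged lines per account, so a single busy netadmin stands out."""
    return dict(Counter(h.get("user", "?") for h in hits))


def scan_file(path):
    """Scan a real log file; undecodable bytes are replaced rather than aborting the scan."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_tenant_upload_attempts(fh.read())


if __name__ == "__main__":
    hits = scan_file(sys.argv[1]) if len(sys.argv) > 1 else find_tenant_upload_attempts(SAMPLE_LOG)
    for h in hits:
        print(f"line {h['line_no']}: {h['ts']} user={h.get('user')} -> {'; '.join(h['reasons'])}")
    print("per-user:", summarize_by_user(hits))
```

Run it with the path to a preserved copy of the log as the only argument; with no argument it scans the built-in sample. Every flagged line still needs a human to decide whether it matches a legitimate change window, which is why the output keeps the timestamp and account rather than just a count.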
Why SD-WAN Matters
Cisco Catalyst SD-WAN is deployed across enterprise networks, ISPs, government agencies, and critical infrastructure operators globally. The SD-WAN Manager is the administrative brain of these deployments — it controls routing policies, quality-of-service rules, and security policies across potentially thousands of connected edge devices.
Compromise of the manager does not just affect one device. It gives attackers leverage over the entire network fabric. The confirmation that exploit activity has already resulted in configuration changes being pushed to edge devices means this is not a theoretical enterprise risk — it is an active incident playing out at organizations that have not yet applied mitigations.
If your organization runs Cisco Catalyst SD-WAN Manager, treat this as a P1. Audit your logs, preserve forensic state before patching, and upgrade immediately to versions that address the prerequisite vulnerabilities.
Source: BleepingComputer | HelpNetSecurity