Cisco’s SD-WAN Nightmare Continues: Seventh Zero-Day Exploited This Year Alone

Cisco has disclosed yet another zero-day vulnerability in its SD-WAN products — the seventh to see active exploitation in 2026. The flaw, tracked as CVE-2026-20245, allows an attacker to execute arbitrary commands as root on affected Catalyst SD-WAN Manager systems, and there’s no patch available yet.

How the Attack Works

The vulnerability sits in the command-line interface of Cisco Catalyst SD-WAN Manager. It stems from insufficient validation of user-supplied input — a classic security mistake with serious consequences. An attacker with ‘netadmin’ privileges can upload a specially crafted file and inject commands that run with full root access.

Now, ‘netadmin’ privileges aren’t trivial to get. But here’s the thing — attackers don’t need to start from scratch. Cisco itself noted that credentials could be compromised through other known SD-WAN flaws, like CVE-2026-20182 or CVE-2026-20127, both of which were also exploited in the wild this year. It’s a chain: one flaw gets you in the door, this one gives you the keys to the kingdom.

A Pattern That Should Worry Everyone

Seven zero-days. In six months. That’s not a bad quarter — that’s a systemic problem. Cisco’s SD-WAN product line has become a magnet for sophisticated attackers, and the pace of disclosures shows no sign of slowing. Earlier this year, a threat actor tracked as UAT-8616 exploited multiple Cisco SD-WAN vulnerabilities in campaigns that Cisco described as ‘highly sophisticated.’ The group used CVE-2026-20127 and CVE-2026-20182 to break into systems before those were even patched.

This latest flaw was reported by Mandiant, which tells you something about the severity. Mandiant doesn’t typically get involved in low-stakes vulnerability research. Cisco’s PSIRT team learned about the active exploitation in June and moved quickly to disclose it, releasing indicators of compromise even though a fix isn’t ready.

What Organizations Should Do Right Now

There’s no workaround and no patch. That’s the brutal reality. But there are steps you can take immediately. First, audit who has netadmin access on your SD-WAN Manager systems — reduce that list to the absolute minimum. Second, monitor for the IoCs Cisco has published. Third, watch for any unexpected configuration changes pushed to edge devices, which Cisco says have already been observed in limited attacks.
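As an added example (not Cisco’s code and not from this article), the script below carries out the first and third steps on constructed sample data: it flags netadmin accounts that are unused or stale, and flags configuration pushes to edge devices that come from an unapproved account or outside the expected change hours. The record fields and the approved-user list are assumptions, not the SD-WAN Manager’s real export format.

```python
"""Least-privilege review of netadmin accounts and a config-push check.
Added example on constructed data; the record formats are assumed."""
from datetime import datetime, timedelta

# Constructed sample of local accounts and their privilege groups.
SAMPLE_USERS = [
    {"user": "alice", "groups": ["netadmin"], "last_login": "2026-06-20"},
    {"user": "svc-monitor", "groups": ["operator"], "last_login": "2026-06-22"},
    {"user": "bob", "groups": ["netadmin"], "last_login": "2026-01-03"},
    {"user": "vendor-tmp", "groups": ["netadmin"], "last_login": None},
]

# Constructed sample of configuration-push events to edge devices.
SAMPLE_PUSHES = [
    {"time": "2026-06-23T02:10:00", "user": "alice", "device": "edge-01"},
    {"time": "2026-06-23T14:35:00", "user": "bob", "device": "edge-07"},
    {"time": "2026-06-23T03:05:00", "user": "vendor-tmp", "device": "edge-03"},
]


def review_netadmins(users, now_iso, stale_days=30):
    """Return netadmin accounts that have never logged in or have not
    logged in within stale_days; these are candidates for removal."""
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=stale_days)
    flagged = []
    for u in users:
        if "netadmin" not in u["groups"]:
            continue
        last = u["last_login"]
        if last is None or datetime.fromisoformat(last) < cutoff:
            flagged.append(u["user"])
    return flagged


def unexpected_pushes(pushes, approved_users, start_hour=8, end_hour=18):
    """Return (user, device) for pushes by an account outside the approved
    change list or outside the expected change hours [start_hour, end_hour)."""
    flagged = []
    for p in pushes:
        hour = datetime.fromisoformat(p["time"]).hour
        if p["user"] not in approved_users or not (start_hour <= hour < end_hour):
            flagged.append((p["user"], p["device"]))
    return flagged


if __name__ == "__main__":
    print("stale/unused netadmins:", review_netadmins(SAMPLE_USERS, "2026-06-23"))
    print("suspicious pushes:", unexpected_pushes(SAMPLE_PUSHES, {"alice", "bob"}))
```

Feed it your real account export and change log in place of the constructed samples; the thresholds and hours are starting points to tune for your environment.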

If you’re running Cisco SD-WAN infrastructure, this isn’t a ‘wait and see’ situation. The attackers clearly have your playbook. It’s time to assume they’re already looking at your environment and act accordingly.

What’s Next

Cisco says patches will come in a future Catalyst SD-WAN Manager release, but hasn’t committed to a timeline. Given that this is the seventh zero-day of the year, pressure is mounting on Cisco to do more than just patch individual flaws — the architecture itself may need rethinking. In the meantime, expect more exploitation. When a zero-day gets disclosed without a patch, every threat actor on the internet starts scanning within hours. If you haven’t hardened your SD-WAN deployment yet, the clock is ticking.