Cisco’s SD-WAN Problems Keep Piling Up — Seventh Zero-Day Exploited This Year Alone

Cisco is dealing with yet another zero-day in its SD-WAN product line. The company disclosed on Thursday that CVE-2026-20245 is being actively exploited in the wild — making it the seventh Cisco SD-WAN vulnerability with confirmed exploitation in 2026. There’s no patch yet.

The Vulnerability

CVE-2026-20245 lives in the command-line interface of Cisco Catalyst SD-WAN Manager. It’s a command injection flaw rooted in insufficient validation of user-supplied input. An attacker who’s already authenticated with ‘netadmin’ privileges can upload a crafted file and execute arbitrary commands as root on the affected system.

Now, the bar for exploitation isn’t trivial — you need netadmin access first. But Cisco itself points out that this access can be obtained by compromising credentials or by chaining other SD-WAN vulnerabilities. Two earlier flaws — CVE-2026-20182 and CVE-2026-20127 — were both exploited this year and could serve as the entry point for an attacker to reach the privilege level needed for CVE-2026-20245.

Cisco says it’s seen “limited cases” where exploitation of this bug resulted in configuration changes pushed to edge devices. That’s a significant detail: this isn’t just about compromising a management console. An attacker who gets root on the SD-WAN Manager can potentially push malicious configurations out to every edge device in the network.

The Attribution Trail

The vulnerability was reported to Cisco by Mandiant, which suggests a serious threat actor is behind the exploitation. Cisco’s PSIRT learned about the in-the-wild attacks in June and moved quickly to disclose. The company has released indicators of compromise but hasn’t shared details about the threat actor or the targeted organizations.

Earlier this year, a group tracked as UAT-8616 exploited CVE-2026-20127 and CVE-2026-20182 in Cisco SD-WAN products. Whether the same group is behind the CVE-2026-20245 exploitation isn’t confirmed, but the pattern is concerning — sophisticated attackers are clearly focused on Cisco’s SD-WAN stack.

What You Should Do

If you’re running Cisco Catalyst SD-WAN Manager, there’s no patch and no workaround available right now. Your immediate steps: review all netadmin accounts for signs of compromise, audit recent file uploads to the system, check for unexpected configuration changes on edge devices, and monitor Cisco’s advisory for the patch release. Make sure you’ve applied fixes for CVE-2026-20182 and CVE-2026-20127 if you haven’t already — those flaws can be the stepping stone to exploiting this one.

Also pull and analyze the IoCs Cisco has made available. If you find matches in your environment, treat it as an active incident and begin your response process immediately.

The Pattern Is the Problem

Seven zero-days exploited in the wild in six months. That’s not just bad luck — it suggests either a fundamental architectural issue in Cisco’s SD-WAN products or a highly resourced adversary specifically targeting this stack. Probably both. Cisco has been patching aggressively, but the pace of discovery isn’t slowing down. Organizations running SD-WAN Manager should assume that additional zero-days will emerge and plan their defensive posture accordingly — network segmentation, strict access controls, and continuous monitoring of the management plane aren’t optional anymore.