Cisco’s SD-WAN Nightmare: 7th Zero-Day Hit in 2026 and Still No Patch

Cisco just disclosed its seventh actively exploited SD-WAN zero-day of 2026, and there’s no fix available yet. The vulnerability — CVE-2026-20245 — lets an attacker with basic admin access run arbitrary commands as root on Cisco Catalyst SD-WAN Manager systems, effectively handing them the keys to the kingdom.

How the Attack Works

The flaw lives in the command-line interface of Cisco Catalyst SD-WAN Manager. It’s an input validation problem: an attacker with ‘netadmin’ privileges can upload a specially crafted file and inject commands that execute as root. Cisco says the attacker needs those netadmin credentials first, but that’s not much of a barrier — they can be stolen, or obtained by chaining other SD-WAN vulnerabilities like CVE-2026-20182 or CVE-2026-20127, both of which were also exploited in the wild this year.

Once inside, the attacker can push malicious configuration changes to edge devices across the entire SD-WAN deployment. Cisco has already observed limited cases of exactly this happening.

The Bigger Pattern

Seven zero-days in one product line in a single year isn’t a coincidence — it’s a systemic problem. Cisco’s SD-WAN platform has become a high-value target, and threat actors are clearly investing serious effort into finding cracks. The group tracked as UAT-8616 has been particularly active, previously exploiting CVE-2026-20127 and CVE-2026-20182 to breach SD-WAN systems. This latest bug was reported by Mandiant, which suggests professional threat intelligence teams are tracking the exploitation closely.

What’s especially concerning is the timeline. Cisco’s PSIRT learned about active exploitation in June and rushed to disclose it — meaning attackers had a head start. And with no workaround available, organizations are stuck waiting for a patch while potentially exposed.

What You Should Do Right Now

If you’re running Cisco Catalyst SD-WAN Manager, audit your netadmin accounts immediately. Look for any unauthorized access, unusual file uploads, or unexpected configuration changes pushed to edge devices. Cisco has published indicators of compromise — pull those and run them against your logs.

Restrict CLI access to only those who absolutely need it. Monitor for any use of the file upload functionality. And keep a very close eye on Cisco’s advisory for the patch release date.
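The audit steps above can be run as a log triage pass. This is an added example, not Cisco tooling and not taken from the advisory: it assumes a hypothetical JSON-lines audit export with the fields `ts`, `user`, `role`, `src`, `action` and `target`, and an account allowlist, management subnet and time window that you define. The sample records are constructed.

```python
import ipaddress
import json
from datetime import datetime, timedelta

# Assumptions (site-specific, not from Cisco): approved accounts, mgmt subnet, window.
APPROVED_NETADMINS = {"netops-alice"}
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]
WINDOW = timedelta(minutes=30)

# Constructed sample records in a hypothetical JSON-lines audit schema.
SAMPLE_LOG = """\
{"ts":"2026-06-02T08:00:00","user":"netops-alice","role":"netadmin","src":"10.20.0.15","action":"login"}
{"ts":"2026-06-02T08:05:00","user":"netops-alice","role":"netadmin","src":"10.20.0.15","action":"config_push","target":"edge-12"}
{"ts":"2026-06-03T02:11:00","user":"svc-backup","role":"netadmin","src":"198.51.100.7","action":"login"}
{"ts":"2026-06-03T02:14:00","user":"svc-backup","role":"netadmin","src":"198.51.100.7","action":"file_upload","target":"import.tar"}
{"ts":"2026-06-03T02:20:00","user":"svc-backup","role":"netadmin","src":"198.51.100.7","action":"config_push","target":"edge-03"}
"""

def in_mgmt_net(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in MGMT_NETS)

def triage(log_text):
    """Return (timestamp, user, reason) findings for netadmin activity."""
    findings, last_upload = [], {}
    for line in filter(str.strip, log_text.splitlines()):
        ev = json.loads(line)
        if ev.get("role") != "netadmin":
            continue
        ts, user = datetime.fromisoformat(ev["ts"]), ev["user"]
        if ev["action"] == "login":
            # Account audit: who holds netadmin, and where do they log in from?
            if user not in APPROVED_NETADMINS:
                findings.append((ev["ts"], user, "unapproved netadmin account"))
            if not in_mgmt_net(ev["src"]):
                findings.append((ev["ts"], user, "login from outside management network"))
        elif ev["action"] == "file_upload":
            # Every netadmin upload is reported and remembered for correlation.
            last_upload[user] = ts
            findings.append((ev["ts"], user, "file upload: " + ev.get("target", "?")))
        elif ev["action"] == "config_push":
            # A push to an edge device soon after an upload by the same user.
            up = last_upload.get(user)
            if up is not None and ts - up <= WINDOW:
                findings.append((ev["ts"], user, "config push after upload: " + ev.get("target", "?")))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding, sep="  ")
```

Map the field names and action values to whatever your log export actually contains before relying on the output.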

What’s Next

Cisco says patches will come in a future Catalyst SD-WAN Manager release, but hasn’t committed to a date. Given that this is the seventh zero-day in this product line this year, organizations should seriously evaluate whether their SD-WAN management interfaces are adequately segmented and monitored. The pattern suggests more will come.