Cisco’s SD-WAN Problems Won’t Stop — 7th Zero-Day Hit in 2026 Alone

Cisco has disclosed yet another zero-day vulnerability in its SD-WAN products — the seventh to see in-the-wild exploitation this year. This one, tracked as CVE-2026-20245, lets an attacker run arbitrary commands as root, and there’s no patch available yet.

The flaw lives in the command-line interface of Cisco Catalyst SD-WAN Manager. According to Cisco’s advisory, it stems from insufficient validation of user-supplied input. An attacker with ‘netadmin’ privileges can upload a crafted file that injects commands and escalates to full root access.

The Attack Chain

On paper, the netadmin requirement limits the risk: an attacker already has to hold privileged access to pull this off. Here’s what makes it concerning anyway: Cisco itself acknowledges there are multiple ways to get that access. Earlier in 2026, the threat actor tracked as UAT-8616 exploited CVE-2026-20127 and CVE-2026-20182 — both SD-WAN authentication bypass flaws — to gain unauthorized access to these exact systems. In other words, this latest vulnerability could be the second stage in a chain that starts with an authentication bypass and ends with full root command execution across your SD-WAN infrastructure.

Cisco says exploitation has been “limited” so far, observed in cases where attackers pushed configuration changes to edge devices. That’s corporate-speak for: someone rewrote your network settings, and we don’t know exactly who or why.

Mandiant Found It, Cisco Scrambled

The vulnerability was reported by Mandiant, and Cisco says its PSIRT learned of the exploitation in June, so the advisory went out before a fix was ready. The company has released indicators of compromise but no patches, with fixes promised in a future Catalyst SD-WAN Manager release. No workarounds exist.

This is the seventh Cisco SD-WAN flaw to be flagged for in-the-wild exploitation in 2026. Six of them carry 2026 identifiers: CVE-2026-20122, CVE-2026-20127, CVE-2026-20128, CVE-2026-20133, CVE-2026-20182, and now CVE-2026-20245. The seventh is an older bug, CVE-2022-20775, which was also flagged for in-the-wild exploitation this year. The pattern is hard to miss: Cisco’s SD-WAN product line has become a high-value target, and defenders are stuck in a cycle of subscribe-alert-patch-repeat.

What You Should Do Right Now

If you’re running Cisco SD-WAN infrastructure, check for the published IoCs immediately. Audit your netadmin accounts: every account in that group should map to a named owner and a documented reason for holding it, and anything you can’t explain should be treated as suspect. Monitor for configuration changes pushed to edge devices that nobody scheduled, since that is how Cisco says the exploitation has shown up so far. And if you haven’t already segmented or restricted access to your Catalyst SD-WAN Manager, now would be the time.

There’s no patch to apply yet, so your options are detection and access control. Treat your SD-WAN management plane as compromised until you can verify otherwise.
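As an added example, not code from Cisco or from the original article: a small triage script that applies two of the checks above, an audit of who holds netadmin and a review of configuration pushes to edge devices, to an exported account list and a stream of audit events. The "user,group" account export and the "timestamp,user,action,target" event format are constructed for this example and are assumptions, not Catalyst SD-WAN Manager’s real export or log formats; adapt the two parsers to whatever your management plane actually produces.

```python
"""
Added example: triage an account export and a config-push event stream
for the two checks the article recommends. All input data below is
constructed; the record formats are assumptions, not Cisco's own.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed baseline: the netadmin accounts your change records say should exist.
APPROVED_NETADMINS = {"alice", "bob", "svc-backup"}

# Constructed export, "user,group" per line (assumed format, not Cisco's).
# "netadmin" is the privileged role named in the advisory.
ACCOUNT_EXPORT = """\
alice,netadmin
bob,netadmin
carol,operator
svc-backup,netadmin
support-tmp,netadmin
"""

# Constructed audit events, "timestamp,user,action,target" (assumed format).
AUDIT_EVENTS = """\
2026-06-02T09:15:00Z,alice,config_push,edge-nyc-01
2026-06-02T23:41:12Z,support-tmp,config_push,edge-lon-03
2026-06-03T01:05:44Z,bob,config_push,edge-fra-02
2026-06-03T10:20:00Z,carol,login,manager
"""

# Agreed change window in UTC hours: inclusive start, exclusive end.
CHANGE_WINDOW_UTC = (8, 18)


@dataclass(frozen=True)
class Finding:
    kind: str
    detail: str


def parse_accounts(export: str) -> dict[str, str]:
    """Map username -> group from the constructed export format."""
    accounts: dict[str, str] = {}
    for line in export.splitlines():
        if not line.strip():
            continue
        user, group = (f.strip() for f in line.split(",", 1))
        accounts[user] = group
    return accounts


def audit_netadmins(export: str, approved: set[str]) -> list[Finding]:
    """Flag every netadmin account that is not on the approved list.

    An account created or promoted after an authentication bypass shows
    up here, and so does a forgotten temporary account: either one is a
    foothold for the CLI injection the advisory describes.
    """
    return [
        Finding("unapproved_netadmin", user)
        for user, group in parse_accounts(export).items()
        if group == "netadmin" and user not in approved
    ]


def audit_config_pushes(events: str, approved: set[str],
                        window: tuple[int, int]) -> list[Finding]:
    """Flag config pushes to edge devices by unapproved accounts or
    outside the change window. Cisco reports the exploitation it has
    seen as configuration changes pushed to edge devices, so these are
    the events to watch.
    """
    findings: list[Finding] = []
    for line in events.splitlines():
        if not line.strip():
            continue
        ts_raw, user, action, target = (f.strip() for f in line.split(","))
        if action != "config_push":
            continue
        # fromisoformat() on older Pythons does not accept a trailing "Z".
        ts = datetime.fromisoformat(ts_raw.replace("Z", "+00:00")).astimezone(timezone.utc)
        where = f"{user} -> {target} at {ts_raw}"
        if user not in approved:
            findings.append(Finding("push_by_unapproved_account", where))
        elif not (window[0] <= ts.hour < window[1]):
            findings.append(Finding("push_outside_change_window", where))
    return findings


def triage() -> list[Finding]:
    """Run both checks on the constructed data and return all findings."""
    return (audit_netadmins(ACCOUNT_EXPORT, APPROVED_NETADMINS)
            + audit_config_pushes(AUDIT_EVENTS, APPROVED_NETADMINS, CHANGE_WINDOW_UTC))


if __name__ == "__main__":
    for finding in triage():
        print(f"[{finding.kind}] {finding.detail}")
```

On the constructed data this flags `support-tmp` as an unapproved netadmin, its off-hours push to `edge-lon-03` as a push by an unapproved account, and `bob`’s 01:05 UTC push to `edge-fra-02` as a push outside the change window. The point is the shape of the check, not the formats: a netadmin roster you can diff against a baseline, and config-push events you can match against who is allowed to push and when.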

What’s Next

With seven zero-days in roughly five months, Cisco’s SD-WAN story for 2026 is starting to look less like bad luck and more like a systemic problem, driven by a dedicated threat actor or group. Security teams should assume more disclosures are coming. If UAT-8616 or another group is running a campaign against these systems, there are likely more vulnerabilities queued up. Plan accordingly.