Cisco has issued an urgent security advisory after confirming active exploitation of a newly discovered vulnerability affecting its Catalyst SD-WAN Manager platform. The flaw, identified as CVE-2026-20245, currently has no available security patch, raising concerns for organizations using affected SD-WAN deployments.
The vulnerability carries a CVSS severity rating of 7.8 and impacts multiple Cisco SD-WAN environments, including on-premises installations, Cloud-Pro deployments, Cisco-managed cloud services, and government-focused FedRAMP implementations.
According to Cisco, the security issue exists within the command-line interface (CLI) component of Catalyst SD-WAN Manager, previously known as SD-WAN vManage. The flaw stems from inadequate validation of user-provided input, allowing a malicious actor with sufficient privileges to upload a specially crafted file and execute arbitrary commands with root-level access.
Privilege Escalation Through Crafted File Uploads
Security researchers explain that attackers can exploit the vulnerability through command injection techniques. Successful exploitation enables elevated privileges, potentially granting complete control over the affected system.
Cisco noted that attackers must already possess netadmin-level access to leverage the flaw. Such access could be obtained using legitimate credentials or by exploiting previously disclosed authentication bypass vulnerabilities, including CVE-2026-20182 and CVE-2026-20127.
Connection to Earlier Cisco Security Flaws
The newly disclosed vulnerability follows a series of security incidents involving Cisco SD-WAN products this year. Earlier vulnerabilities, including CVE-2026-20182 and CVE-2026-20127, allowed unauthorized attackers to bypass authentication controls and gain administrative access to vulnerable systems.
Cybersecurity researchers previously linked exploitation of CVE-2026-20127 to a threat activity cluster known as UAT-8616, with attacks reportedly dating back several years. Both authentication bypass vulnerabilities have been observed in real-world attacks, increasing concern about their role in facilitating exploitation of the latest flaw.
Evidence of Active Exploitation
Cisco reported observing a limited number of incidents in which attackers successfully exploited CVE-2026-20245 to modify configurations distributed to SD-WAN edge devices. The company has not publicly identified the threat actors responsible for the attacks.
The vulnerability was discovered and responsibly disclosed by security researchers Chester Sng, Pete Boonyakarn, and Logeswaran Nadarajan of Google Mandiant.
No Fix Available Yet
At the time of disclosure, Cisco had not released a software patch or workaround for CVE-2026-20245. Organizations are advised to ensure that previously released updates addressing CVE-2026-20182 and related vulnerabilities have been applied across their environments.
Security teams should also review systems exposed to the internet, as these deployments face a higher risk of compromise.
Recommended Monitoring and Detection Measures
Cisco recommends administrators inspect system logs for unusual file upload activities and command execution events. Particular attention should be given to entries within the /var/log/scripts.log file, where suspicious script execution or unauthorized upload operations may indicate compromise attempts.
Organizations should strengthen access controls, limit administrative privileges, and continuously monitor SD-WAN infrastructure for abnormal behavior until an official patch becomes available.
Growing Number of Exploited Cisco SD-WAN Vulnerabilities
CVE-2026-20245 marks the seventh Cisco SD-WAN vulnerability confirmed to be actively exploited during 2026. The trend highlights the increasing focus of threat actors on networking and infrastructure management platforms that provide access to critical enterprise environments.
The disclosure comes shortly after Cisco addressed another high-severity vulnerability in Unified Communications Manager, tracked as CVE-2026-20230. While proof-of-concept exploit code for that flaw is publicly available, Cisco has stated that there is currently no evidence of active attacks targeting it.
As cybercriminals continue to target enterprise networking solutions, organizations are encouraged to maintain rigorous patch management practices, enforce least-privilege access policies, and monitor vendor advisories for emerging threats.
