CVE-2026-20245: Cisco Catalyst SD-WAN Manager CLI Command Injection — Unpatched Root Privilege Escalation

CVE Details

CVE ID: CVE-2026-20245
CVSS Score: 7.8
Severity: High
Vendor: Cisco
Product: Catalyst SD-WAN Manager
Patch Status: Not Available
Published: June 10, 2026
EPSS Score: 0.4%
CISA Patch Deadline: July 1, 2026

Background

Cisco Catalyst SD-WAN Manager (formerly Cisco vManage) is the centralised management and orchestration platform for Cisco’s SD-WAN fabric. It provides a single pane of glass for configuring, monitoring, and managing all SD-WAN edge devices — routers, gateways, and WAN aggregation nodes — across an organisation’s distributed network. Enterprise deployments span financial services, healthcare, retail, and government, where SD-WAN Manager acts as the authoritative source of network policy for potentially thousands of edge devices.

CVE-2026-20245 is a command injection vulnerability in the SD-WAN Manager CLI that allows an authenticated attacker with netadmin-level privileges to execute arbitrary operating system commands as the root user. The vulnerability was discovered by Google Mandiant researchers Chester Sng, Pete Boonyakarn, and Logeswaran Nadarajan, and reported to Cisco. CISA added CVE-2026-20245 to the Known Exploited Vulnerabilities catalogue on June 9, 2026.

No patch is currently available. Cisco is still working on a fix. This is an unpatched zero-day with confirmed active exploitation.

Technical Mechanism

The vulnerability exists in the SD-WAN Manager CLI’s handling of user-supplied input during file upload operations. The root cause is classified as CWE-78 (Improper Neutralisation of Special Elements used in an OS Command — “OS Command Injection”): the application constructs an OS command using user-controlled input and fails to adequately neutralise shell metacharacters before passing that input to the operating system.

An attacker with netadmin privileges can craft a file upload request to the CLI that embeds shell metacharacters or command sequences in input parameters that are subsequently incorporated into a system command. Because the SD-WAN Manager process handling this operation runs with elevated privileges, the injected commands execute as root.
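The CWE-78 pattern described above, and the shape of the fix a defender would expect, as an added illustration (not Cisco code and not the vulnerable component). The upload directory, the `cp` staging step and the function names are hypothetical; the point is the difference between splicing user text into a shell command string and passing a validated argument list with no shell at all:

```python
import re
import subprocess

# Constructed illustration of CWE-78 and one way to harden it. The upload
# directory, function names and "cp" staging step are hypothetical assumptions;
# none of this is Cisco's code.
UPLOAD_DIR = "/var/tmp/uploads"                            # hypothetical destination
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")  # allow-list: no '/', no metacharacters, no leading dot


def build_command_unsafe(tmp_path: str, requested_name: str) -> str:
    """The vulnerable shape: user-controlled text is spliced into a command string
    that would be handed to a shell. Returned for inspection only, never executed."""
    return f"cp {tmp_path} {UPLOAD_DIR}/{requested_name}"


def validate_upload_name(requested_name: str) -> str:
    """Allow-list validation. fullmatch() means the whole name must consist of the
    permitted characters, so separators, whitespace, quotes, ';', '|', '$', '`' and
    traversal sequences are rejected outright rather than escaped."""
    if not SAFE_NAME.fullmatch(requested_name):
        raise ValueError(f"rejected upload name: {requested_name!r}")
    return requested_name


def build_command_safe(tmp_path: str, requested_name: str) -> list:
    """Hardened shape: validated name and an argv list. With shell=False the list
    goes straight to execve(), so no element is ever parsed by a shell."""
    name = validate_upload_name(requested_name)
    return ["cp", "--", tmp_path, f"{UPLOAD_DIR}/{name}"]


def stage_upload(tmp_path: str, requested_name: str) -> None:
    """Execute the hardened command (not exercised by the demo below)."""
    subprocess.run(build_command_safe(tmp_path, requested_name), check=True)


if __name__ == "__main__":
    for name in ("backup.tgz", "report 2026.txt", "a;b"):
        try:
            print("accepted:", build_command_safe("/tmp/u1", name))
        except ValueError as exc:
            print("rejected:", exc, "| unsafe form would have been:",
                  repr(build_command_unsafe("/tmp/u1", name)))
```

Two design choices matter here: validation is an allow-list (what a file name may contain) rather than a deny-list of known metacharacters, and the hardened path never calls a shell, so even a validation bug cannot turn into command execution.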

The practical exploitation path:

  1. Obtain netadmin access: The attacker must authenticate to SD-WAN Manager with netadmin-level privileges. This is a non-trivial requirement — netadmin is an operator-tier role above basic user access. However, Cisco has documented a chaining path: CVE-2026-20182 and CVE-2026-20127 are separate SD-WAN Manager vulnerabilities that can be used to escalate from lower-privileged access to netadmin, making the effective barrier lower in environments where those vulnerabilities are also present.

  2. Submit crafted file upload via CLI: With netadmin access, the attacker submits a specially crafted file upload command through the SD-WAN Manager CLI. The insufficient input validation allows the injected OS commands to pass through to the underlying shell.

  3. Root command execution: The injected commands execute with root privileges on the SD-WAN Manager host, giving the attacker full control of the management server.

  4. Downstream impact — edge device compromise: An attacker with root access to SD-WAN Manager can modify device templates and push configuration changes to all managed edge devices. Cisco has confirmed in-the-wild exploitation where attackers leveraged this to push malicious configurations to SD-WAN edge routers, effectively taking over the managed WAN fabric from a single initial compromise.

Real-World Exploitation Evidence

CISA added CVE-2026-20245 to the Known Exploited Vulnerabilities catalogue on June 9, 2026, with a remediation deadline of June 23, 2026. Active exploitation was confirmed before the patch cycle completed — this is a live zero-day with no vendor patch.

Cisco’s advisory states the company has observed exploitation in which successful command injection on SD-WAN Manager was followed by configuration changes being pushed to managed edge devices. This post-exploitation behaviour is consistent with a threat actor attempting to maintain persistent access across the entire SD-WAN fabric through a single management-plane compromise, rather than targeting individual edge devices directly.

The discovery by Google Mandiant researchers suggests the vulnerability may have been identified during incident response or threat intelligence analysis of active intrusion campaigns targeting SD-WAN infrastructure. Mandiant has historically identified SD-WAN management platforms as high-value targets for nation-state and sophisticated financially-motivated actors, given the network-wide visibility and control they provide.

No specific threat actor or campaign attribution for CVE-2026-20245 has been publicly confirmed at time of writing.

Impact Assessment

CVE-2026-20245 carries a CVSSv3.1 base score of 7.8 (HIGH):

  • Attack vector: Local (CLI-based exploitation)
  • Attack complexity: Low — once netadmin credentials are obtained, exploitation is straightforward
  • Privileges required: Low (netadmin is a legitimate operator-tier role)
  • User interaction: None
  • Impact: Complete — confidentiality, integrity, and availability of the SD-WAN Manager host

The “local” attack vector classification reflects that the CLI is the primary exploitation path. However, the SD-WAN Manager web API and remote management interfaces provide authenticated network access that effectively extends the reach of this vulnerability to remote attackers who have obtained or compromised netadmin credentials.

The downstream impact is the most significant dimension of this vulnerability. SD-WAN Manager is not merely a management host — it is the configuration authority for the entire SD-WAN fabric. Root access to SD-WAN Manager translates to the ability to:

  • Read all network configuration, routing policy, and VPN topology for the entire organisation
  • Push arbitrary configuration changes to all edge devices
  • Disrupt WAN connectivity across the managed fabric
  • Establish persistent access via configuration backdoors in edge device templates
  • Extract credentials and authentication material stored in the management platform

Affected Versions

Component | Affected Versions | Notes
Cisco Catalyst SD-WAN Manager | All versions in active use | No fixed release available
Deployment types | On-premises, Cloud-Pro, Cloud (Cisco Managed), FedRAMP | All deployment models affected

Patch status: Cisco has not yet released a fixed software version. Cisco’s advisory (cisco-sa-sdwan-privesc-4uxFrdzx) is the authoritative source for patch availability updates. Monitor this advisory actively.

Chaining risk: CVE-2026-20245 can be chained with CVE-2026-20182 and CVE-2026-20127 (separate SD-WAN Manager privilege escalation vulnerabilities) to construct a lower-privilege-to-root escalation path. All three should be treated as a combined risk surface.

Remediation Steps

No patch is available. Until Cisco releases a fix, containment must focus on access control and monitoring.

Immediate priority actions:

Restrict netadmin access aggressively. Audit all accounts with netadmin-level privileges on SD-WAN Manager. Apply the principle of least privilege — operators who do not require netadmin access should be downgraded. Enforce MFA on all remaining netadmin accounts without exception.

Isolate SD-WAN Manager from untrusted network access. SD-WAN Manager should never be internet-accessible. Ensure management access is restricted to trusted administrative networks or requires VPN with strong authentication. Review firewall rules for any exposure of the management interface to broader corporate networks or internet-facing zones.

Disable CLI access where not required. If direct CLI access to SD-WAN Manager is not required for daily operations, restrict or disable it. REST API and web UI access should be the primary interface for most operators.

Monitor for chaining with CVE-2026-20182 and CVE-2026-20127. If those vulnerabilities are also present in your environment, treat them as components of a single attack path. Review whether any compensating controls apply to both.

Engage Cisco TAC. Cisco is actively working on a patch and may have unpublished guidance or interim mitigations for supported customers. Open a case with Cisco TAC and monitor the advisory.

Apply the CISA KEV deadline context. Federal agencies are required to remediate by June 23, 2026. For non-federal organisations, the CISA deadline is a reasonable target for completing access control hardening and monitoring deployment even in the absence of a patch.

Detection Guidance

Detecting active exploitation of CVE-2026-20245 requires visibility into SD-WAN Manager host processes and configuration change events.

OS-level process monitoring on SD-WAN Manager: Enable process auditing on the SD-WAN Manager host. Look for unexpected child processes spawned by the SD-WAN Manager service — particularly shell processes (bash, sh), or network utilities launched by the application process. If you have EDR coverage on the SD-WAN Manager host, this is the primary detection surface.

Configuration change audit logging: SD-WAN Manager maintains an audit log of all template pushes and configuration changes. Review logs for configuration changes applied to edge devices originating from unexpected administrator accounts or at unusual times. In particular, look for template modifications that add user accounts, change authentication settings, introduce tunnels, or modify routing policy in ways inconsistent with normal operational change patterns.

Netadmin authentication review: Review authentication logs for SD-WAN Manager, focusing on netadmin account logins. Flag logins from unusual source IPs, at unusual hours, or with abnormal session patterns. Credential compromise is the prerequisite for exploitation.
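The two reviews above (configuration change audit and netadmin authentication) can be scripted against exported logs. The following is an added example, not SD-WAN Manager's own tooling: the event lines are constructed, the JSON field names (`ts`, `event`, `user`, `role`, `src`, `result`, `targets`, `template`) are assumptions to be mapped onto the real export schema, and the trusted networks, approved accounts and change window are a constructed organisational baseline.

```python
import ipaddress
import json
from datetime import datetime

# Constructed sample audit events in a JSON-lines shape chosen for this example.
# SD-WAN Manager's real audit and authentication logs have their own schema; the
# field names used here are assumptions.
SAMPLE_LOG = """\
{"ts": "2026-06-08T10:15:02Z", "event": "login", "user": "ops-alice", "role": "netadmin", "src": "10.20.0.15", "result": "success"}
{"ts": "2026-06-08T10:20:41Z", "event": "template_push", "user": "ops-alice", "targets": 12, "template": "branch-std"}
{"ts": "2026-06-09T02:47:10Z", "event": "login", "user": "svc-backup", "role": "netadmin", "src": "198.51.100.7", "result": "success"}
{"ts": "2026-06-09T02:51:33Z", "event": "template_push", "user": "svc-backup", "targets": 340, "template": "branch-std"}
{"ts": "2026-06-09T09:05:00Z", "event": "login", "user": "ops-bob", "role": "netadmin", "src": "10.20.0.22", "result": "failure"}
"""

# Constructed baseline: where admins normally connect from, who is expected to
# push templates, the approved change window (UTC hours) and a size threshold.
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.20.0.0/24")]
TEMPLATE_PUSH_ACCOUNTS = {"ops-alice", "ops-bob"}
CHANGE_WINDOW_UTC = range(7, 19)
LARGE_PUSH_THRESHOLD = 100   # pushes touching more devices than this are flagged


def parse_events(text: str) -> list:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def review(events: list) -> list:
    """Return findings as dicts with ts, user, reason and detail."""
    findings = []
    for ev in events:
        hour = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00")).hour
        if ev["event"] == "login" and ev.get("role") == "netadmin" and ev["result"] == "success":
            # Successful netadmin login from outside the administrative networks.
            src = ipaddress.ip_address(ev["src"])
            if not any(src in net for net in TRUSTED_ADMIN_NETS):
                findings.append({"ts": ev["ts"], "user": ev["user"],
                                 "reason": "netadmin login from untrusted source", "detail": ev["src"]})
        elif ev["event"] == "template_push":
            # Template pushes: wrong account, wrong time of day, or unusually wide blast radius.
            if ev["user"] not in TEMPLATE_PUSH_ACCOUNTS:
                findings.append({"ts": ev["ts"], "user": ev["user"],
                                 "reason": "template push by unexpected account", "detail": ev["template"]})
            if hour not in CHANGE_WINDOW_UTC:
                findings.append({"ts": ev["ts"], "user": ev["user"],
                                 "reason": "template push outside change window", "detail": f"hour={hour:02d}Z"})
            if ev.get("targets", 0) > LARGE_PUSH_THRESHOLD:
                findings.append({"ts": ev["ts"], "user": ev["user"],
                                 "reason": "template push to unusually many devices",
                                 "detail": f"targets={ev['targets']}"})
    return findings


if __name__ == "__main__":
    for f in review(parse_events(SAMPLE_LOG)):
        print(f"{f['ts']} {f['user']:<12} {f['reason']} ({f['detail']})")
```

On the constructed data the `svc-backup` account produces every finding: an out-of-hours login from an untrusted address followed minutes later by a fabric-wide template push. That sequence, a privileged login followed by a wide configuration push, is exactly the post-exploitation pattern the advisory describes, and correlating the two event types by account and time is more useful than reviewing either log alone.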

Edge device configuration drift: Compare the running configuration of SD-WAN edge devices against your known-good baseline. Unexpected configuration elements — particularly anything related to remote access, authentication, or routing — may indicate post-exploitation configuration push from a compromised SD-WAN Manager.
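A minimal drift check of the kind described above, as an added example (not Cisco tooling): it normalises a baseline and a running configuration, reports lines added or removed, and tags additions that touch authentication, remote access or routing. The two configurations are constructed in a generic CLI style and the classification patterns are assumptions; real edge device syntax differs, so the patterns must be adapted to the platform.

```python
import re

# Constructed baseline and running configurations for one edge device, written
# in a generic indented CLI style. Real device syntax differs; adapt the patterns.
BASELINE = """\
system
 host-name branch-01
 aaa
  user admin
 !
vpn 0
 interface ge0/0
  tunnel-interface
   encapsulation ipsec
"""

RUNNING = """\
system
 host-name branch-01
 aaa
  user admin
  user support
 !
vpn 0
 interface ge0/0
  tunnel-interface
   encapsulation ipsec
 ip route 0.0.0.0/0 203.0.113.1
"""

# Categories of configuration lines whose unexpected appearance deserves
# immediate review (assumed keywords; extend for the platform in use).
SENSITIVE = {
    "authentication": re.compile(r"^\s*(aaa|user |radius|tacacs|ssh)"),
    "remote-access": re.compile(r"^\s*(tunnel-interface|allow-service|ssh)"),
    "routing": re.compile(r"^\s*(ip route|ipv6 route|bgp|ospf)"),
}


def normalise(cfg: str) -> list:
    """Drop blank lines, section terminators and trailing whitespace so that
    cosmetic differences do not register as drift."""
    return [ln.rstrip() for ln in cfg.splitlines() if ln.strip() and ln.strip() != "!"]


def drift(baseline: str, running: str):
    """Return (added, removed) lines relative to the baseline. Comparison is
    set-based, so reordering is ignored and only content changes are reported."""
    base, run = normalise(baseline), normalise(running)
    base_set, run_set = set(base), set(run)
    added = [ln for ln in run if ln not in base_set]
    removed = [ln for ln in base if ln not in run_set]
    return added, removed


def classify(lines: list) -> list:
    """Tag each drift line with the sensitive categories it falls into."""
    out = []
    for ln in lines:
        cats = [name for name, rx in SENSITIVE.items() if rx.match(ln)]
        out.append({"line": ln.strip(), "categories": cats or ["other"]})
    return out


if __name__ == "__main__":
    added, removed = drift(BASELINE, RUNNING)
    for item in classify(added):
        print(f"ADDED   [{', '.join(item['categories'])}] {item['line']}")
    for ln in removed:
        print(f"REMOVED {ln.strip()}")
```

Run this per device against the baseline captured at the last approved change, and treat any hit in the authentication or remote-access categories as a priority review item; a new local user or a new default route appearing on many devices at once is consistent with a fabric-wide push from a compromised manager.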

Sigma rule — unexpected root process from SD-WAN Manager:

title: Unexpected Root Process Spawned by Cisco SD-WAN Manager
logsource:
  category: process_creation
  product: linux
detection:
  selection:
    ParentImage|contains: 'vmanage'
    User: 'root'
  filter_expected:
    Image|contains:
      - '/usr/bin/vmanage'
      - '/opt/cisco/vmanage'
  condition: selection and not filter_expected
falsepositives:
  - Legitimate maintenance operations — verify against change records
level: high
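The rule's logic, applied to process-creation events in code, as an added example rather than part of the original page or a Cisco tool. The events are constructed in a JSON-lines shape using the Sigma `linux` `process_creation` field names (`Image`, `ParentImage`, `User`, `CommandLine`); the `/opt/cisco/vmanage` paths are taken from the rule above and are assumptions, not verified locations on a real SD-WAN Manager host. It also adds a triage priority the Sigma rule does not express: shells, interpreters and download tools spawned by the management service as root are ranked above other unexpected children.

```python
import json

# Constructed process-creation events in a JSON-lines shape using the Sigma
# linux process_creation field names. The /opt/cisco/vmanage paths are taken from
# the rule above and are assumptions, not verified locations.
SAMPLE_EVENTS = """\
{"Image": "/opt/cisco/vmanage/bin/worker", "ParentImage": "/opt/cisco/vmanage/bin/vmanage-server", "User": "root", "CommandLine": "worker --task upload"}
{"Image": "/bin/sh", "ParentImage": "/opt/cisco/vmanage/bin/vmanage-server", "User": "root", "CommandLine": "sh -c ..."}
{"Image": "/usr/bin/curl", "ParentImage": "/opt/cisco/vmanage/bin/vmanage-server", "User": "root", "CommandLine": "curl ..."}
{"Image": "/usr/bin/cat", "ParentImage": "/opt/cisco/vmanage/bin/vmanage-server", "User": "root", "CommandLine": "cat /var/log/messages"}
{"Image": "/bin/bash", "ParentImage": "/usr/sbin/sshd", "User": "vmanage", "CommandLine": "bash"}
"""

# The Sigma rule's detection section expressed as data: the selection, the
# expected-image filter, and the 'contains' modifier both of them rely on.
RULE = {
    "selection": {"ParentImage|contains": "vmanage", "User": "root"},
    "filter_expected": {"Image|contains": ["/usr/bin/vmanage", "/opt/cisco/vmanage"]},
}

# Child images that warrant the highest triage priority when spawned by the
# management service as root (assumed list; extend to taste).
INTERACTIVE_OR_NETWORK = {"sh", "bash", "dash", "python", "python3", "perl", "curl", "wget", "nc", "ncat"}


def field_matches(event: dict, key: str, expected) -> bool:
    """Implements the two Sigma modifiers the rule uses: plain equality and
    |contains. A list of expected values means any one of them may match."""
    name, _, modifier = key.partition("|")
    value = event.get(name, "")
    values = expected if isinstance(expected, list) else [expected]
    if modifier == "contains":
        return any(v in value for v in values)
    return value in values


def rule_matches(event: dict, rule: dict = RULE) -> bool:
    """condition: selection and not filter_expected"""
    selection = all(field_matches(event, k, v) for k, v in rule["selection"].items())
    expected = all(field_matches(event, k, v) for k, v in rule["filter_expected"].items())
    return selection and not expected


def evaluate(text: str) -> list:
    """Return matching events with a triage priority attached."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if rule_matches(ev):
            child = ev["Image"].rsplit("/", 1)[-1]
            hits.append({
                "image": ev["Image"],
                "parent": ev["ParentImage"],
                "priority": "critical" if child in INTERACTIVE_OR_NETWORK else "high",
                "cmd": ev.get("CommandLine", ""),
            })
    return hits


if __name__ == "__main__":
    for h in evaluate(SAMPLE_EVENTS):
        print(f"[{h['priority']}] {h['parent']} -> {h['image']}  {h['cmd']}")
```

On the constructed events the in-tree worker process is suppressed by the filter, the `sshd`-spawned shell never enters the selection because its parent is not the management service, and the three root children of `vmanage-server` outside the expected paths are reported. The filter is a substring match, so the expected-path list should be kept as specific as the real install layout allows; a too-broad prefix would suppress an attacker's process simply because it was started from the same directory tree.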

Timeline

Date | Event
2026 (undisclosed) | CVE-2026-20245 discovered by Google Mandiant (Chester Sng, Pete Boonyakarn, Logeswaran Nadarajan)
June 2026 | Active exploitation observed; configuration changes pushed to edge devices
June 9, 2026 | CISA adds CVE-2026-20245 to KEV catalogue; Cisco advisory published (cisco-sa-sdwan-privesc-4uxFrdzx)
June 23, 2026 | CISA KEV remediation deadline for federal agencies
TBD | Cisco patch expected; monitor advisory for fixed release
