Critical Remote Code Execution in Cisco Catalyst SD‑WAN Manager (CVE‑2026‑20245) Actively Exploited – No Patch
What It Is – Cisco disclosed a high‑severity flaw (CVE‑2026‑20245) in its Catalyst SD‑WAN Manager that allows unauthenticated attackers to execute arbitrary code on the management plane. The vulnerability affects both on‑premises and cloud‑based SD‑WAN deployments.
Exploitability – Threat actors are already exploiting the bug in the wild; a proof‑of‑concept has been observed. The CVSS v3.1 base score is 7.8 (High). No vendor‑issued patch or mitigation exists at the time of writing.
Affected Products – Cisco Catalyst SD‑WAN Manager across the following deployment models:
- On‑Premises SD‑WAN Manager
- Cisco SD‑WAN Cloud‑Pro
- Cisco SD‑WAN Cloud (Cisco‑managed)
- Cisco SD‑WAN for Government (FedRAMP)
TPRM Impact – Organizations that rely on Cisco SD‑WAN as a critical networking layer face supply‑chain exposure: a compromised manager can pivot to downstream routers, alter traffic flows, and exfiltrate data, potentially disrupting services for multiple downstream customers.
Recommended Actions –
- Isolate any Cisco SD‑WAN Manager instances from the internet and restrict management access to trusted IPs.
- Enable strict logging and real‑time monitoring for anomalous API calls or configuration changes.
- Engage Cisco Account Teams immediately for any unofficial mitigations or temporary workarounds.
- Assess downstream dependencies (branch routers, firewalls, SaaS services) for lateral movement risk.
- Develop an incident‑response playbook that includes network segmentation and rapid rollback of SD‑WAN policies.
Source: The Hacker News