Critical Zero‑Day Privilege Escalation in Cisco Catalyst SD‑WAN Manager (CVE‑2026‑20245) Threatens Enterprise Networks
What It Is – A newly disclosed zero‑day (CVE‑2026‑20245) allows an attacker with netadmin privileges on Cisco Catalyst SD‑WAN Manager to upload a crafted file and execute arbitrary commands as root. The flaw stems from insufficient validation of CLI input.
Exploitability – Active exploitation observed in the wild; attackers must first obtain valid credentials or chain the exploit with CVE‑2026‑20182 or CVE‑2026‑20127. No patch or workaround is currently available; Cisco is working on a fix.
Affected Products – Cisco Catalyst SD‑WAN Manager (all deployment models: on‑prem, Cloud‑Pro, Cisco‑Managed Cloud, FedRAMP‑authorized Government).
TPRM Impact – The vulnerability can be leveraged to alter edge‑device configurations, potentially disrupting connectivity for any downstream third‑party services that rely on the SD‑WAN fabric. Organizations that embed Cisco SD‑WAN in their supply‑chain or as a managed service provider face heightened risk of service interruption and indirect exposure of customer data.
Recommended Actions –
- Immediately collect
admin-techlogs from every SD‑WAN control component before any upgrade. - Correlate collected logs with Cisco‑provided IOCs to detect possible compromise.
- Prioritize deployment of the interim fix for CVE‑2026‑20182 (the only available mitigation) and verify edge‑device configurations.
- Isolate any SD‑WAN nodes showing compromise indicators and engage Cisco TAC for bespoke remediation steps.
- Accelerate patch rollout once Cisco releases the official fix for CVE‑2026‑20245.
Source: Help Net Security