Critical Privilege Escalation in Cisco SD‑WAN Manager (CVE‑2026‑20245) Enables Root Access Across All Deployments
What It Is – Cisco disclosed CVE‑2026‑20245, a file‑upload command‑injection flaw in Cisco Catalyst SD‑WAN Manager (formerly vManage). An attacker with netadmin privileges can execute arbitrary commands as the root user, potentially altering edge‑device configurations.
Exploitability – The vulnerability scores 7.8 (CVSS v3.1) and is actively exploitable once valid credentials are obtained. No public exploit code is known, but the flaw can be chained with previously disclosed credential‑theft bugs (CVE‑2026‑20182, CVE‑2026‑20127). No patch or workaround is currently available.
Affected Products – Cisco Catalyst SD‑WAN Manager across all deployment models: on‑premises, Cisco SD‑WAN Cloud‑Pro, Cisco‑managed cloud, and FedRAMP‑authorized environments.
TPRM Impact –
- Core network control plane compromise can cascade to downstream SaaS and cloud services used by third‑party vendors.
- Unauthorized configuration changes may disrupt business continuity for customers relying on the SD‑WAN fabric.
- Absence of a fix forces organizations to operate with a high‑severity, unmitigated risk, complicating supplier risk assessments.
Recommended Actions –
- Enforce strict netadmin credential hygiene (rotate passwords, enable MFA, audit privileged accounts).
- Run the Cisco “admin‑tech” diagnostic on every SD‑WAN component immediately, as advised in the May 14 advisory.
- Continuously monitor /var/log/scripts.log for vconfd_script_upload_tenant_list.sh entries and compare against a known‑good baseline.
- Open a TAC case for any suspected compromise and follow Cisco’s remediation guidance.
- Prioritize upgrade to the forthcoming patched release; consider network segmentation to limit the blast radius of a potential breach.
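The log‑monitoring step above, as an added example that is not part of the advisory or of Cisco's own tooling: a small baseline comparison that pulls every scripts.log entry mentioning vconfd_script_upload_tenant_list.sh, strips the timestamp, fingerprints the rest, and reports any entry whose fingerprint was not seen during a known‑good period. The page gives only the log path and the script name; the line layout (ISO timestamp followed by key=value fields), the sample lines, the user names and the function names are assumptions constructed for the example.

```python
import hashlib
import re
from typing import Iterable

# Both values are taken from the advisory text.
SCRIPT_NAME = "vconfd_script_upload_tenant_list.sh"
LOG_PATH = "/var/log/scripts.log"

# Assumption: each line starts with an ISO-8601 timestamp followed by key=value
# fields. The real layout of scripts.log is not documented on the page.
TIMESTAMP_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\S*\s+")

# Constructed known-good lines captured during normal operation (not real data).
BASELINE_LOG = """\
2026-05-14T10:02:11 user=netadmin script=vconfd_script_upload_tenant_list.sh tenant=default rc=0
2026-05-14T11:40:07 user=netadmin script=other_maintenance.sh tenant=default rc=0
"""

# Constructed lines from a later collection; the last one comes from an account
# that never ran the script during the baseline window.
SAMPLE_LOG = """\
2026-05-15T03:17:02 user=netadmin script=vconfd_script_upload_tenant_list.sh tenant=default rc=0
2026-05-15T03:17:03 user=tmp_admin script=vconfd_script_upload_tenant_list.sh tenant=default rc=0
2026-05-15T09:12:44 user=netadmin script=vconfd_script_upload_tenant_list.sh tenant=default rc=0
2026-05-15T09:13:10 user=netadmin script=other_maintenance.sh tenant=default rc=0
"""


def extract_entries(lines: Iterable[str], script: str = SCRIPT_NAME) -> list[str]:
    """Keep only lines that mention the monitored script, with whitespace normalised."""
    return [" ".join(line.split()) for line in lines if script in line]


def fingerprint(entry: str) -> str:
    """Hash an entry with its timestamp removed, so routine repeated runs match
    the baseline and only a change in who ran what, and how, stands out."""
    body = TIMESTAMP_RE.sub("", entry, count=1)
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def build_baseline(lines: Iterable[str]) -> set[str]:
    """Fingerprints of every script entry seen during a known-good period."""
    return {fingerprint(e) for e in extract_entries(lines)}


def find_deviations(lines: Iterable[str], baseline: set[str]) -> list[str]:
    """Script entries whose fingerprint was never seen in the baseline."""
    return [e for e in extract_entries(lines) if fingerprint(e) not in baseline]


def scan_file(path: str, baseline: set[str]) -> list[str]:
    """Read a collected copy of the log and report entries outside the baseline."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return find_deviations(fh, baseline)


if __name__ == "__main__":
    known_good = build_baseline(BASELINE_LOG.splitlines())
    for entry in find_deviations(SAMPLE_LOG.splitlines(), known_good):
        print("REVIEW:", entry)
```

Build the baseline from a copy of the log collected before the advisory date, keep it off the appliance, and feed `scan_file` a freshly collected copy of /var/log/scripts.log on each run; anything it reports is an entry to review by hand and, if unexplained, to raise with TAC as the advisory recommends. Because the comparison is by fingerprint rather than by count, a repeated legitimate run does not fire, while a run by an unexpected account or with unexpected parameters does.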
Source: Security Affairs – Cisco SD‑WAN Has a New Root‑Level Problem, and There’s No Fix Yet