Zero‑Day in Cisco Catalyst SD‑WAN Manager (CVE‑2026‑20245) Enables Root Privilege Escalation
What It Is — Cisco disclosed a high‑severity, unpatched zero‑day (CVE‑2026‑20245) in the Catalyst SD‑WAN Manager that allows a local attacker with net‑admin rights to execute arbitrary commands as root. Active exploitation has been observed in the wild.
Exploitability — Exploits are confirmed in the wild; a proof‑of‑concept exists via crafted file upload. CVSS v3.1 score ≈ 9.8 (Critical).
Affected Products — Cisco Catalyst SD‑WAN Manager (on‑prem, SD‑WAN Cloud‑Pro, Cisco‑Managed Cloud, FedRAMP‑authorized SD‑WAN).
TPRM Impact — Organizations that rely on Cisco SD‑WAN as a managed service or embed it in their own network stack face immediate risk of network control compromise, potential downstream service disruption for customers, and exposure of internal traffic flows.
Recommended Actions —
- Verify whether any Cisco SD‑WAN Manager instances are running a vulnerable version.
- Apply the interim mitigation: upgrade to the version that patches CVE‑2026‑20182 (released May 14) and restrict net‑admin access.
- Collect and review /var/log/scripts.log for the IOC pattern shown by Cisco.
- Open a case with Cisco TAC and obtain the latest admin‑tech files for forensic analysis.
- Prioritize patch deployment as soon as Cisco releases a fix for CVE‑2026‑20245.