THU 02 JUL 2026 · GMT EDITION A WHITESTONE INTELLIGENCE PUBLICATION
MARKETS · CYBER · MEMOS · MODELS
DAILY ISSUES26 MAY27 MAY28 MAY29 MAY30 MAY31 MAY01 JUN02 JUN03 JUN04 JUN05 JUN06 JUN07 JUN08 JUN09 JUN10 JUN11 JUN12 JUN13 JUN14 JUN15 JUN16 JUN17 JUN18 JUN19 JUN21 JUN22 JUN23 JUN24 JUN25 JUN26 JUN27 JUN28 JUN29 JUN30 JUN01 JUN02 JUNALL ›
FRONT PAGE / CYBER / CYB-2026-06-004
CYBER · cves zero days · 2026-06-05SCOOP 82

Cisco discloses 7th SD-WAN zero-day of 2026 (CVE-2026-20245) exploited for root on Catalyst SD-WAN Manager; no patch

Cisco disclosed CVE-2026-20245 on June 5, 2026, a privilege-escalation/command-injection zero-day in the command-line interface of Cisco Catalyst SD-WAN Manager, the seventh SD-WAN zero-day Cisco has confirmed exploited .

·FILED ISSUE 2026-06-05·1 MIN READ·RE-VERIFIED 2026-07-02 UTC·✓ RE-VERIFIED 2026-07-02

At a glance

  • CVE-2026-20245 disclosed June 5, 2026; seventh Cisco SD-WAN zero-day confirmed exploited in 2026
  • Authenticated attacker with 'netadmin' privileges can upload a crafted file and execute arbitrary commands as root
  • No patch or workaround available at disclosure
  • Cisco PSIRT observed 'limited cases' of unauthorized configuration changes pushed to edge devices
  • Affects all deployment models: on-premises, Cloud-Pro, Cisco-Managed Cloud, Government

VERDICT — CONFIRMED

high confidence · primary + corroborating sources verified · re-verified 2026-07-02 UTC
Cisco discloses 7th SD-WAN zero-day of 2026 (CVE-2026-20245) exploited for root on Catalys
Image via primary source

Cisco disclosed CVE-2026-20245 on June 5, 2026, a privilege-escalation/command-injection zero-day in the command-line interface of Cisco Catalyst SD-WAN Manager, the seventh SD-WAN zero-day Cisco has confirmed exploited in 2026. The flaw stems from insufficient validation of user-supplied input: an authenticated attacker holding 'netadmin' privileges can upload a crafted file and execute arbitrary commands as root. There was no patch or workaround available at disclosure.

Cisco's PSIRT confirmed active exploitation, observing 'limited cases' where exploitation resulted in unauthorized configuration changes being pushed to edge devices, a serious operational risk given SD-WAN Manager's role as the orchestration brain for distributed enterprise and government networks. The vulnerability affects all deployment models: on-premises, Cloud-Pro, Cisco-Managed Cloud, and Government. Critically, the bug chains with two earlier 2026 SD-WAN zero-days, CVE-2026-20182 and CVE-2026-20127, which attackers used to first obtain the netadmin foothold required to trigger CVE-2026-20245, evidence of a sustained, capable adversary methodically stacking Cisco SD-WAN flaws.

Mandiant discovered and reported the vulnerability to Cisco, an attribution that typically signals incident-response engagements at high-value or nation-state-targeted organizations. With no fix available, Cisco urged customers to collect admin-tech logs before any future upgrade, preserve evidence, hunt for unexplained configuration pushes to edge routers, and engage TAC if compromise is suspected. Seven exploited SD-WAN zero-days in under six months marks an extraordinary run against a single product family.

Key facts on file

  • CVE-2026-20245 disclosed June 5, 2026; seventh Cisco SD-WAN zero-day confirmed exploited in 2026
  • Authenticated attacker with 'netadmin' privileges can upload a crafted file and execute arbitrary commands as root
  • No patch or workaround available at disclosure
  • Cisco PSIRT observed 'limited cases' of unauthorized configuration changes pushed to edge devices
  • Affects all deployment models: on-premises, Cloud-Pro, Cisco-Managed Cloud, Government
  • Chains with earlier 2026 zero-days CVE-2026-20182 and CVE-2026-20127 used to obtain the netadmin foothold
  • Mandiant discovered and reported the vulnerability
  • Cisco urged collecting admin-tech logs, preserving evidence, hunting for unexplained config pushes, engaging TAC

PRIMARY SOURCE

Help Net Security — Zeljka Zorz (2026-06-05)
· fetched at filing · archived at publication
Share
Filed by the Cyber desk · verified by the verification desk · re-verified 2026-07-02 · Our standards: the two-source rule ›
CITE THIS FILE — The Dossier Wire · cyb-2026-06-004 · filed 2026-06-05 · https://thedwire.com/wire/cyb-2026-06-004-cisco-discloses-7th-sd-wan-zero-day-of-2026-cve-2026-20245.html · Primary and corroborating sources listed above; archived at publication. Republishing & licensing: hello@thedwire.com.
More from Cyber FULL DESK ›
May 2026 ransomware leak-site data: 661 attacks, ~115TB stolen; Qilin (97), The
CYBER · SCOOP 68

May 2026 ransomware leak-site data: 661 attacks, ~115TB stolen; Qilin (97), The Gentlemen (71), DragonForce (51) lead

Ransomware leak-site activity rose modestly in May 2026, with 661 incidents tracked globally (Comparitech data via Industrial Cyber), a 3% increase over April's 640, and nearly 115 TB of data claimed stolen across reported attacks. Qilin remained the most active operation with 97 claimed attacks, though down about 10% from April's 108; Th

✓ verifiedSOURCE ↗
READ THE FILE ›
Meta, Microsoft and DOJ-led strike force dismantles Southeast Asian scam-center
Meta
CYBER · SCOOP 71

Meta, Microsoft and DOJ-led strike force dismantles Southeast Asian scam-center infrastructure; 63 arrested

Meta, Microsoft, Coinbase, SpaceX and other technology companies announced a joint disruption of criminal scam networks in Southeast Asia alongside the U.S. Department of Justice, the FBI and the Royal Thai Police, in coordinated operations spanning Washington, D.C. and Bangkok. The action, unveiled overnight into June 4, followed the fir

✓ verifiednewSOURCE ↗
READ THE FILE ›
Critical Magento RCE CVE-2026-45247 in Mirasvit Cache Warmer exploited within da
CYBER · SCOOP 74

Critical Magento RCE CVE-2026-45247 in Mirasvit Cache Warmer exploited within days; CISA adds to KEV June 3

CISA added CVE-2026-45247 to its Known Exploited Vulnerabilities catalog on June 3, 2026, a critical (CVSS 9.8) PHP object-injection / deserialization-of-untrusted-data flaw in the Mirasvit Full Page Cache Warmer extension for Magento 2 (Adobe Commerce). Unauthenticated attackers can achieve remote code execution by supplying a crafted se

✓ verifiedSOURCE ↗
READ THE FILE ›

The morning wire in your inbox — every brief, primary sources linked, no noise.

Free tier. The Wire — continuous desk briefs · Records archive · Bureau alerts.

Stored to the wire's subscriber list. No spam, unsubscribe any time.