Cisco discloses 7th SD-WAN zero-day of 2026 (CVE-2026-20245) exploited for root on Catalyst SD-WAN Manager; no patch
Cisco disclosed CVE-2026-20245 on June 5, 2026, a privilege-escalation/command-injection zero-day in the command-line interface of Cisco Catalyst SD-WAN Manager, the seventh SD-WAN zero-day Cisco has confirmed exploited .
At a glance
- CVE-2026-20245 disclosed June 5, 2026; seventh Cisco SD-WAN zero-day confirmed exploited in 2026
- Authenticated attacker with 'netadmin' privileges can upload a crafted file and execute arbitrary commands as root
- No patch or workaround available at disclosure
- Cisco PSIRT observed 'limited cases' of unauthorized configuration changes pushed to edge devices
- Affects all deployment models: on-premises, Cloud-Pro, Cisco-Managed Cloud, Government
VERDICT — CONFIRMED
Cisco disclosed CVE-2026-20245 on June 5, 2026, a privilege-escalation/command-injection zero-day in the command-line interface of Cisco Catalyst SD-WAN Manager, the seventh SD-WAN zero-day Cisco has confirmed exploited in 2026. The flaw stems from insufficient validation of user-supplied input: an authenticated attacker holding 'netadmin' privileges can upload a crafted file and execute arbitrary commands as root. There was no patch or workaround available at disclosure.
Cisco's PSIRT confirmed active exploitation, observing 'limited cases' where exploitation resulted in unauthorized configuration changes being pushed to edge devices, a serious operational risk given SD-WAN Manager's role as the orchestration brain for distributed enterprise and government networks. The vulnerability affects all deployment models: on-premises, Cloud-Pro, Cisco-Managed Cloud, and Government. Critically, the bug chains with two earlier 2026 SD-WAN zero-days, CVE-2026-20182 and CVE-2026-20127, which attackers used to first obtain the netadmin foothold required to trigger CVE-2026-20245, evidence of a sustained, capable adversary methodically stacking Cisco SD-WAN flaws.
Mandiant discovered and reported the vulnerability to Cisco, an attribution that typically signals incident-response engagements at high-value or nation-state-targeted organizations. With no fix available, Cisco urged customers to collect admin-tech logs before any future upgrade, preserve evidence, hunt for unexplained configuration pushes to edge routers, and engage TAC if compromise is suspected. Seven exploited SD-WAN zero-days in under six months marks an extraordinary run against a single product family.
Key facts on file
- CVE-2026-20245 disclosed June 5, 2026; seventh Cisco SD-WAN zero-day confirmed exploited in 2026
- Authenticated attacker with 'netadmin' privileges can upload a crafted file and execute arbitrary commands as root
- No patch or workaround available at disclosure
- Cisco PSIRT observed 'limited cases' of unauthorized configuration changes pushed to edge devices
- Affects all deployment models: on-premises, Cloud-Pro, Cisco-Managed Cloud, Government
- Chains with earlier 2026 zero-days CVE-2026-20182 and CVE-2026-20127 used to obtain the netadmin foothold
- Mandiant discovered and reported the vulnerability
- Cisco urged collecting admin-tech logs, preserving evidence, hunting for unexplained config pushes, engaging TAC


