Cisco's SD-WAN Zero-Day Exploited: High-Severity Flaw Allows Root Command Execution
Cisco's Catalyst SD-WAN Manager is facing a high-severity vulnerability (CVE-2026-20245) actively exploited in the wild. This flaw allows authenticated local attackers to execute arbitrary commands as root by uploading a crafted file. The exploitation requires netadmin privileges, which can be obtained through compromised credentials or other vulnerabilities like CVE-2026-20182 and CVE-2026-20127. Cisco has not yet released patches but advises customers to collect admin-tech files for review before upgrading. Indicators of compromise include suspicious entries in the `/var/log/scripts.log` file.
Summary
Cisco's Catalyst SD-WAN Manager, a critical component for managing up to 6,000 devices from a single dashboard, is currently under threat due to a high-severity vulnerability (CVE-2026-20245). This flaw allows authenticated local attackers with netadmin privileges to execute arbitrary commands as root by uploading a crafted file. The exploitation of this vulnerability has been observed in limited cases, resulting in configuration changes pushed to edge devices. Cisco has not yet released patches for CVE-2026-20245 but advises customers to collect admin-tech files before upgrading to help identify potential compromises.
What Happened
The vulnerability stems from insufficient validation of user-supplied input within the CLI of Cisco Catalyst SD-WAN Manager, formerly known as SD-WAN vManage. Attackers can exploit this flaw by uploading a crafted file, leading to command injection attacks and privilege escalation to root. To exploit this vulnerability, attackers need netadmin privileges on the affected system, which can be obtained through compromised credentials or exploitation of other vulnerabilities like CVE-2026-20182 and CVE-2026-20127.
Technical Details
The core issue lies in the inadequate validation of user-supplied input within the CLI. This allows attackers to upload a crafted file that performs command injection attacks on the system, ultimately elevating their privileges to root. Cisco's advisory highlights that while the company is not aware of successful exploitation by other methods, it has observed limited cases where this vulnerability led to configuration changes being pushed to edge devices.
Affected Products and Fixed Versions
This vulnerability affects all deployment types of Cisco Catalyst SD-WAN Manager, including On-Prem Deployment, Cisco SD-WAN Cloud-Pro, Cisco SD-WAN Cloud (Cisco Managed), and Cisco SD-WAN for Government (FedRAMP). Cisco has not yet released a fixed software version but recommends that customers upgrade to the software that addresses CVE-2026-20182, which was published on May 14, 2026.
Exploitation Status
CVE-2026-20245 is actively exploited in the wild. Cisco's Product Security Incident Response Team (PSIRT) became aware of its exploitation in June after reports from Google Cloud cybersecurity subsidiary Mandiant. While no detailed information about the attacks has been shared, Cisco has provided indicators of compromise to help customers identify potential breaches.
Indicators of Compromise
Customers are advised to audit the `/var/log/scripts.log` file for suspicious entries that may indicate an attempt to exploit this vulnerability. An example entry:
Apr 15 09:44:57 vmanage vScript: Tenant list upload per vsmart serial number: /usr/bin/vconfd_script_upload_tenant_list.sh -cli path /home/admin/malicious.csv vpn 0
These entries correspond to a legitimate command, and the log alone cannot distinguish legitimate from malicious use. Customers should issue the `request admin-tech` command from each control component in their SD-WAN deployment before upgrading to preserve possible indicators of compromise.
Detection Opportunities
Security teams can detect potential exploitation by monitoring for unusual activity in the `/var/log/scripts.log` file. Regular audits of this log can help identify unauthorized configuration changes or attempts to upload tenant configuration data to vSmart controllers. Additionally, retaining relevant logs from before and after the software upgrade is crucial for verifying system integrity.
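Because the tenant-list upload entry is a legitimate command, the practical detection step is to extract every such invocation from `scripts.log` and reconcile it against what change management actually approved, rather than to pattern-match on the entry alone. The script below is an added example written for this page, not Cisco's tooling or part of the advisory: it parses lines in the shape of the advisory's single example entry (the line format and the regex are therefore an assumption), collects each invocation of `/usr/bin/vconfd_script_upload_tenant_list.sh` with the uploaded file path, and flags those whose path is not in a constructed allowlist of approved uploads. The sample log lines and the allowlist are constructed for the example.

```python
"""Triage tenant-list upload entries in Cisco Catalyst SD-WAN Manager scripts.log.

Added example (not Cisco's code). The line format is modelled on the advisory's
example entry; treat the regex as an assumption and adjust it to real captures.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Script named in the advisory's example entry.
UPLOAD_SCRIPT = "/usr/bin/vconfd_script_upload_tenant_list.sh"

# syslog-style timestamp, host, "vScript:", a description, then the script and its arguments.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) vScript: (?P<desc>[^:]*): (?P<script>\S+)(?P<args>.*)$"
)
# The uploaded file is passed as "... path <file> ..." in the example entry.
PATH_RE = re.compile(r"\bpath (?P<path>\S+)")

# Constructed sample log (modelled on the advisory's example line; not a real capture).
SAMPLE_LOG = """\
Apr 15 09:44:57 vmanage vScript: Tenant list upload per vsmart serial number: /usr/bin/vconfd_script_upload_tenant_list.sh -cli path /home/admin/malicious.csv vpn 0
Apr 15 09:50:12 vmanage vScript: Tenant list upload per vsmart serial number: /usr/bin/vconfd_script_upload_tenant_list.sh -cli path /home/admin/tenant_list.csv vpn 0
Apr 15 10:01:03 vmanage vScript: Some other job: /usr/bin/vconfd_script_other.sh -cli vpn 0
this line is not a vScript entry and must be ignored
"""

# Constructed allowlist: file paths that a change ticket actually authorised.
APPROVED_PATHS: Set[str] = {"/home/admin/tenant_list.csv"}


@dataclass
class UploadEvent:
    timestamp: str
    host: str
    script: str
    path: str
    approved: bool


def parse_line(line: str) -> Optional[dict]:
    """Return the named fields of a vScript entry, or None for any other line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(log_text: str, approved_paths: Set[str]) -> List[UploadEvent]:
    """Collect every tenant-list upload invocation and mark whether it was approved."""
    events: List[UploadEvent] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["script"] != UPLOAD_SCRIPT:
            continue
        pm = PATH_RE.search(rec["args"])
        path = pm.group("path") if pm else "<no path argument>"
        events.append(
            UploadEvent(rec["ts"], rec["host"], rec["script"], path, path in approved_paths)
        )
    return events


def unapproved(events: List[UploadEvent]) -> List[UploadEvent]:
    """Uploads with no matching change record: the ones an analyst should review first."""
    return [e for e in events if not e.approved]


if __name__ == "__main__":
    found = triage(SAMPLE_LOG, APPROVED_PATHS)
    print(f"{len(found)} tenant-list upload(s) found")
    for e in unapproved(found):
        print(f"REVIEW {e.timestamp} {e.host} uploaded {e.path} (no change record)")
```

Run it against the `scripts.log` copies preserved in the admin-tech bundle from each control component, once before the upgrade and again after, and feed the unapproved set into the incident review; an upload that nobody authorised is the signal worth escalating, while the bare presence of the entry is not.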
Timeline
- May 14, 2026: Cisco published a security advisory documenting the vulnerability and recommended actions.
- June 2026: Cisco's PSIRT became aware of CVE-2026-20245 exploitation through reports from Mandiant.
- Ongoing: Cisco has not yet released patches for this vulnerability but advises customers to collect admin-tech files before upgrading.
Why This Matters for Defenders
This vulnerability highlights the critical importance of validating user-supplied input and maintaining robust access controls within network management software. The ability of attackers to escalate privileges to root poses a significant threat, potentially allowing them to manipulate network configurations and compromise edge devices. For defenders, this underscores the need for continuous monitoring, timely patching, and thorough incident response planning.
What Remains Unclear
- Patch Availability: Cisco has not yet released patches for CVE-2026-20245.
- Exploitation Methods: While netadmin privileges are required, the full extent of other potential exploitation methods remains unclear.
- Impact Assessment: The exact impact and scope of observed exploitations are not fully detailed.
Defender Guidance
- Collect Admin-Tech Files: Before upgrading, issue the `request admin-tech` command from each control component in your SD-WAN deployment to collect the necessary files for review.
- Audit Logs: Regularly audit the `/var/log/scripts.log` file for suspicious entries that may indicate exploitation attempts.
- Monitor Network Activity: Implement continuous monitoring of network activity to detect unusual patterns or unauthorized access attempts.
- Verify Configurations: After upgrading, verify system configurations and check logs for indicators of compromise to ensure no breaches have occurred.
- Stay Informed: Keep abreast of any updates from Cisco regarding patches and additional advisories related to this vulnerability.
Sources
- https://www.bleepingcomputer.com/news/security/new-cisco-sd-wan-flaw-exploited-in-zero-day-attacks-to-gain-root/
- https://www.securityweek.com/cisco-warns-of-7th-sd-wan-zero-day-exploited-in-2026/
- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-privesc-4uxFrdzx
- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa2-v69WY2SW
- https://nvd.nist.gov/vuln/detail/CVE-2026-20245
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search=&field_date_added_wrapper=all&field_cve=&sort_by=field_date_added&items_per_page=All&url=&f%5B0%5D=vendor_project%3A801
