Full Report
Cisco has warned that a high-severity security flaw impacting Catalyst SD-WAN Manager has come under active exploitation. The vulnerability, tracked as CVE-2026-20245, carries a CVSS score of 7.8 out of a maximum of 10.0. It affects the following deployment types - On-Prem Deployment Cisco SD-WAN Cloud-Pro Cisco SD-WAN Cloud (Cisco Managed) Cisco SD-WAN for Government (FedRAMP) "A
Analysis Summary
# Vulnerability: Cisco Catalyst SD-WAN Manager Command Injection & Privilege Escalation
## CVE Details
- **CVE ID:** CVE-2026-20245
- **CVSS Score:** 7.8 (High)
- **CWE:** Improper Validation of User-Supplied Input (Command Injection)
## Affected Systems
- **Products:** Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage)
- **Versions:** All versions currently in deployment types listed below.
- **Configurations:**
- On-Prem Deployment
- Cisco SD-WAN Cloud-Pro
- Cisco SD-WAN Cloud (Cisco Managed)
- Cisco SD-WAN for Government (FedRAMP)
## Vulnerability Description
A vulnerability exists in the Command Line Interface (CLI) of the Cisco Catalyst SD-WAN Manager due to insufficient validation of user-supplied input. An authenticated attacker with **netadmin** privileges can exploit this by uploading a specially crafted file to the system. Successful exploitation allows the attacker to perform command injection and execute arbitrary commands with **root** privileges.
## Exploitation
- **Status:** Exploited in the wild (Limited active exploitation observed).
- **Complexity:** Low (Targeting users with existing high-level privileges).
- **Attack Vector:** Local (Requires authenticated CLI access).
- **Note:** While the vector is local, attackers are chaining this with remote authentication bypass flaws (CVE-2026-20182 or CVE-2026-20127) to gain the necessary credentials.
## Impact
- **Confidentiality:** High (Root-level access to the Manager).
- **Integrity:** High (Ability to push configuration changes to edge devices).
- **Availability:** High (Full control over the SD-WAN management plane).
## Remediation
### Patches
- **No patches are currently available** for CVE-2026-20245 as of June 6, 2026.
### Workarounds
- There are no specific workarounds for the vulnerability itself.
- **Critical Mitigation:** Users must immediately patch for **CVE-2026-20182** (released May 14, 2026). This prevents the remote authentication bypass used to gain the "netadmin" privileges required to exploit CVE-2026-20245.
## Detection
Users should inspect the `/var/log/scripts.log` file for suspicious entries involving script uploads or malicious file paths.
**Indicators of Compromise (IoCs):**
- `/usr/bin/vconfd_script_upload_tenant_list.sh -cli path /home/admin/malicious.csv`
- Unusual activity involving `-cli path` arguments pointing to `/home/admin/`.
## References
- **Cisco Security Advisory:** hxxps[://]sec[.]cloudapps[.]cisco[.]com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-privesc-4uxFrdzx
- **The Hacker News Article:** hxxps[://]thehackernews[.]com/2026/06/cisco-catalyst-sd-wan-manager-cve-2026[.]html
- **Related Auth Bypass Info:** hxxps[://]thehackernews[.]com/2026/05/cisco-catalyst-sd-wan-controller-auth[.]html