On June 4, 2026, Cisco published a high-severity security advisory detailing an authenticated, local privilege escalation vulnerability within the Command Line Interface (CLI) of Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage). The vulnerability arises from improper input validation, which permits command injection attacks. Cisco PSIRT has confirmed active exploitation in the wild as of June 2026, noting that successful exploitation has occasionally led to unauthorized configuration modifications being pushed down to edge devices.
Severity: High
Vulnerability Overview
- CVE ID: CVE-2026-20245
- Weakness Type: CWE-116 (Improper Encoding/Escaping of Output)
- CVSS Score: 7.8
- Exploitation Status: Active in the wild (Observed June 2026)
- Affected Products: Cisco Catalyst SD-WAN Manager, regardless of device configuration.
- Affected deployment types:
  - On-Prem Deployment
  - Cisco SD-WAN Cloud-Pro
  - Cisco SD-WAN Cloud (Cisco Managed)
  - Cisco SD-WAN for Government (FedRAMP)
Vulnerability Analysis & Attack Chain
- Mechanism: The flaw exists within the CLI component due to insufficient validation of user-supplied input.
- Attack Vector: An attacker must upload a crafted file to the affected system. This triggers a command injection flaw, granting arbitrary command execution as the root user.
- Prerequisites / Exploitation Requirements:
  - The attacker requires local access with netadmin privileges on the SD-WAN Manager system.
  - To obtain these privileges, threat actors have been observed using valid credentials or chaining the exploitation of the precursor vulnerabilities CVE-2026-20182 or CVE-2026-20127. Cisco reports no other known vectors for achieving the required privileges at this time.
Indicators of Compromise
Monitor /var/log/scripts.log for entries resembling:
- vmanage vScript: Tenant list upload per vsmart serial number:
- /usr/bin/vconfd_script_upload_tenant_list.sh -cli path
- /home/admin/.csv vpn 0
Note: These are legitimate command patterns; defenders must baseline normal activity in order to distinguish malicious use. No dedicated malicious signature exists.
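One defender-side way to apply that baseline, as an added example that is not from the advisory or from Cisco: it parses scripts.log entries built from the fragments quoted above and flags uploads that fall outside an assumed site baseline. The full line format of /var/log/scripts.log is not given in the advisory, so the timestamp prefix, the sample entries, the expected directory and the per-hour rate are all constructed assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Matches the tenant-list upload entry quoted in the advisory. The leading
# timestamp is an assumption: the advisory does not show the full line format.
UPLOAD_RE = re.compile(
    r"^(?P<ts>\S+) .*vmanage vScript: Tenant list upload per vsmart serial number:\s*"
    r"/usr/bin/vconfd_script_upload_tenant_list\.sh -cli path (?P<path>\S+) vpn (?P<vpn>\d+)"
)

# Constructed sample of /var/log/scripts.log entries (not real data).
SAMPLE_LOG = """\
2026-06-05T02:11:09 vmanage vScript: Tenant list upload per vsmart serial number: /usr/bin/vconfd_script_upload_tenant_list.sh -cli path /home/admin/tenants.csv vpn 0
2026-06-05T02:12:40 vmanage vScript: unrelated housekeeping script finished
2026-06-05T03:15:01 vmanage vScript: Tenant list upload per vsmart serial number: /usr/bin/vconfd_script_upload_tenant_list.sh -cli path /home/admin/tenants.csv vpn 0
2026-06-05T03:15:02 vmanage vScript: Tenant list upload per vsmart serial number: /usr/bin/vconfd_script_upload_tenant_list.sh -cli path /home/admin/tenants.csv vpn 0
2026-06-05T04:20:33 vmanage vScript: Tenant list upload per vsmart serial number: /usr/bin/vconfd_script_upload_tenant_list.sh -cli path /tmp/x.csv vpn 0
"""


def parse_uploads(log_text):
    """Return (timestamp, path, vpn) for every tenant-list upload entry."""
    events = []
    for line in log_text.splitlines():
        m = UPLOAD_RE.search(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["path"], m["vpn"]))
    return events


def find_anomalies(events, expected_dir="/home/admin/", max_per_hour=1):
    """Flag uploads outside the site baseline (both defaults are assumptions)."""
    findings = []
    # Check 1: the uploaded file should sit where the advisory's pattern puts it.
    for ts, path, _vpn in events:
        if not (path.startswith(expected_dir) and path.endswith(".csv")):
            findings.append(("unexpected_path", ts.isoformat(), path))
    # Check 2: uploads should not exceed the rate normal administration produces.
    per_hour = Counter(ts.replace(minute=0, second=0) for ts, _, _ in events)
    for hour, count in sorted(per_hour.items()):
        if count > max_per_hour:
            findings.append(("burst", hour.isoformat(), count))
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(parse_uploads(SAMPLE_LOG)):
        print(*finding)
```

Tune expected_dir and max_per_hour to what your own scripts.log shows during known-good administration before treating a finding as an indicator.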
Recommendations
- Patch: No fix available yet; monitor Cisco’s advisory for updates.
- Before upgrading, run request admin-tech on all SD-WAN control components to preserve forensic artifacts.
- After upgrading, review the logs for the IoCs above before assuming a clean state.
- If compromised, software update alone is insufficient. Engage Cisco TAC for specific remediation steps.
Source:
- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-privesc-4uxFrdzx