Cisco has disclosed a new zero-day vulnerability, tracked as CVE-2026-20245, that affects Cisco Catalyst SD-WAN Manager. The flaw has already been exploited in real-world attacks before a security update was available. According to Cisco, the issue allows attackers to gain root-level access, giving them complete control over the affected system once the attack succeeds. This vulnerability impacts organizations that rely on Cisco SD-WAN to manage their enterprise networks.

The vulnerability exists because the software does not properly validate user-supplied input during a file upload process. An attacker with NetAdmin privileges can upload a specially crafted file that triggers command injection on the device. If the attack is successful, the malicious user can execute commands as the root user, which is the highest level of privilege available on the operating system. This level of access can allow full control over the SD-WAN Manager.

Cisco confirmed that the vulnerability is not an initial access flaw by itself. Before exploiting CVE-2026-20245, attackers must already have NetAdmin privileges on the target device. Those privileges may be obtained using valid stolen credentials or by exploiting previously disclosed Cisco SD-WAN vulnerabilities, including CVE-2026-20182 and CVE-2026-20127. Cisco stated that it has not observed any successful attacks using other methods to exploit this vulnerability.

Security researchers from Mandiant discovered the attacks while investigating a targeted intrusion involving a service provider. During the investigation, they found that attackers used the zero-day flaw to elevate privileges from an already compromised administrator account to full root access. After gaining complete control, the attackers removed malicious files, cleaned up system changes, and deleted evidence in an attempt to hide their activities and make detection more difficult.

Cisco said the vulnerability affects all deployment models of Cisco Catalyst SD-WAN Manager. This includes on-premises installations, Cloud-Pro deployments, Cisco Managed Cloud environments, and FedRAMP Government Cloud deployments. Since SD-WAN Manager controls network configurations across many branch offices and remote locations, a successful compromise can have a much wider impact than a single device, potentially affecting the entire managed network infrastructure.

At the time Cisco first disclosed the vulnerability, no software patch or workaround was available to stop exploitation. The company instead advised customers to collect diagnostic data, review published indicators of compromise, and inspect systems for signs of unauthorized activity. Cisco also recommended checking whether attackers had pushed unexpected configuration changes to managed edge devices, as these could indicate that the management platform had already been compromised.

Network administrators are encouraged to protect privileged accounts by enforcing strong authentication, limiting administrative access, and monitoring file uploads and system logs for suspicious behavior. Organizations should also ensure that previously disclosed Cisco SD-WAN vulnerabilities are fully patched because attackers may chain older flaws with CVE-2026-20245 to gain the required administrative privileges before escalating to root access.
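One way to turn the two review steps above (spotting unexpected configuration pushes to managed edge devices, and spotting a file upload followed shortly by root-level activity from the same account) into a small audit script. This is an added example, not Cisco's or Mandiant's code; the audit-record layout, account names, change window and the sample records themselves are constructed assumptions, not Cisco's log schema.

```python
from datetime import datetime, timedelta

# Constructed sample audit records in a simplified hypothetical format (not Cisco's log schema).
# Fields: timestamp, account, event, detail (uploaded file name or target edge device).
RECORDS = [
    ("2026-03-02T02:10:00", "svc-backup", "file_upload", "report.tgz"),
    ("2026-03-02T02:10:45", "svc-backup", "root_session", "uid=0 shell opened"),
    ("2026-03-02T02:12:00", "svc-backup", "config_push", "edge-branch-17"),
    ("2026-03-02T10:00:00", "changemgr", "config_push", "edge-branch-03"),
    ("2026-03-02T11:30:00", "netops1", "file_upload", "firmware.bin"),
]

APPROVED_PUSHERS = {"changemgr"}      # accounts expected to push edge configs (assumption)
MAINTENANCE_HOURS = range(9, 18)      # approved change window, local hours (assumption)
ESCALATION_WINDOW = timedelta(minutes=5)

def parse(record):
    ts, user, event, detail = record
    return datetime.fromisoformat(ts), user, event, detail

def find_upload_to_root(records, window=ESCALATION_WINDOW):
    """Flag a file upload followed within `window` by a root-level session from the same account."""
    findings = []
    parsed = sorted(parse(r) for r in records)
    uploads = [(ts, user, detail) for ts, user, event, detail in parsed if event == "file_upload"]
    for ts, user, event, detail in parsed:
        if event != "root_session":
            continue
        for uts, uuser, uname in uploads:
            if uuser == user and timedelta(0) <= ts - uts <= window:
                findings.append(f"{user}: upload of {uname} at {uts} followed by root session at {ts}")
    return findings

def find_unexpected_pushes(records, approved=APPROVED_PUSHERS, hours=MAINTENANCE_HOURS):
    """Flag config pushes to edge devices by unapproved accounts or outside the change window."""
    findings = []
    for ts, user, event, target in (parse(r) for r in records):
        if event != "config_push":
            continue
        if user not in approved or ts.hour not in hours:
            findings.append(f"{user}: config push to {target} at {ts}")
    return findings

if __name__ == "__main__":
    for finding in find_upload_to_root(RECORDS) + find_unexpected_pushes(RECORDS):
        print("ALERT", finding)
```

Both rules are deliberately narrow; in practice the approved-account list and change window come from your change-management records, and any hit is a trigger for the incident response investigation described below, not a verdict on its own.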

Cisco has since acknowledged the seriousness of the attacks and credited Mandiant for responsibly reporting the vulnerability. The company is working to provide security updates and continues to publish guidance for affected customers. Security experts recommend applying Cisco’s fixes as soon as they become available and conducting a full incident response investigation if there is any indication that a Cisco Catalyst SD-WAN Manager system has already been compromised.

Stay alert, and keep your security measures updated!