
· security cisco cve network zero-day enterprise devops

Cisco Confirms Seventh SD-WAN Zero-Day of 2026: CVE-2026-20245 Is Being Exploited With No Patch in Sight

Source: The Hacker News

Cisco has issued an advisory confirming that CVE-2026-20245, a high-severity command injection vulnerability in the CLI of Cisco Catalyst SD-WAN Manager, is being actively exploited. No patch exists and no workaround is available. The vulnerability has a CVSS score of 7.8 and affects every Cisco Catalyst SD-WAN deployment model: on-premises, Cloud-Pro, Cisco-Managed Cloud, and FedRAMP government environments.

This is the seventh Cisco SD-WAN zero-day confirmed exploited in 2026.

What the Vulnerability Does

CVE-2026-20245 is a command injection flaw in the SD-WAN Manager CLI. An attacker who already holds netadmin privileges on an affected system can upload a crafted file and execute arbitrary commands as root. The root cause is insufficient validation of user-supplied input in the CLI’s file-handling routines.

The privilege prerequisite is important context: this is not an unauthenticated remote code execution vulnerability. To exploit it, an attacker must first have valid netadmin credentials. However, Cisco’s advisory notes that observed exploitation has involved chaining this flaw with earlier SD-WAN vulnerabilities, specifically CVE-2026-20182 and CVE-2026-20127, which can be used to gain the necessary access level without a legitimately issued credential.

In confirmed incidents, attackers used the root access obtained through CVE-2026-20245 to push modified configurations to edge devices connected to the compromised SD-WAN Manager instance. That means the blast radius of a successful exploit is not confined to the Manager itself. It extends to every device in the SD-WAN fabric the Manager controls.

Why This Pattern Is Particularly Dangerous

SD-WAN Manager occupies a privileged position in network architecture. It is the control plane for branch connectivity, and in hybrid cloud environments it often manages routing policy for connections between on-premises networks and cloud VPCs. An attacker with root access and the ability to push configuration changes can redirect traffic, insert themselves into network paths, or create persistent access mechanisms that survive device reboots and standard incident response procedures.

The pattern of chaining SD-WAN vulnerabilities also reflects a shift in attacker tradecraft. Cisco disclosed six previous SD-WAN zero-days in 2026 before this one. Organisations that patched the earlier flaws but have not isolated or hardened their SD-WAN Manager deployment have still reduced their attack surface, but they have not eliminated it. An attacker with compromised third-party credentials, a phishing-obtained VPN session, or access to a vendor support account can still reach the SD-WAN Manager CLI.

No Patch, No Workaround: What Organisations Can Do Now

Cisco’s PSIRT has confirmed that no patch is available and no configuration workaround eliminates the vulnerability. The recommended response centres on three areas:

Harden access to SD-WAN Manager. Restrict CLI access to dedicated management networks with strict firewall rules. If CLI access is currently permitted from broad IP ranges or over the general corporate network, that exposure should be eliminated immediately. Multi-factor authentication on all netadmin accounts should be verified and enforced.

Preserve forensic evidence. Before making any changes to affected systems, capture current logs, running configurations, and forensic images where possible. Cisco’s guidance emphasises evidence preservation as a first step, partly because active exploitation may have already introduced persistence mechanisms that will be harder to identify after configuration changes are made.

Conduct a compromise review. Organisations should examine SD-WAN Manager audit logs for unexpected file uploads, unexpected configuration pushes to edge devices, and authentication events from unfamiliar source addresses or at unusual times. The key indicators are configuration changes that were not initiated by known administrators and successful CLI sessions that do not correspond to logged change-management activity.
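The review described above, expressed as triage logic over constructed audit events, as an added example that is not from Cisco's advisory or the original report. The pipe-delimited log format, field names, management subnet and change-management records are all hypothetical placeholders, since the real SD-WAN Manager audit schema is not given here.

```python
# Added example, not from the advisory: triage of constructed audit events against
# a change record. Log format, field names and subnet are hypothetical placeholders.
import ipaddress
from datetime import datetime

# Constructed sample audit events: "timestamp|user|source_ip|action|detail"
AUDIT_LOG = """\
2026-05-04T09:12:03|alice|10.10.50.21|cli_login|success
2026-05-04T09:15:40|alice|10.10.50.21|config_push|site=branch-07
2026-05-04T02:47:11|svc_backup|203.0.113.44|cli_login|success
2026-05-04T02:49:30|svc_backup|203.0.113.44|file_upload|name=update.tar
2026-05-04T02:51:02|svc_backup|203.0.113.44|config_push|site=branch-12
2026-05-04T11:03:55|bob|10.10.50.22|cli_login|success
""".strip().splitlines()

# Constructed change-management record: who was approved to work, and when.
APPROVED_CHANGES = [
    {"user": "alice", "start": "2026-05-04T09:00:00", "end": "2026-05-04T10:00:00"},
]
MGMT_NET = ipaddress.ip_network("10.10.50.0/24")  # hypothetical management subnet
BUSINESS_HOURS = range(7, 20)                     # 07:00-19:59, hypothetical

def parse_event(line):
    ts, user, src, action, detail = line.split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "src": ipaddress.ip_address(src), "action": action, "detail": detail}

def has_approved_change(event):
    """True if the event falls inside a change window approved for that user."""
    return any(c["user"] == event["user"]
               and datetime.fromisoformat(c["start"]) <= event["ts"] <= datetime.fromisoformat(c["end"])
               for c in APPROVED_CHANGES)

def review_audit_log(lines):
    """Return (timestamp, user, reason) triples for the indicators named in the text:
    uploads, pushes and CLI logins with no matching change record, and logins
    from outside the management network or outside business hours."""
    findings = []
    for ev in map(parse_event, lines):
        reasons = []
        if ev["action"] in ("file_upload", "config_push", "cli_login") and not has_approved_change(ev):
            reasons.append(f"{ev['action']} without matching change record")
        if ev["action"] == "cli_login":
            if ev["src"] not in MGMT_NET:
                reasons.append(f"cli_login from non-management source {ev['src']}")
            if ev["ts"].hour not in BUSINESS_HOURS:
                reasons.append("cli_login outside business hours")
        findings.extend((ev["ts"].isoformat(), ev["user"], r) for r in reasons)
    return findings
```

On the constructed input, alice's approved session produces no findings; the svc_backup session is flagged three times (off-hours, non-management source, no change record) plus once each for its upload and push, and bob's login is flagged for having no change record.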

Organisations that identify signs of compromise should engage Cisco TAC directly. Cisco has committed to working with confirmed victims on targeted remediation steps.

European Enterprise Exposure

SD-WAN deployments are common across European enterprises managing multi-site operations, retail branch networks, and hybrid cloud connectivity. Managed service providers that deliver SD-WAN as part of their networking portfolio are also in scope. For MSPs, a compromised SD-WAN Manager instance could expose not just their own infrastructure but the networks of every customer managed through that platform.

NIS2, which became enforceable across EU member states in 2025, requires covered entities to have measures in place for network and information system security, and to report significant incidents to national authorities. An SD-WAN compromise that results in traffic redirection or data exfiltration would qualify as a significant incident under most national NIS2 implementations. The obligation to issue an early warning to the competent authorities within 24 hours, and to submit a detailed incident report within 72 hours, applies from the moment an organisation has reason to believe a significant incident has occurred.

The Broader SD-WAN Security Picture

Seven zero-days in a single product family in six months represents a sustained targeting pattern rather than isolated research findings. Threat intelligence from the observed exploitation cases suggests organised actors with specific interest in network control plane access. The ability to manipulate routing policy silently, without triggering conventional endpoint detection or log-based anomaly detection, makes SD-WAN Manager a high-value target for espionage and persistent access operations.

Organisations that have not reviewed their SD-WAN architecture’s security posture in 2026 should do so now, with specific attention to the access controls governing the management plane, the credential hygiene of netadmin accounts, and the monitoring coverage applied to SD-WAN Manager audit logs.

If your organisation relies on Cisco Catalyst SD-WAN and you want help assessing your current exposure, reviewing audit logs for indicators of compromise, or hardening your management plane access controls, contact Excello Digital. We provide independent security assessments for network infrastructure and can help you navigate Cisco’s remediation guidance without losing the operational visibility your network depends on.
