Bottom line: An unpatched command injection vulnerability in SD-WAN Manager is being actively exploited, requiring immediate measures to close authentication gaps and monitor logs.
The critical security vulnerability CVE-2026-20245 (CVSS 7.8) in Cisco Catalyst SD-WAN Manager is being actively exploited by attackers. Currently, no security patch exists, which means systems accessible over the internet are at considerable risk.
Cisco has issued a security advisory for CVE-2026-20245, a critical vulnerability in the command-line interface (CLI) of the Catalyst SD-WAN Manager. The vulnerability affects on-premises installations, Cisco SD-WAN Cloud Pro, Cisco-managed cloud, and Cisco SD-WAN for Government. With a CVSS score of 7.8 and active exploitation occurring, the threat is severe.
The flaw results from insufficient validation of user input in the CLI. Authenticated attackers with netadmin privileges can upload a malicious file and trigger command injection, enabling execution of arbitrary commands as root. Attackers can obtain the required administrative access through legitimate credentials or via known authentication vulnerabilities (CVE-2026-20182, CVE-2026-20127). Security researchers from Mandiant have already documented that, after successful exploitation, attackers transfer malicious configurations directly to connected edge devices.
As no patch is available, Cisco recommends, as an immediate measure, closing the authentication vulnerability CVE-2026-20182 by installing the update from May 14, 2026. This disrupts the typical attack chain. Administrators should examine the log file /var/log/scripts.log for suspicious entries, particularly unusual file paths and script invocations; CSV files serve as indicators. CVE-2026-20245 is already the seventh actively exploited vulnerability in Cisco SD-WAN products in 2026.
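One way to run the log review described above, as an added example that is not taken from Cisco's advisory or the source article. The log line format, the sample lines and the `EXPECTED_PREFIXES` baseline are assumptions; the script treats each line as free text and flags CSV references, traversal sequences and paths outside your own known-good directories.

```python
import posixpath
import re
import sys

# Assumption: directories your manager normally references in this log.
# Derive the real list from a known-good baseline of your own system.
EXPECTED_PREFIXES = ("/usr/bin/", "/opt/baseline/")

# Absolute path tokens; the lookbehind skips relative paths and dates like 06/09.
PATH_RE = re.compile(r"(?<![\w.])/[^\s'\",;|&()<>]+")

def classify_path(path, expected=EXPECTED_PREFIXES):
    """Return the reasons a single path token deserves a closer look."""
    reasons = []
    if path.lower().endswith(".csv"):
        reasons.append("csv-reference")
    if "/../" in path or path.endswith("/.."):
        reasons.append("path-traversal")
    # Resolve ".." before the prefix check so a traversal cannot hide
    # behind an expected directory name.
    if not posixpath.normpath(path).startswith(tuple(expected)):
        reasons.append("outside-baseline")
    return reasons

def triage(lines, expected=EXPECTED_PREFIXES):
    """Return (line number, sorted reasons, line) for each line worth review."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        reasons = set()
        for token in PATH_RE.findall(line):
            reasons.update(classify_path(token.rstrip(".:"), expected))
        if reasons:
            findings.append((lineno, sorted(reasons), line.rstrip("\n")))
    return findings

# Constructed sample lines; the real log format may differ.
SAMPLE = [
    "2026-06-09T10:00:01 run /usr/bin/backup.sh ok",
    "2026-06-09T10:04:17 run /usr/bin/../../tmp/u/job.sh",
    "2026-06-09T10:04:18 input /home/admin/upload/devices.csv",
    "2026-06-09T10:05:00 rotate complete",
]

if __name__ == "__main__":
    # Pass the log path as an argument; with none, the sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            lines = fh.readlines()
    else:
        lines = SAMPLE
    for lineno, reasons, line in triage(lines):
        print(f"{lineno}: {','.join(reasons)}: {line}")
```

Run it against a copy of /var/log/scripts.log and treat the output as a review queue, since a flagged line only means it differs from the baseline you supplied.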
Source: www.it-daily.net · Published June 10, 2026
Lumi AI News — AI-assisted curation in accordance with Article 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.6.5.