CVE-2026-20245 Cisco SD-WAN Zero-Day Enables Root Command Execution in Active Attacks

Summary:

A high-severity vulnerability (CVE-2026-20245, CVSS 7.8) has been identified in Cisco Catalyst SD-WAN Manager (vManage). The flaw allows authenticated attackers with netadmin privileges to execute arbitrary operating system commands as the root user through crafted file uploads. The vulnerability results from insufficient input validation during file transfer operations. Cisco PSIRT has confirmed active exploitation in the wild, with threat actors using compromised privileged accounts to execute unauthorized commands and push malicious configuration changes to managed SD-WAN edge devices. Organizations using Cisco Catalyst SD-WAN Manager should apply the available security patches immediately and audit privileged administrative accounts for signs of compromise.

Technical Description:

CVE-2026-20245 resides in the file upload handling functionality of Cisco Catalyst SD-WAN Manager (vManage). The vulnerability is caused by insufficient input validation when processing certain file transfer requests. An authenticated attacker with netadmin-level privileges can upload a specially crafted file that causes vManage to execute arbitrary operating system commands with root privileges on the underlying system. Affected versions span multiple 20.x SD-WAN Manager releases, including the 20.9.x train. Because the flaw requires an authenticated netadmin session, attackers may chain it with credential exposure or a separate authentication weakness to reach that privilege level first. Once root-level execution is achieved, the attacker gains full control of the vManage orchestration layer, including the ability to modify SD-WAN overlay configurations, push malicious policy updates to all managed edge routers (vEdge/cEdge), and intercept or manipulate traffic flows across the SD-WAN fabric.

The vManage web-based management interface exposes several REST API endpoints and file handling functions that are accessible to authenticated administrators.

CVE: CVE-2026-20245
CVSS: 7.8 (High)
Vulnerability Type: Authenticated OS Command Injection via File Upload leading to Root Command Execution
Affected Product: Cisco Catalyst SD-WAN Manager (vManage), affected 20.x releases including the 20.9.x train
Patch Version: Apply the fixed release named in the Cisco advisory for your release train. Restrict vManage access to trusted IP addresses only.

Exploitation Demonstration:

  • CVE-2026-20245 (CVSS 7.8) in Cisco Catalyst SD-WAN Manager (vManage): An authenticated attacker with netadmin privileges sends a crafted HTTP file upload request to the vManage web interface. The request embeds operating system command metacharacters within the filename or file metadata fields, bypassing input validation. The vManage backend processes these parameters directly in a system call, resulting in arbitrary command execution as the root user on the underlying Linux host.
  • Chained exploitation scenario: An attacker first obtains netadmin credentials through phishing, credential stuffing, or exploitation of a secondary authentication weakness in vManage. The attacker authenticates to the vManage interface and then leverages CVE-2026-20245 to achieve root-level command execution. With root access to vManage, the attacker uses the SD-WAN management API to push modified device templates or CLI add-on configurations to all managed cEdge and vEdge routers, potentially redirecting traffic, inserting man-in-the-middle rules, or deploying persistent backdoors across the entire SD-WAN overlay network.
  • Active exploitation observed: Cisco PSIRT has confirmed real-world attacks in which threat actors with netadmin-level access (obtained through credential theft or insider access) executed unauthorised operating system commands via vManage. Post-exploitation activity included modification of SD-WAN policy configurations, creation of new administrative users, and configuration changes pushed to edge devices to alter routing and security policies.
  • Attacker-controlled device templates deployed through a compromised vManage instance can redirect SD-WAN traffic to attacker-controlled infrastructure or disable encryption on specific overlay tunnels, enabling passive interception of enterprise WAN traffic traversing the SD-WAN fabric.
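The metacharacter-in-filename pattern described in the first bullet above, as an added illustration in Python. This is example code written for this page; it is not Cisco's code and does not reproduce the vManage code path. A hypothetical upload handler interpolates the client-supplied filename into a shell command, beside a hardened version that allowlists the name, confines it to the staging directory and calls the external tool with an argv list and no shell. The staging directory, the `echo` stand-in for the real post-processing tool, and the allowed extensions are assumptions; it needs a POSIX /bin/sh to show the injection.

```python
import os
import re
import subprocess
import tempfile
from pathlib import Path

# Assumed staging directory for the demo (a fresh temp dir keeps the example self-contained).
STAGING_DIR = Path(tempfile.mkdtemp(prefix="upload-demo-"))

# Stand-in for the post-upload processing tool. On a real appliance this would be an
# image or archive verifier running as root, which is where a tainted path becomes a root shell.
PROCESS_TOOL = "echo"


def vulnerable_stage_upload(filename: str, content: bytes) -> str:
    """Vulnerable pattern: the client-controlled filename ends up inside a shell string.

    A name such as 'image.tar; id > /tmp/pwned' is written to disk and the trailing
    command then runs with the privileges of this process.
    """
    dest = STAGING_DIR / filename          # no normalisation: '../' also escapes STAGING_DIR
    dest.write_bytes(content)
    cmd = f"{PROCESS_TOOL} staged {dest}"  # shell=True re-parses ';', '|', '$(...)' and backticks
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


# Hardened: allowlist the name, refuse a leading '-' (argument injection against the tool),
# keep the resolved path inside STAGING_DIR, and never hand the name to a shell.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")
ALLOWED_SUFFIXES = (".tar", ".tar.gz", ".tgz", ".bin")   # assumed set for the demo


def hardened_stage_upload(filename: str, content: bytes) -> str:
    name = os.path.basename(filename)
    if name != filename or not SAFE_NAME.fullmatch(name):
        raise ValueError(f"rejected filename: {filename!r}")
    if not name.endswith(ALLOWED_SUFFIXES):
        raise ValueError(f"unexpected file type: {name!r}")
    dest = (STAGING_DIR / name).resolve()
    if dest.parent != STAGING_DIR.resolve():   # second check against traversal
        raise ValueError("path escaped staging directory")
    dest.write_bytes(content)
    # argv list, no shell: metacharacters in the path are inert bytes to the tool
    result = subprocess.run([PROCESS_TOOL, "staged", str(dest)],
                            capture_output=True, text=True, check=True)
    return result.stdout.strip()


def is_rejected(filename: str) -> bool:
    """True if the hardened handler refuses this name."""
    try:
        hardened_stage_upload(filename, b"")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    payload = "image.tar; echo INJECTED"
    print("vulnerable:", vulnerable_stage_upload(payload, b"demo"))   # INJECTED appears on its own line
    print("hardened rejects payload:", is_rejected(payload))          # True
    print("hardened accepts clean name:", hardened_stage_upload("image.tar", b"demo"))
```

The two handlers differ only in how the filename reaches the tool; the allowlist is what makes the argv call safe against option injection as well, since a name beginning with `-` never reaches `subprocess.run`.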

Ease of Exploitation:

CVE-2026-20245 requires authentication (netadmin privileges), which somewhat limits the attack surface compared to unauthenticated vulnerabilities. However, netadmin credentials are commonly held by network operations staff, contractors, and shared service accounts, making insider threats and credential theft realistic entry points. The file upload mechanism exploited is a standard interface used during normal SD-WAN operations, making malicious requests difficult to distinguish from legitimate traffic without deep inspection. Confirmed active exploitation significantly increases the urgency of remediation.

Conclusion:

CVE-2026-20245 represents a critical risk to enterprise SD-WAN environments given the confirmed active exploitation and the potential for an attacker with vManage access to impact the entire SD-WAN overlay network. Organisations running Cisco Catalyst SD-WAN Manager should prioritise patching, enforce strict access controls on the vManage interface, and immediately audit netadmin-level accounts for unauthorised activity or configuration changes. The SD-WAN management plane should be treated as a high-value target and protected with the same level of security applied to core network infrastructure.

Impact:

Successful exploitation of CVE-2026-20245 grants the attacker root-level control of the vManage orchestration platform. Because vManage centrally manages all SD-WAN edge devices, a compromised vManage instance can be used to alter routing policies, modify security configurations, disable encrypted tunnels, or redirect enterprise WAN traffic across all managed sites. For UAE and MENA organisations relying on Cisco SD-WAN for branch connectivity, this poses a risk of complete WAN infrastructure compromise, traffic interception, and lateral movement into branch networks. UAE PDPL breach notification and, for Saudi-regulated entities, NCA ECC incident reporting requirements may apply if data exfiltration is confirmed through compromised SD-WAN traffic paths.

IOC and Context Details:

Topics Details
Tactic Name Privilege Escalation, Execution, Impact, Lateral Movement
Technique Name Authenticated Command Injection via File Upload in Cisco Catalyst SD-WAN Manager (vManage) Enabling Root Command Execution
Sub Technique Name Upload a crafted file containing OS command metacharacters through the vManage file transfer interface (CVE-2026-20245, CVSS 7.8) as an authenticated netadmin user → Commands execute with root privileges on the vManage host → Attacker abuses the vManage API to push malicious configurations to managed Cisco SD-WAN edge devices.
Attack Type Vulnerability
Targeted Applications Cisco Catalyst SD-WAN Manager (vManage), multiple 20.x and 20.9.x release trains.
Region Impacted Global
Industry Impacted Enterprise, Telecommunications, Financial Services, Government, and any organization operating Cisco SD-WAN environments.
IOCs
IP Addresses:
  • 76.92.245[.]217
  • 207.190.37[.]94
  • 23.245.7[.]178
  • 153.186.231[.]233
  • 167.179.79[.]189
  • 45.32.38[.]160
  • 209.137.225[.]101
SHA256:
  • b82936f37648518425c7d3cf9e09eaffa41d7cdb3840f6a40287e3a108880f7b
CVE CVE-2026-20245

Recommended Actions:

  • Apply the Cisco security advisory patch for CVE-2026-20245 immediately. Refer to the Cisco PSIRT advisory for the specific fixed software versions applicable to your SD-WAN Manager release train. Treat this as an emergency patch, given the confirmed active exploitation.
  • Restrict access to the vManage web interface (ports 443/8443) to trusted management IP ranges only. Do not expose vManage directly to the internet. Place vManage behind a VPN or dedicated management network segment that is accessible only through a bastion host or jump server.
  • Audit all accounts with netadmin privileges in vManage. Disable or remove accounts that are no longer required. Enforce multi-factor authentication (MFA) for all vManage administrative accounts, including netadmin-level users. Review recent login activity for signs of unauthorised access.
  • Review vManage audit logs and change logs for any unauthorised device template modifications, policy changes, or new administrative user creation. Cross-check SD-WAN edge device running configurations against known-good baselines to identify unauthorised configuration changes pushed from vManage.
  • Enable vManage activity logging and integrate logs with your SIEM. Configure alerts for file upload events, high-privilege command execution on the vManage host, and configuration push events to edge devices, particularly those occurring outside approved change management windows.
  • If patching cannot be applied immediately, consider disabling or restricting the specific file upload or file transfer functionality within vManage as a temporary mitigation while coordinating emergency patching. Consult the Cisco advisory for any available workarounds.
  • Ensure Cisco SD-WAN Manager instances operate according to the principle of least privilege at the operating system level. Isolate vManage from general corporate network segments. Verify that SD-WAN underlay and overlay network monitoring is in place to detect anomalous traffic patterns that could indicate post-compromise manipulation of routing or security policies.
  • Report any confirmed exploitation to Cisco PSIRT and, where applicable, comply with UAE PDPL breach notification obligations and NCA ECC incident reporting requirements if data exfiltration or WAN traffic interception is identified.
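To make the log review and SIEM alerting points above concrete, here is an added Python triage script. It is example code written for this page, not from the Cisco advisory or any vendor tool. It runs the checks those points list over a constructed audit-log sample: source IP against the IOC list on this page, shell metacharacters in uploaded filenames, creation of netadmin accounts, and template pushes outside an approved change window. The key=value line layout, the action names and the change window are assumptions; a real deployment would map the fields of the vManage audit-log export (or its SIEM-parsed equivalent) into parse_event().

```python
import re
from datetime import datetime, timezone

# Constructed sample in an assumed key=value layout; this is NOT the real vManage
# audit-log schema. 45.32.38.160 is one of the IP addresses listed under IOCs above.
SAMPLE_LOG = """\
2026-06-18T09:12:41Z user=admin src=10.20.0.15 action=LOGIN result=success
2026-06-18T09:15:02Z user=admin src=10.20.0.15 action=FILE_UPLOAD detail="filename=viptela-20.9.bin"
2026-06-18T22:30:11Z user=admin src=10.20.0.15 action=TEMPLATE_PUSH detail="template=branch-std devices=14"
2026-06-19T02:14:07Z user=svc-netops src=45.32.38.160 action=LOGIN result=success
2026-06-19T02:14:33Z user=svc-netops src=45.32.38.160 action=FILE_UPLOAD detail="filename=image.tar;id>/tmp/.p"
2026-06-19T02:16:05Z user=svc-netops src=45.32.38.160 action=USER_CREATE detail="user=support role=netadmin"
2026-06-19T02:20:19Z user=support src=45.32.38.160 action=TEMPLATE_PUSH detail="template=branch-std devices=14"
"""

# IOC IP addresses from this page (defanging removed so they compare as plain strings).
IOC_IPS = {
    "76.92.245.217", "207.190.37.94", "23.245.7.178", "153.186.231.233",
    "167.179.79.189", "45.32.38.160", "209.137.225.101",
}

# Assumed approved change window for the sample period (UTC).
APPROVED_WINDOWS = [
    (datetime(2026, 6, 18, 22, 0, tzinfo=timezone.utc),
     datetime(2026, 6, 18, 23, 0, tzinfo=timezone.utc)),
]

# Characters that a shell would interpret if a filename reached a command string.
SHELL_META = re.compile(r"[;&|`$<>\n]")
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
PUSH_ACTIONS = {"TEMPLATE_PUSH", "CONFIG_PUSH"}


def parse_event(line: str) -> dict:
    """Parse one line into a dict; nested key=value pairs inside detail get a 'detail.' prefix."""
    ts_str, _, rest = line.partition(" ")
    event = {"ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)}
    for key, val in KV.findall(rest):
        event[key] = val.strip('"')
    for key, val in KV.findall(event.get("detail", "")):
        event["detail." + key] = val.strip('"')
    return event


def in_change_window(ts: datetime) -> bool:
    return any(start <= ts <= end for start, end in APPROVED_WINDOWS)


def triage(lines, ioc_ips=IOC_IPS) -> list:
    """Return one finding per event that trips at least one rule, with the reasons."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        reasons = []
        if ev.get("src") in ioc_ips:
            reasons.append("source IP matches published IOC")
        if ev.get("action") == "FILE_UPLOAD" and SHELL_META.search(ev.get("detail.filename", "")):
            reasons.append("upload filename contains shell metacharacters")
        if ev.get("action") == "USER_CREATE" and ev.get("detail.role") == "netadmin":
            reasons.append("new netadmin account created")
        if ev.get("action") in PUSH_ACTIONS and not in_change_window(ev["ts"]):
            reasons.append("configuration push outside approved change window")
        if reasons:
            findings.append({"ts": ev["ts"].isoformat(), "user": ev.get("user"),
                             "src": ev.get("src"), "action": ev.get("action"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f["ts"], f["user"], f["src"], f["action"], "->", "; ".join(f["reasons"]))
```

Against the sample, the three daytime admin events produce nothing and the four events from 45.32.38.160 are flagged, the last three with a second reason each. The change-window rule is the one worth tuning first: it is cheap, it catches the "push outside approved windows" case the list above calls out, and it does not depend on the attacker using a known IP.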

Reference:

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-vmanage-rce-CVE-2026-20245

https://www.oracle.com/security-alerts/cspujun2026verbose.html

https://blog.qualys.com/vulnerabilities-threat-research/2026/06/18/oracle-critical-patch-update-june-2026-security-update-review

https://www.tenable.com/blog/oracle-june-2026-critical-security-patch-update-addresses-243-cves-cve-2026-35273