
On Thursday, Cisco warned of a high-severity, unpatched zero-day in Cisco Catalyst SD-WAN Manager (tracked as CVE-2026-20245) that is actively exploited in attacks enabling root privilege escalation.
The zero-day flaw impacts all deployment types, including On-Prem Deployment, Cisco SD-WAN Cloud-Pro, Cisco SD-WAN Cloud (Cisco Managed), and Cisco SD-WAN for Government (FedRAMP).
In a Thursday advisory, Cisco said the issue stems from inadequate validation of user-supplied input, and it can allow local attackers with low privileges to execute arbitrary commands as root.
“An attacker may exploit this vulnerability by importing a crafted file to the affected system. A successful exploit may permit the attacker to carry out command injection attacks on an affected system and elevate their privileges as the root user,” the company explained.
“To exploit this vulnerability, the attacker must have netadmin privileges on the affected system. This may require valid credentials or exploitation of CVE-2026-20182 or CVE-2026-20127. Cisco is not aware of successful exploitation by other methods,” it added. “Cisco has observed limited cases where the exploitation of this bug resulted in a configuration change pushed to edge devices.”
Formerly known as SD-WAN vManage, this network management software helps admins monitor and manage up to 6,000 Catalyst SD-WAN devices from a single dashboard.
Cisco’s Product Security Incident Response Team (PSIRT) became aware of CVE-2026-20245 exploitation in June after Google Cloud cybersecurity subsidiary Mandiant reported the flaw but didn’t share any details.
However, Cisco shared indicators of compromise (IOCs) warning admins to check their SD-WAN /var/log/scripts.log file for attempts to upload tenant configuration files to vSmart controllers to escalate privileges via legitimate commands, as in the following example:
Apr 15 09:44:57 vmanage vScript: Tenant list upload per vsmart serial number: /usr/bin/vconfd_script_upload_tenant_list.sh -cli path /home/admin/malicious.csv vpn 0
“For help determining if a Cisco Catalyst SD-WAN Manager has been compromised, customers may open a case with the Cisco TAC,” the company added, advising admins first to collect admin-tech files to help with the review.
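One way to run the log check Cisco describes, as an added example that is not Cisco's or the article's own tooling: it flags every invocation of the script named in the IOC and extracts the uploaded file path for review. The log layout is assumed from the single sample line above, and the sample entries are constructed.

```python
import re
import shlex
import sys

# Script named in the advisory's IOC line.
SCRIPT = "vconfd_script_upload_tenant_list.sh"
# Assumed syslog-style prefix (timestamp, host), inferred from the one sample line.
PREFIX_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s")

# Constructed sample entries; line 2 is modelled on the advisory's example.
SAMPLE_LOG = [
    "Apr 15 09:40:01 vmanage vScript: Constructed unrelated entry: /usr/bin/example_other.sh",
    "Apr 15 09:44:57 vmanage vScript: Tenant list upload per vsmart serial number: "
    "/usr/bin/vconfd_script_upload_tenant_list.sh -cli path /home/admin/malicious.csv vpn 0",
    'truncated prefix /usr/bin/vconfd_script_upload_tenant_list.sh -cli path "/tmp/with space.csv" vpn 0',
]

def find_tenant_uploads(lines):
    """Return one record per log line that invokes the tenant-list upload script."""
    hits = []
    for lineno, raw in enumerate(lines, 1):
        raw = raw.strip()
        if SCRIPT not in raw:
            continue
        # Keep the hit even if the prefix is damaged, so nothing is silently dropped.
        hit = {"line": lineno, "ts": None, "host": None, "path": None, "raw": raw}
        m = PREFIX_RE.match(raw)
        if m:
            hit["ts"], hit["host"] = m["ts"], m["host"]
        tail = raw.split(SCRIPT, 1)[1]
        try:
            args = shlex.split(tail)   # honours quoted paths containing spaces
        except ValueError:             # unbalanced quotes in a damaged line
            args = tail.split()
        if "path" in args[:-1]:
            hit["path"] = args[args.index("path") + 1]
        hits.append(hit)
    return hits

if __name__ == "__main__":
    # With no argument, run over the constructed sample; otherwise read the given log file.
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            source = fh.readlines()
    else:
        source = SAMPLE_LOG
    for h in find_tenant_uploads(source):
        print(f'{h["line"]}: ts={h["ts"]} host={h["host"]} uploaded={h["path"]}')
```

A hit only shows that the upload command ran, so each one still has to be compared against known administrator activity before it is treated as an indicator.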
Security patches not yet available
Last month, Cisco also tagged a maximum severity Catalyst SD-WAN Controller authentication bypass flaw (CVE-2026-20182) as actively exploited as a zero-day to gain administrative privileges on unpatched devices.
While Cisco has not yet released patches for CVE-2026-20245, it advised customers to upgrade to the software fixed for CVE-2026-20182 on May 14.
In February, Cisco patched another Catalyst SD-WAN Manager information disclosure security flaw (CVE-2026-20133), which CISA flagged as actively exploited in late April, and, two weeks later, warned that two more flaws (CVE-2026-20128 and CVE-2026-20122) were being abused in the wild.
In March, it also addressed and flagged a critical authentication-bypass vulnerability (CVE-2026-20127) that has been exploited in zero-day attacks since at least 2023.
Over the last several years, CISA has tagged 90 Cisco vulnerabilities as abused in the wild, four of them in Cisco Catalyst SD-WAN Manager and six others exploited by ransomware operations.


