Cisco Warns of Actively Exploited SD‑WAN Zero‑Day in Catalyst Manager
With no patch yet available, Cisco published indicators of compromise so operators can check logs and open support cases for investigation.
Overview
- Cisco disclosed CVE-2026-20245 on Thursday as an unpatched command‑injection zero‑day in Catalyst SD‑WAN Manager that can let an authenticated user execute arbitrary commands as root.
- The vendor said attackers must have 'netadmin' privileges to exploit the flaw, which can come from stolen credentials or from chaining earlier SD‑WAN bugs such as CVE-2026-20182 or CVE-2026-20127.
- Cisco reported that it learned of in‑the‑wild exploitation in June, after Mandiant notified PSIRT, and that it has published indicators of compromise and specific log entries for detection.
- Customers are urged to review SD‑WAN logs (for example /var/log/scripts.log), generate admin‑tech files, and open TAC cases because no workaround exists and fixes will ship in a future release.
- This zero‑day is the latest in a string of 2026 SD‑WAN exploits that have allowed privilege escalation and, in limited cases, pushed configuration changes to edge devices, raising risk for large deployments that rely on centralized management.