Particle.news

Cisco Warns of Unpatched SD‑WAN Zero‑Day Under Active Exploitation

The flaw lets attackers who already hold netadmin access gain root through crafted file uploads, raising the risk that intruders who have already compromised systems can escalate privileges while patches remain pending.

Overview

  • Cisco disclosed Thursday that a high‑severity, unpatched vulnerability tracked as CVE‑2026‑20245 is being exploited in the wild against Catalyst SD‑WAN Manager.
  • The bug is in the product's command‑line interface and lets an authenticated local user upload a crafted file that performs command injection, running commands as the root user.
  • To exploit the flaw, an attacker must have netadmin privileges, which can be obtained from stolen credentials or by chaining earlier SD‑WAN authentication bypasses such as CVE‑2026‑20182 or CVE‑2026‑20127.
  • Cisco credited Google Cloud’s Mandiant for reporting the issue, published indicators of compromise and forensic steps (check /var/log/scripts.log, generate admin‑tech files, open TAC cases), and said patches will arrive in a future software release but are not yet available.
  • This is the seventh SD‑WAN zero‑day observed exploited in 2026. The exposure poses urgent risks for enterprise and government deployments because patching alone will not remove attackers who are already present; affected systems also require forensic remediation guided by Cisco TAC.