Cisco warns of unpatched SD-WAN zero-day exploited in attacks

CVE-2026-20245 unpatched – Cisco says an unpatched high-severity zero-day in its Cisco Catalyst SD-WAN Manager—CVE-2026-20245—is being actively exploited. The flaw can let low-privileged attackers execute commands as root, with Cisco only aware of limited cases where exploitation led to

On Thursday, Cisco issued a warning that landed hard on network security teams: an unpatched zero-day in its Cisco Catalyst SD-WAN Manager is already being used in real attacks.

The flaw, tracked as CVE-2026-20245, is high severity and allows attackers to escalate privileges to root. Cisco says the vulnerability stems from insufficient validation of user-supplied input.

In practical terms, Cisco’s advisory describes a path that starts with a simple action—uploading a crafted file—and can end with full control. “An attacker could exploit this vulnerability by uploading a crafted file to the affected system. A successful exploit could allow the attacker to perform command injection attacks on an affected system and elevate their privileges as the root user,” Cisco explained.

Cisco also set a condition for exploitation: attackers need netadmin privileges on the affected system. In other words, the attack isn’t fully “open” to any unauthenticated visitor. Cisco added that achieving that access would require valid credentials or exploitation of CVE-2026-20182 or CVE-2026-20127. Cisco said it is not aware of successful exploitation by other methods.

The scope isn’t limited to one kind of environment. Cisco says the flaw impacts all deployment types, including On-Prem Deployment, Cisco SD-WAN Cloud-Pro, Cisco SD-WAN Cloud (Cisco Managed), and Cisco SD-WAN for Government (FedRAMP).

Cisco warned that the exploitation has already shown consequences in the field, even if the company’s visibility is limited. It said it has observed “limited cases where the exploitation of this bug resulted in a configuration change pushed to edge devices.”

That matters because Catalyst SD-WAN Manager—formerly known as SD-WAN vManage—sits at the center of how administrators monitor and manage large deployments. Cisco described the platform as network management software that helps admins monitor and manage up to 6,000 Catalyst SD-WAN devices from a single dashboard.

The timeline behind the warning adds another layer of urgency. Cisco said its Product Security Incident Response Team (PSIRT) became aware of CVE-2026-20245 exploitation in June after Google Cloud cybersecurity subsidiary Mandiant reported the flaw but did not share any details.

Cisco’s guidance to defenders was unusually direct about what to look for. It said Mandiant shared indicators of compromise warning admins to check the file /var/log/scripts.log for attempts to upload tenant configuration data to vSmart controllers in a way that escalates privileges using legitimate commands.

Cisco included an example in its advisory: “Apr 15 09:44:57 vmanage vScript: Tenant list upload per vsmart serial number: /usr/bin/vconfd_script_upload_tenant_list.sh -cli path /home/admin/malicious.csv vpn 0”.
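The check Mandiant describes, as an added example that is not part of Cisco’s advisory or tooling: a small parser that walks a copy of /var/log/scripts.log (for instance one pulled from an admin-tech bundle), pulls out every invocation of the tenant-list upload script, and reports the timestamp, source path and VPN for review. The log format is inferred from the single line quoted in the advisory; the sample lines other than that one are constructed, and treating paths under /home/ as user-controlled is an added triage heuristic, not something the advisory states.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Pattern derived from the one log line quoted in the advisory: a syslog-style
# prefix (timestamp, host, "vScript:" tag) followed by the upload script, the
# source file path and the VPN id. Any match is an indicator worth reviewing.
UPLOAD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) vScript: "
    r"Tenant list upload per vsmart serial number: "
    r"/usr/bin/vconfd_script_upload_tenant_list\.sh -cli path (?P<path>\S+) vpn (?P<vpn>\d+)$"
)

@dataclass
class TenantListUpload:
    ts: str
    host: str
    path: str
    vpn: int
    # Added heuristic (assumption): a source file under /home/ came from a
    # user-writable location and should be triaged first.
    user_writable: bool

def parse_line(line: str) -> Optional[TenantListUpload]:
    """Return a TenantListUpload for a matching log line, else None."""
    m = UPLOAD_RE.match(line.strip())
    if m is None:
        return None
    path = m["path"]
    return TenantListUpload(m["ts"], m["host"], path, int(m["vpn"]),
                            path.startswith("/home/"))

def find_tenant_list_uploads(lines: Iterable[str]) -> List[TenantListUpload]:
    """Return every tenant-list upload found in the given log lines."""
    return [u for u in map(parse_line, lines) if u is not None]

# Constructed sample log. The first upload line is the one quoted in the
# advisory; the remaining lines are made up for this example.
SAMPLE_LOG = """\
Apr 15 09:41:02 vmanage vScript: unrelated maintenance task started
Apr 15 09:44:57 vmanage vScript: Tenant list upload per vsmart serial number: /usr/bin/vconfd_script_upload_tenant_list.sh -cli path /home/admin/malicious.csv vpn 0
Apr 15 09:45:10 vmanage vScript: unrelated maintenance task finished
Apr 15 10:02:13 vmanage vScript: Tenant list upload per vsmart serial number: /usr/bin/vconfd_script_upload_tenant_list.sh -cli path /home/admin/tenant_list.csv vpn 0
""".splitlines()

if __name__ == "__main__":
    for u in find_tenant_list_uploads(SAMPLE_LOG):
        flag = "REVIEW-FIRST" if u.user_writable else "review"
        print(f"{u.ts} {u.host} vpn={u.vpn} path={u.path} [{flag}]")
```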

If teams are trying to confirm compromise, Cisco pointed them toward support rather than self-diagnosis alone. “For help determining if a Cisco Catalyst SD-WAN Manager has been compromised, customers may open a case with the Cisco TAC,” it said. Cisco also advised customers to generate an admin-tech file first to help with the review.

Patches have not arrived for CVE-2026-20245. Cisco said that while it has not released fixes for this specific issue, it advised customers to upgrade to software fixed for CVE-2026-20182 on May 14.

This warning doesn’t stand alone. Last month, Cisco tagged a maximum severity Catalyst SD-WAN Controller authentication bypass flaw—CVE-2026-20182—as actively exploited as a zero-day to gain administrative privileges on unpatched devices.

Cisco also pointed back through its own recent advisory history. In February, it patched a Catalyst SD-WAN Manager information disclosure flaw, CVE-2026-20133, which CISA flagged as actively exploited in late April. Two weeks after that, Cisco warned about two more flaws being abused in the wild: CVE-2026-20128 and CVE-2026-20122.

In March, it addressed and flagged a critical authentication-bypass vulnerability—CVE-2026-20127—that has been exploited in zero-day attacks since at least 2023.

Zooming out further, Cisco noted that over the last several years, CISA has tagged 90 Cisco vulnerabilities as abused in the wild. Four of those involve Cisco Catalyst SD-WAN Manager, and six others have been exploited by ransomware operations.

One thing is clear from Cisco’s latest move: the SD-WAN stack is proving to be a lucrative target, and the gap between discovery and patch availability is being exploited in real time. Until CVE-2026-20245 is fixed, Cisco’s focus for customers is immediate—hunt for the specific indicators in /var/log/scripts.log and verify whether their systems may have already been touched.