Cisco disclosed CVE-2026-20245 on 5 June 2026, a high-severity command-injection vulnerability in Catalyst SD-WAN Manager that Google's Mandiant has now shown was exploited as a zero-day for at least two months before it became public. The flaw lets an authenticated attacker who already holds netadmin privileges execute arbitrary commands as root by uploading a crafted file to the appliance — a privilege-escalation step, not an internet-facing entry point. It carries a CVSS base score of 7.8, sits in the management plane of an SD-WAN fabric, and has already been used in a targeted intrusion against a service provider by an actor Mandiant has not attributed.
What the flaw is
The vulnerability is in the command-line interface of Cisco Catalyst SD-WAN Manager, formerly vManage; Cisco's advisory also lists the SD-WAN Controller (vSmart) and Validator (vBond) among affected components. The root cause is insufficient validation of user-supplied input: a file-upload workflow in the CLI does not properly filter what it is handed, so a user who can reach that workflow can inject commands that run with root privileges. That turns a controlled administrative account into full control of the device.
The important qualifier is the access requirement. This is not an unauthenticated, remotely exploitable bug. To use it, an attacker must already have netadmin privileges on the system — which is why Cisco scores it 7.8 (high) rather than critical. The catch is that netadmin access is itself obtainable: through stolen credentials, or by chaining earlier Cisco SD-WAN authentication-bypass flaws such as CVE-2026-20127 and CVE-2026-20182, both previously disclosed and both exploited as zero-days in their own right. CVE-2026-20245 is the seventh Cisco SD-WAN product vulnerability whose active exploitation has come to light in 2026, and the pattern — multiple chained SD-WAN zero-days aimed at one operator — points to a sustained campaign rather than opportunistic scanning.
How it was used
Mandiant's investigation, published on 25 June 2026, traced activity against a single service provider's SD-WAN environment across two phases from late 2025 into March 2026. In the first phase the actor established unauthorised SD-WAN peering connections — the cryptographic handshake that lets network components trust one another — likely by exploiting the earlier authentication-bypass flaws, giving them a foothold that looked like a legitimate peer. In the second phase the actor authenticated to the SD-WAN Manager over SSH using a default administrative account, then exploited CVE-2026-20245 to escalate to root and create a rogue root-level account (reported as "troot") with full shell access.
What distinguishes this intrusion is the discipline around covering tracks. The actor backed up configuration files before modifying them and restored them afterwards, deleted the files it created, reversed its configuration changes, reset the administrator password back to its original value so a logging-in admin would notice nothing, and ran a script to confirm the evidence was gone. Mandiant's own note that these anti-forensic measures significantly limited its ability to reconstruct the full scope is the operative warning for defenders: here, absence of evidence is not evidence of absence. In keeping with responsible disclosure, this article does not reproduce the upload command, the payload file or its contents, or the attacker infrastructure — those live indicators belong in Cisco's advisory and Mandiant's published IOC set, not in a summary.
Why the management plane makes this serious
SD-WAN Manager is not an ordinary host. It is the orchestration point for the fabric, which is why Cisco reported limited cases where exploitation resulted in configuration changes being pushed to edge devices. Compromise there does not stay contained to one appliance; it can alter the behaviour of downstream network infrastructure and give an intruder durable visibility into internal traffic. It also sits in the category of network appliances that, as Mandiant puts it, do not natively support endpoint detection and response — the living-off-the-edge pattern in which attackers deliberately target gear that lacks the telemetry defenders rely on elsewhere. That combination, a management-plane foothold on a device with limited native logging, is what makes a 7.8 worth treating with more urgency than the score alone suggests.
What to do
There was no workaround at disclosure, so remediation centres on patching, evidence preservation and compromise review:
Upgrade Catalyst SD-WAN Manager to a fixed release — 20.9.9.2, 20.12.7.2, 20.15.4.5, 20.15.5.3, 20.18.3.1, 26.1.1.2, or later. Cisco released the patches around 12 June 2026, and CISA added the flaw to its Known Exploited Vulnerabilities catalogue with a 23 June 2026 remediation deadline for US federal civilian agencies.
Treat detection as incident response, not routine patching. Cisco has been explicit that installing the fix alone will not secure an already-compromised device. Collect diagnostic logs from control-plane components (Cisco's
admin-techcollection), and if abuse is indicated, engage Cisco TAC for recovery guidance rather than assuming the upgrade closed the door.Hunt for the behaviour, not just the version. Review SD-WAN Manager appliances for unauthorised root-level activity, unexpected or unauthorised accounts, suspicious file uploads, and unexplained configuration pushes to edge devices. Because the account name and other artefacts are campaign-specific and were actively erased, hunt for the categories of activity and cross-reference Mandiant's published indicators rather than a single string.
Validate the chain is closed. Since netadmin access here was tied to stolen credentials or the earlier SD-WAN authentication-bypass flaws, confirm that CVE-2026-20127, CVE-2026-20182 and the other 2026 SD-WAN fixes are fully applied across the estate, and rotate credentials and certificate material that may have been exposed.
Reduce exposure. Cisco has warned that internet-exposed management interfaces are at heightened risk; restrict administrative access to the SD-WAN Manager to trusted networks.
Key Takeaways
CVE-2026-20245 (CVSS 7.8) is a command-injection flaw in the CLI of Cisco Catalyst SD-WAN Manager (vManage; vSmart and vBond are also listed) that lets an authenticated netadmin-privileged attacker execute commands as root via a crafted file upload.
Mandiant reported (25 June 2026) that an unattributed actor exploited it as a zero-day for at least two months against a service provider, escalating a compromised admin account to root, creating a rogue root account, and using extensive anti-forensic cleanup that limited investigators' reconstruction of the intrusion.
It requires netadmin access — obtainable via stolen credentials or by chaining earlier SD-WAN authentication-bypass flaws (CVE-2026-20127, CVE-2026-20182) — so it is a privilege-escalation link in a chain, not an internet-facing entry point; it is the seventh Cisco SD-WAN flaw exploited in 2026.
Fix: upgrade to 20.9.9.2 / 20.12.7.2 / 20.15.4.5 / 20.15.5.3 / 20.18.3.1 / 26.1.1.2 or later (patched ~12 June; CISA KEV deadline 23 June). Because the fix alone will not clean a compromised device, treat detection as incident response, collect logs, hunt for unauthorised root activity and config pushes, validate the earlier CVEs are remediated, and engage Cisco TAC if compromise is found.