DarkReading

CVE-2026-20245 Exposes Cisco SD-WAN Networks To Risk


Cisco has issued an urgent warning that a high-severity vulnerability in its Catalyst SD-WAN Manager platform is being actively exploited in the wild—and no patch exists yet. CVE-2026-20245 allows authenticated attackers with netadmin privileges to execute arbitrary commands as root, placing wide-area network infrastructure at severe risk.

The disclosure is particularly alarming because Catalyst SD-WAN Manager controls and orchestrates SD-WAN deployments across enterprise and carrier networks. A successful exploit could allow attackers to push malicious configurations to thousands of edge devices simultaneously.

Understanding CVE-2026-20245

CVE-2026-20245 exists in the command-line interface (CLI) of Cisco Catalyst SD-WAN Manager, resulting from insufficient validation of user-supplied input when processing file arguments. The vulnerability carries a CVSS base score of 7.8 (High), with a vector of CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.

To exploit the flaw, an attacker must have netadmin-level credentials on the affected system. While this limits the immediate attack surface, Cisco noted in its advisory that attackers are chaining CVE-2026-20245 with two related vulnerabilities—CVE-2026-20182 and CVE-2026-20127—to achieve initial access before escalating to root execution. This chaining technique effectively reduces the privilege prerequisite in practice.

An attacker supplies a specially crafted file to the Catalyst SD-WAN Manager CLI. Insufficient input validation allows the crafted file to execute arbitrary OS-level commands with root privileges. Cisco confirmed “limited cases” in which exploitation resulted in configuration changes being pushed to downstream edge devices—a significant escalation of potential impact.

No Patch Available — Cisco Plans Future Release

Unlike most critical vulnerability advisories, Cisco has disclosed CVE-2026-20245 without an accompanying patch. The company stated it plans to address the vulnerability in a future software release but did not provide a specific timeline.

This leaves organisations with only partial mitigations at their disposal. Cisco advises restricting CLI access to only trusted users and applying strict controls on file upload functionality within SD-WAN Manager administrative interfaces.

“A vulnerability without a patch and with confirmed in-the-wild exploitation is a worst-case scenario for network defenders,” noted a network security practitioner familiar with SD-WAN infrastructure. “Every day without a patch is another day of active risk.”

Why It Matters

SD-WAN infrastructure occupies a privileged position in modern enterprise networks, providing policy control over traffic routing across branches, data centres, and cloud environments. Compromising the management plane—which CVE-2026-20245 enables—gives attackers visibility into traffic flows, the ability to redirect connectivity, and the power to inject backdoor configurations across all managed edges.

The impact extends beyond a single organisation. Managed service providers (MSPs) and telecommunications carriers that use Cisco Catalyst SD-WAN to manage multiple customer environments face the prospect of cross-tenant compromise if their management platform is breached.

Mitigation Steps

  • Immediately audit who holds netadmin credentials on Catalyst SD-WAN Manager deployments and revoke unnecessary access.
  • Enable multi-factor authentication (MFA) for all SD-WAN Manager administrative accounts to reduce credential-theft risk.
  • Restrict file upload functionality within the SD-WAN Manager interface to the absolute minimum required for operations.
  • Monitor SD-WAN Manager CLI logs for unusual file upload activity or unexpected root-level command executions.
  • Apply network segmentation to isolate the SD-WAN management plane from general enterprise networks.
  • Subscribe to Cisco Security Advisories (tools.cisco.com/security/center) and apply the patch immediately upon release.
  • Conduct a configuration audit of all managed edge devices to identify any unauthorized configuration pushes already applied.
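The first mitigation step above can be made repeatable. As an added example (not code from Cisco or from the article), the script below takes a user export from SD-WAN Manager and flags every account holding netadmin that is not on an approved list, so the review can be re-run after each change. The export shape (a `data` list of objects with `userName` and a `group` list) is assumed to match what the `/dataservice/admin/user` endpoint returns; the sample export and the allowlist are constructed.

```python
import json

# Constructed sample export, shaped like an SD-WAN Manager user listing
# (assumed: a "data" list with "userName" and a "group" list per account).
SAMPLE_EXPORT = json.dumps({
    "data": [
        {"userName": "admin", "group": ["netadmin"]},
        {"userName": "noc-readonly", "group": ["operator"]},
        {"userName": "svc-backup", "group": ["netadmin", "operator"]},
        {"userName": "jdoe", "group": ["netadmin"]},
    ]
})

# Hypothetical allowlist: accounts that are approved to hold netadmin.
APPROVED_NETADMIN = {"admin"}


def netadmin_accounts(export_json: str) -> set[str]:
    """Return the user names that belong to the netadmin group."""
    users = json.loads(export_json).get("data", [])
    return {u["userName"] for u in users if "netadmin" in u.get("group", [])}


def audit_netadmin(export_json: str, approved: set[str]) -> dict[str, set[str]]:
    """Split netadmin holders into approved accounts, accounts needing review
    (revocation candidates), and approved names that no longer hold the role."""
    holders = netadmin_accounts(export_json)
    return {
        "approved": holders & approved,
        "review": holders - approved,
        "missing": approved - holders,
    }


if __name__ == "__main__":
    report = audit_netadmin(SAMPLE_EXPORT, APPROVED_NETADMIN)
    for name in sorted(report["review"]):
        print(f"REVIEW: {name} holds netadmin but is not on the approved list")
    for name in sorted(report["missing"]):
        print(f"NOTE: approved account {name} no longer holds netadmin")
```

Accounts reported under REVIEW are the ones to revoke or formally approve; re-running the check after the advisory's future patch lands confirms nothing was added in the meantime.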
