CVE-2026-20245
Published 2026-06-04
Priority: P1 · 85 · high · 7.8 (CVSS 3.1)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KEV: CISA Known Exploited Vulnerability, due 2026-06-23
ITW: Exploited in the wild
EPSS: 0.36% (58.2th percentile)
A vulnerability in the CLI of Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, and Cisco Catalyst SD-WAN Validator, formerly SD-WAN vBond, could allow an authenticated, local attacker to execute arbitrary commands as root by supplying a crafted file to the affected system.
This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by uploading a crafted file to the affected system. A successful exploit could allow the attacker to perform command injection attacks on an affected system and elevate their privileges as the root user.
To exploit this vulnerability, the attacker must have netadmin privileges on the affected system. This would require valid credentials or exploitation of or . Cisco is not aware of successful exploitation by other methods. Cisco has observed limited cases where the exploitation of this bug resulted in a configuration change pushed to edge devices.
Cisco recommends that customers upgrade to the fixed software that is documented in the that was published on May 14, 2026, and verify the configuration of the edge devices.
Affected
392 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cisco | catalyst_sd-wan_manager | < 20.9.9.1 | 20.9.9.1 |
| cisco | catalyst_sd-wan_manager | — | — |
| cisco | catalyst_sd-wan_manager | >= 20.10 < 20.12.5.4 | 20.12.5.4 |
| cisco | catalyst_sd-wan_manager | >= 20.12.6 < 20.12.6.2 | 20.12.6.2 |
| cisco | catalyst_sd-wan_manager | >= 20.13 < 20.15.4.4 | 20.15.4.4 |
| cisco | catalyst_sd-wan_manager | >= 20.15.5 < 20.15.5.2 | 20.15.5.2 |
| cisco | catalyst_sd-wan_manager | >= 20.16 < 20.18.2.2 | 20.18.2.2 |
| cisco | catalyst_sd-wan_manager | >= 26.1 < 26.1.1.1 | 26.1.1.1 |
| cisco | cisco_catalyst_sd-wan_manager | — | — |
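
The following added example (not part of the advisory or of any vendor tooling) parses the catalyst_sd-wan_manager range strings exactly as the table writes them and tests an installed release against them. The names `TABLE_ROWS`, `parse_version`, `parse_range` and `check` are chosen for this example, and the inventory values are constructed. The page shows only 25 of 392 ranges, so a negative result is not proof that a release is unaffected.

```python
import re

# Rows copied from the "Affected" table above (catalyst_sd-wan_manager rows
# that carry a range); the page shows 25 of 392 ranges, so this is partial.
TABLE_ROWS = [
    ("< 20.9.9.1", "20.9.9.1"),
    (">= 20.10 < 20.12.5.4", "20.12.5.4"),
    (">= 20.12.6 < 20.12.6.2", "20.12.6.2"),
    (">= 20.13 < 20.15.4.4", "20.15.4.4"),
    (">= 20.15.5 < 20.15.5.2", "20.15.5.2"),
    (">= 20.16 < 20.18.2.2", "20.18.2.2"),
    (">= 26.1 < 26.1.1.1", "26.1.1.1"),
]

def parse_version(text, width=4):
    """Turn '20.12.6' into (20, 12, 6, 0); zero-padding makes 20.10 == 20.10.0.0."""
    text = text.strip()
    # Reject suffixed or malformed strings so they get reviewed by hand.
    if not re.fullmatch(r"\d+(\.\d+){0,%d}" % (width - 1), text):
        raise ValueError(f"non-numeric or over-long version: {text!r}")
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (width - len(parts)))

def parse_range(expr):
    """Parse '>= A < B' or '< B' into (lower_or_None, upper)."""
    m = re.fullmatch(r"\s*(?:>=\s*(\S+)\s+)?<\s*(\S+)\s*", expr)
    if not m:
        raise ValueError(f"unsupported range syntax: {expr!r}")
    lower = parse_version(m.group(1)) if m.group(1) else None
    return lower, parse_version(m.group(2))

def check(installed):
    """Return (affected, fixed_in) for an installed release string."""
    v = parse_version(installed)
    for expr, fixed in TABLE_ROWS:
        lower, upper = parse_range(expr)
        # Lower bound is inclusive, upper bound (the fixed release) exclusive.
        if (lower is None or v >= lower) and v < upper:
            return True, fixed
    return False, None

if __name__ == "__main__":
    # Constructed inventory values, not taken from any real deployment.
    for release in ["20.9.8", "20.12.5.4", "20.12.6.1", "20.15.5", "26.1.1.1"]:
        print(release, check(release))
```

Comparing zero-padded integer tuples avoids the string-comparison trap where "20.9" sorts after "20.10", and the strict parser raises on suffixed build strings instead of guessing.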
Detection & IOCs (extracted from sources)
- Attacker must have netadmin privileges on the affected system to exploit this vulnerability; monitor for privilege escalation to root from netadmin-level accounts on Cisco Catalyst SD-WAN Manager, vSmart, and vBond systems
- Look for unexpected or crafted file uploads to Cisco Catalyst SD-WAN Manager CLI, which are the delivery mechanism for the command injection payload
- Monitor for unexpected configuration changes pushed to SD-WAN edge devices, as this has been observed as a post-exploitation indicator in confirmed cases
- Alert on processes or commands executing as root that were spawned from the SD-WAN Manager CLI process chain, indicating successful privilege escalation via command injection
- Exploitation requires valid netadmin credentials or prior exploitation of a separate vulnerability to obtain them; standalone exploitation without credentials has not been observed
- The vulnerability is confirmed actively exploited in the wild and is listed in CISA KEV; FCEB agencies must remediate by June 23, 2026
- The vendor security advisory (published May 14, 2026) is the authoritative source for fixed software versions; customers should verify edge device configurations after patching
- Full advisory details are available at the Cisco Security Advisory URL listed in the CISA KEV catalog notes
CVSS provenance
nvd · v3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vulncheck · 7.8 HIGH
cisa · 7.8 HIGH
VulDB
Cisco Catalyst SD-WAN Manager up to 26.1.1_LI_Images File escape output (cisco-sa-sdwan-privesc-4uxFrdzx)
vuldb·2026-06-05·CVSS 7.8
CVE-2026-20245 [HIGH] Cisco Catalyst SD-WAN Manager up to 26.1.1_LI_Images File escape output (cisco-sa-sdwan-privesc-4uxFrdzx)
A vulnerability was found in Cisco Catalyst SD-WAN Manager. It has been rated as problematic. Impacted is an unknown function of the component File Handler. The manipulation leads to escaping of output.
This vulnerability is uniquely identified as CVE-2026-20245. Local access is required to approach this attack. No exploit exists.
Upgrading the affected component is advised.
GHSA
A vulnerability in the CLI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an authenticated, local attacker to execute arbitrary commands as root by supplying a crafted file to
ghsa_unreviewed·2026-06-05
CVE-2026-20245 [HIGH] CWE-116 A vulnerability in the CLI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an authenticated, local attacker to execute arbitrary commands as root by supplying a crafted file to
A vulnerability in the CLI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an authenticated, local attacker to execute arbitrary commands as root by supplying a crafted file to the affected system.
This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by uploading a crafted file to the affected system. A successful exploit could allow the attacker to perform command injection attacks on an affected system and elevate their privileges as the root user.
To exploit this vulnerability, the attacker must have netadmin privileges on the affected system. This would require valid credentials or exploitation of or . Cisco is not aware of successful exploitation by other methods. Cisco has observed limited ca
VulnCheck
Cisco catalyst_sd-wan_manager Improper Encoding or Escaping of Output
vulncheck·2026·CVSS 7.8
CVE-2026-20245 [HIGH] Cisco catalyst_sd-wan_manager Improper Encoding or Escaping of Output
A vulnerability in the CLI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an authenticated, local attacker to execute arbitrary commands as root by supplying a crafted file to the affected system.
This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by uploading a crafted file to the affected system. A successful exploit could allow the attacker to perform command injection attacks on an affected system and elevate their privileges as the root user.
To exploit this vulnerability, the attacker must have netadmin privileges on the affected system. This would require valid credentials or exploitation of or . Cisco is not aware of
CISA
Cisco Catalyst SD-WAN Manager Improper Encoding or Escaping of Output Vulnerability
cisa·2026-06-09·CVSS 7.8
CVE-2026-20245 [HIGH] CWE-116 Cisco Catalyst SD-WAN Manager Improper Encoding or Escaping of Output Vulnerability
Vulnerability: Cisco Catalyst SD-WAN Manager Improper Encoding or Escaping of Output Vulnerability
Affected: Cisco Catalyst SD-WAN Manager
Cisco Catalyst SD-WAN Manager formerly SD-WAN vManage contains an improper encoding or escaping of output vulnerability. This vulnerability could allow an authenticated, local attacker to execute arbitrary commands as root by supplying a crafted file to the affected system.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-privesc-4uxFrdzx ; https://nvd.nist.gov/vuln/detail/CVE-2026-20245
Remediation Due Date: 2026-06-23
No detection rules found.
No public exploits indexed.
Hackernews
CISA Adds Cisco, Chrome, and Arista Flaws to KEV Catalog Amid Active Exploitation
blogs_hackernews·2026-06-10·CVSS 8.8
CVE-2026-20245 [HIGH] CISA Adds Cisco, Chrome, and Arista Flaws to KEV Catalog Amid Active Exploitation
## CISA Adds Cisco, Chrome, and Arista Flaws to KEV Catalog Amid Active Exploitation
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added three new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, following reports of active exploitation.
The list of vulnerabilities is as follows -
- CVE-2026-20245 (CVSS score: 7.8) - An improper encoding or escaping of output vulnerability in Cisco Catalyst SD-WAN Manager that could allow an authenticated, local attacker to execute arbitrary commands as root by supplying a crafted file to the affected system.
- CVE-2026-11645 (CVSS score: 8.8)
Hackernews
⚡ Weekly Recap: Instagram Account Hacks, Android Zero-Day, GitHub Worm and More
blogs_hackernews·2026-06-08·CVSS 8.4
CVE-2025-48595 [HIGH] ⚡ Weekly Recap: Instagram Account Hacks, Android Zero-Day, GitHub Worm and More
## ⚡ Weekly Recap: Instagram Account Hacks, Android Zero-Day, GitHub Worm and More
Monday again. The weekend was meant to be quiet. It wasn't. Last week had poisoned packages, a broken AI helper, and a worm tearing through repos. The ugly part: basic tricks still worked.
A chatbot got fooled. A bot token got leaked inside the malware. The same old mistakes showed up again. And while everyone chased the loud stuff, quieter attackers sat in inboxes for months, reading mail and stealing it bit by bit.
Lots to cover. Grab coffee. Read up.
## ⚡ Threat of the Week
Miasma Worm Hits 73 Microsoft GitHub Repositories in Supply Chain
Hackernews
Cisco Catalyst SD-WAN Manager CVE-2026-20245 Flaw Actively Exploited – No Patch Available
blogs_hackernews·2026-06-06·CVSS 10.0
CVE-2026-20245 [CRITICAL] Cisco Catalyst SD-WAN Manager CVE-2026-20245 Flaw Actively Exploited – No Patch Available
## Cisco Catalyst SD-WAN Manager CVE-2026-20245 Flaw Actively Exploited – No Patch Available
Cisco has warned that a high-severity security flaw impacting Catalyst SD-WAN Manager has come under active exploitation.
The vulnerability, tracked as CVE-2026-20245, carries a CVSS score of 7.8 out of a maximum of 10.0. It affects the following deployment types -
- On-Prem Deployment
- Cisco SD-WAN Cloud-Pro
- Cisco SD-WAN Cloud (Cisco Managed)
- Cisco SD-WAN for Government (FedRAMP)
"A vulnerability in the CLI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an authenticated, local attacker to execute arbitrary co
Bleepingcomputer
Cisco warns of unpatched SD-WAN zero-day exploited in attacks
blogs_bleepingcomputer·2026-06-05·CVSS 10.0
CVE-2026-20245 [CRITICAL] Cisco warns of unpatched SD-WAN zero-day exploited in attacks
## Cisco warns of unpatched SD-WAN zero-day exploited in attacks
## Sergiu Gatlan
On Thursday, Cisco warned of a high-severity, unpatched zero-day in the Cisco Catalyst SD-WAN Manager (tracked as CVE-2026-20245) actively exploited in attacks enabling root privilege escalation.
The zero-day flaw impacts all deployment types, including On-Prem Deployment, Cisco SD-WAN Cloud-Pro, Cisco SD-WAN Cloud (Cisco Managed), and Cisco SD-WAN for Government (FedRAMP).
In a Thursday advisory, Cisco said the issue stems from insufficient validation of user-supplied input, and it can allow local attackers with low privileges to execute arbitrary commands as root.
"An attacker could exploit this vulnerability by uploading a crafted file to the affected system. A successful exploit could allow the atta
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-privesc-4uxFrdzx
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa2-v69WY2SW
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-20245
Published: 2026-06-04
Added to CISA KEV: 2026-06-09
Exploited in the wild