Cisco says a newly disclosed Catalyst SD-WAN Manager privilege-escalation flaw, tracked as CVE-2026-20245, has already been used in limited cases and does not yet have its own software fix. The bug lets an authenticated local attacker execute commands as root by uploading a crafted file, but Cisco says the attacker first needs netadmin access, valid credentials, or a path in through earlier SD-WAN flaws such as CVE-2026-20182 or CVE-2026-20127.[1]

The practical risk is not just a local shell. Cisco observed cases where exploitation led to a configuration change pushed to edge devices, which is the kind of control-plane impact SD-WAN operators need to treat as an incident, not a routine patch note.[1] NVD lists the flaw as high severity with a CVSS 3.1 score of 7.8 and confirms the local, low-privilege, no-user-interaction attack profile.[2]
What SD-WAN teams should check now
Cisco’s current guidance is unusually important because there are no workarounds and no dedicated CVE-2026-20245 patch yet. Instead, customers should upgrade to the fixed software documented in Cisco’s May 2026 Catalyst SD-WAN advisory for the related authentication-bypass issue and then verify edge-device configuration state.[1] That earlier flaw, CVE-2026-20182, is the same SD-WAN attack surface howtofix.guide covered in May after Cisco and CISA treated it as actively exploited.
Before upgrading, Cisco tells customers to preserve evidence by running the request admin-tech command from each SD-WAN control component. That matters because collecting logs after remediation can erase or rotate the evidence needed to confirm whether the control plane was abused.[1] Help Net Security also notes that the issue affects all Cisco SD-WAN deployment types, including on-premises, Cloud-Pro, Cisco-managed cloud, and FedRAMP environments.[3]
Administrators should treat CVE-2026-20245 as a chainable post-compromise bug. First, confirm whether any SD-WAN Manager, Controller, vSmart, or vBond components still need the May 2026 fixed releases for the SD-WAN authentication-bypass advisory.[4] Then review Cisco’s indicators of compromise, preserve admin-tech bundles, check for unexpected configuration pushes to edge devices, and open a Cisco TAC case if logs show compromise. Cisco warns that applying software updates alone will not clean up a confirmed compromised deployment.[1]
The story also fits a wider 2026 pattern: edge and communications infrastructure bugs are being chained quickly once attackers get a foothold. Recent howtofix.guide coverage of Cisco Unified CM CVE-2026-20230 and Palo Alto GlobalProtect CVE-2026-0257 shows why operators should watch authentication bypasses, admin interfaces, and management-plane logs as one incident surface, not isolated CVE tickets.
Bottom line: if your organization runs Cisco Catalyst SD-WAN, collect evidence first, move to the fixed May advisory releases as Cisco directs, and verify that edge-device configuration was not changed by an attacker. A clean patch status is useful; a clean control plane is the real goal.
References
- Cisco Security Advisory: Cisco Catalyst SD-WAN Manager Authenticated Privilege Escalation Vulnerability, first published June 4, 2026.
- NVD: CVE-2026-20245, published June 4, 2026.
- Help Net Security: Cisco SD-WAN 0-day exploited, no patch available, published June 5, 2026.
- Cisco Security Advisory: Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability, first published May 14, 2026.