Cisco SD-WAN 0-day exploited, no patch available (CVE-2026-20245)

A 0-day privilege escalation vulnerability (CVE-2026-20245) in Cisco Catalyst SD-WAN Manager that has yet to be patched by Cisco is being leveraged by attackers.


“To exploit this vulnerability, an attacker must have netadmin privileges on an affected system. This would require valid credentials or exploitation of CVE-2026-20182 or CVE-2026-20127. Cisco is not aware of successful exploitation by other methods,” the company shared on Thursday.

It also said that it has observed “limited cases where the exploitation of this bug resulted in a configuration change pushed to edge devices.”

About CVE-2026-20245

CVE-2026-20245, which affects the command-line interface of Cisco Catalyst SD-WAN Manager, stems from insufficient validation of user-supplied input.

Authenticated, local attackers can exploit it by uploading a crafted file to the affected system and thereby execute arbitrary commands as root.

As noted above, attackers must first gain authenticated access to the device, for example by exploiting another vulnerability like CVE-2026-20182, which the company observed being exploited as a zero-day in May 2026, or CVE-2026-20127, which has been leveraged by a “highly sophisticated” threat actor since 2023.

CVE-2026-20245 affects all Cisco SD-WAN deployment types: on-prem, Cloud-Pro, Cloud (Cisco Managed), and for Government (FedRAMP).

Remediation and investigation

The company credited Mandiant for reporting the vulnerability, and has provided indicators of compromise (specific log entries) that may point to exploitation.

Cisco is still working on pushing out patches for CVE-2026-20245 and there are no available workarounds.

The company’s current advice is that customers upgrade to the fixed software documented in the CVE-2026-20182 advisory, and verify the configuration of their edge devices.

(Cisco didn’t outright say that CVE-2026-20245 is being exploited in conjunction with those two authentication bypass vulnerabilities, but it seems likely.)

“To preserve possible indicators of compromise, customers should issue the request admin-tech command from each of the control components in the SD-WAN deployment before upgrading. After the admin-tech file has been collected, software should be upgraded at the earliest opportunity,” Cisco added.

“If the logs show indicators of compromise and the system is confirmed to be compromised, applying the software update alone will not resolve the vulnerability. In such cases, follow the specific remediation steps that will be provided by the Cisco Technical Assistance Center (TAC) to help secure the system.”
