Cisco warns customers of an actively exploited high-severity vulnerability in Catalyst SD-WAN Manager, an enterprise network management system that has been targeted by hackers multiple times in the past. Located in the command-line interface, the flaw allows authenticated attackers to escalate privileges to root and take over the entire system.
The vulnerability, tracked as CVE-2026-20245, is rated 7.8 (high) on the CVSS scale instead of critical because it requires local access and netadmin privileges to exploit. These privileges can be obtained via stolen credentials or by exploiting authentication bypass flaws, such as CVE-2026-20245 or CVE-2026-20127, which were fixed in May and February, respectively.
The older authentication bypass flaws were exploited by a cyberespionage threat actor that Cisco Talos tracks as UAT-8616. It’s not clear whether the new vulnerability was exploited by the same group as part of its campaigns against enterprise SD-WAN deployments, but it was reported to Cisco by Google’s Mandiant division, which specializes in incident response.
“This vulnerability is due to insufficient validation of user-supplied input,” Cisco said in its advisory. “An attacker could exploit this vulnerability by uploading a crafted file to the affected system. A successful exploit could allow the attacker to perform command injection attacks on an affected system and elevate their privileges as the root user.”
Mitigation
While a patch is not yet available, Cisco recommends upgrading to the latest available version to ensure the previous authentication bypass exploits don’t work. Customers should also check the configuration of their edge devices because the company has observed cases where exploitation of this flaw resulted in configuration changes.
Before upgrading SD-WAN deployments, users are advised to save all relevant log files and issue the request admin-tech command to collect the admin-tech file from each of the control components.
Cisco has published indicators of compromise that should be visible in the scripts.log file in /var/log/. However, it’s hard to distinguish malicious command calls from legitimate ones in the logs, so if the indicators of compromise are present, customers should contact the Technical Assistance Center.
“If the logs show indicators of compromise and the system is confirmed to be compromised, applying the software update alone will not resolve the vulnerability,” the company said. “In such cases, follow the specific remediation steps that will be provided by the Cisco Technical Assistance Center (TAC) to help secure the system.”