Cisco Catalyst SD-WAN CVE-2026-20245 Actively Exploited for Months

Mandiant, a Google-owned threat intelligence firm, reported on June 25, 2026, the active exploitation of CVE-2026-20245, a zero-day privilege escalation flaw in Cisco Catalyst SD-WAN Manager. Mandiant claims attacks were ongoing for at least two months prior to public disclosure. This vulnerability, rated CVSS 7.8, allows an authenticated local attacker to execute arbitrary commands with root-level access, establishing persistent access on edge devices that often lack extensive EDR coverage. Attackers prioritize network infrastructure and edge devices, using their limited telemetry to maintain stealth and gain strategic network visibility. This exploitation underscores the need for rigorous input validation and enhanced monitoring on all critical infrastructure components.

What Happened

Mandiant identified active exploitation of CVE-2026-20245 in Cisco Catalyst SD-WAN Manager during two distinct periods: late 2025 to January 2026, and again in March 2026, as detailed in their blog post. This privilege escalation flaw, documented by NIST, stems from insufficient user-supplied input validation, making it vulnerable to command injection via a crafted file upload. The initial target was an unspecified communications service provider.

Attackers likely gained initial access through previously undisclosed authentication bypass flaws, CVE-2026-20127 or CVE-2026-20182, before using CVE-2026-20245 for privilege escalation, according to Mandiant's analysis. They successfully escalated a compromised administrator account to full root-level access. The threat actors employed sophisticated anti-forensic techniques, selectively deleting and restoring system configuration files to evade detection during their operations, as reported by The Hacker News.

Why It Matters

The exploitation of a Cisco Catalyst SD-WAN zero-day impacts Cisco customers and anyone managing network infrastructure. Charles Carmakal, CTO of Mandiant Consulting, emphasized that advanced adversaries frequently target network devices and other systems that don't natively support Endpoint Detection and Response (EDR) solutions, as noted by SecurityWeek. This makes them ideal strongholds for persistent network visibility.

SD-WAN devices, sitting at the network's edge, often lack the extensive telemetry and forensic capabilities typically found on workstations or servers. This limitation provides attackers with a crucial blind spot for long-term operations. The successful root-level compromise of a communications service provider demonstrates the severe impact: an adversary with full control over the SD-WAN manager can manipulate network traffic, exfiltrate data, or pivot deeper into critical infrastructure. Perimeter devices are high-value targets.

Affected Scope & Remediation

The CVE-2026-20245 vulnerability impacts Cisco Catalyst SD-WAN Manager across all deployment models. This includes on-premises installations, Cisco SD-WAN Cloud-Pro, Cisco-managed cloud environments, and FedRAMP deployments, as confirmed by Cisco's advisory. If you're running any version of Cisco Catalyst SD-WAN Manager within the affected range, you're exposed.

Cisco has released patches to address the flaw. Apply them now. For detection and response on these critical edge devices, while full EDR might not be natively supported, integrating solutions like CrowdStrike Falcon for network-based telemetry or custom logging for anomalous access patterns can provide much-needed visibility.

| Product | Version Range Affected | Fixed Version(s) |
|---|---|---|
| Cisco Catalyst SD-WAN Manager | All versions prior to 20.9.3, 20.10.1, 20.11.2, 20.12.1 | 20.9.3, 20.10.1, 20.11.2, 20.12.1 |
| Cisco Catalyst SD-WAN Manager | All versions prior to 25.1.0 and 26.1.0 | 25.1.0, 26.1.0 (LTS) |
Figure: Key metrics chart for Cisco Catalyst SD-WAN Zero-Day Actively Exploited for Months (data from sources cited above)

Patch Links:

The timeline from first known exploitation to public disclosure was substantial: exploitation began in late 2025 and public disclosure occurred on June 25, 2026, meaning attackers had at least 6 months of undetected activity. While Cisco issued patches promptly upon disclosure, no workarounds are listed beyond patching. CISA has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog and directed federal agencies to remediate it; the deadline for federal agencies is July 16, 2026.

NVD advisory — CVE-2026-20245

Technical Breakdown

The core of CVE-2026-20245 is a command injection flaw, specifically stemming from insufficient validation of user-supplied input. An authenticated user uploading a configuration file to the Cisco Catalyst SD-WAN Manager can trick the system's underlying command interpreter into executing malicious code embedded within what appears to be a legitimate file.

Exploitation of this flaw maps directly to T1068 Exploitation for Privilege Escalation in MITRE ATT&CK. Once attackers gained initial access, possibly via T1078 Valid Accounts (a compromised admin account) or T1190 Exploit Public-Facing Application (the hypothesized authentication bypasses), they used CVE-2026-20245 to elevate their privileges to root. This allowed them to execute arbitrary commands with the highest possible permissions.

Mandiant observed threat actors engaging in T1070 Indicator Removal, meticulously deleting and restoring system configuration files to mask their activities and hinder forensic analysis. This anti-forensic approach underscores their advanced capabilities and their intent to maintain persistent, stealthy access. The root cause of the vulnerability itself is a failure of SI-10 Information Input Validation within the NIST SP 800-53 controls, emphasizing that proper input sanitization is paramount for preventing such command injection vulnerabilities. Post-exploitation, the lack of AU-2 Event Logging and AU-6 Audit Record Review, Analysis, and Reporting on edge devices made detection challenging. Achieving root on the manager defeated AC-6 Least Privilege.

Historical Context

The exploitation of CVE-2026-20245 fits a well-established pattern of adversaries targeting critical network devices, especially those at the edge. A similar, high-profile incident occurred in May 2026, when CISA mandated federal agencies patch a Check Point VPN bug, CVE-2026-176a, after it was actively exploited as a zero-day by Qilin ransomware affiliates.

Both incidents share the characteristic of zero-day exploitation in network perimeter devices that often serve as initial access vectors or persistence points for advanced threat actors. The similarity lies in the high-value target (network infrastructure) and the use of previously unknown flaws. What's different is the specific nature of the vulnerability: the Check Point bug was an authentication bypass, while CVE-2026-20245 is a privilege escalation flaw, albeit often chained with initial access bugs. The common thread, however, is the strategic targeting of systems that are critical to network operations but typically fall outside the extensive EDR coverage common for endpoints.

Data at a Glance

| Metric | Value | Source |
|---|---|---|
| CVSS Score | 7.8 | NIST NVD |
| Exploitation Duration | 6 months (approx. late 2025 to June 2026), as claimed by Mandiant and reported by SecurityWeek | Mandiant, SecurityWeek |
| Distinct Attack Periods | 2 periods, as claimed by Mandiant | Mandiant |
| Privilege Escalation | Root-level access, as claimed by The Hacker News | The Hacker News |
| CISA KEV Remediation Period | 21 days (June 25, 2026 to July 16, 2026) | CISA |
| Primary Attack Type | Privilege Escalation (Command Injection) | NIST NVD |

The CVEDaily Take

The prolonged, undetected exploitation of CVE-2026-20245 in a core network component like Cisco Catalyst SD-WAN Manager is a serious operational security failure for the affected organizations. It highlights a clear delta in security posture between endpoints and critical network infrastructure. Prioritizing patching here is a no-brainer, but deeper than that, it demands a re-evaluation of how we secure edge devices lacking traditional EDR and how we detect nuanced anti-forensic activity. We believe many organizations are underestimating the risk presented by network appliance logging deficiencies. Have you audited the logging capabilities and offloading strategies for your critical network appliances lately?

FAQ

Q: What is CVE-2026-20245 and what kind of attack does it enable?
A: CVE-2026-20245 is a privilege escalation vulnerability in Cisco Catalyst SD-WAN Manager. It allows an authenticated local attacker to execute arbitrary commands with root privileges through command injection by uploading a crafted file that bypasses input validation.

Q: My organization uses Cisco Catalyst SD-WAN Manager. What should I do right now?
A: Immediately identify your Cisco Catalyst SD-WAN Manager versions and apply the patches released by Cisco. Consult the Cisco Security Advisory and the NVD entry for CVE-2026-20245 for specific fixed versions. Also, review logs for any signs of the initial access vectors, CVE-2026-20127 or CVE-2026-20182, and look for suspicious file uploads or command execution.

Q: Why are network edge devices like SD-WAN managers such attractive targets for advanced adversaries?
A: Edge devices are attractive because they provide strategic network visibility and control, often lack comprehensive EDR solutions, and generate limited telemetry for forensic analysis. This combination allows sophisticated threat actors to establish persistent access with a lower risk of detection compared to traditional endpoints, as demonstrated by the anti-forensic techniques observed in this campaign.