Cisco SD-WAN Zero-Day CVE-2026-20245: Active Exploitation with No Patch Available
Executive Summary
In June 2026, Cisco disclosed CVE-2026-20245, a high-severity zero-day vulnerability in its Catalyst SD-WAN Manager, which was actively exploited in the wild. This flaw allows authenticated attackers with netadmin privileges to upload crafted files and execute arbitrary commands as root, potentially compromising the entire SD-WAN infrastructure. The vulnerability affects all deployment types, including on-premises, Cloud-Pro, Cisco Managed Cloud, and FedRAMP environments. Notably, this marks the seventh SD-WAN zero-day exploited in 2026, highlighting a concerning trend of targeted attacks on Cisco's SD-WAN solutions. Organizations utilizing Cisco SD-WAN should prioritize mitigating this vulnerability by restricting and auditing netadmin accounts, isolating management interfaces, and monitoring for anomalous command executions. (thecybersignal.com)
Why This Matters Now
The active exploitation of CVE-2026-20245 underscores the urgency for organizations to reassess their network security posture, especially concerning SD-WAN deployments. With no patch currently available, immediate action is required to implement interim security measures and monitor for signs of compromise to protect critical infrastructure.
Attack Path Analysis
Attackers exploited a zero-day vulnerability in Cisco Catalyst SD-WAN Manager (CVE-2026-20245) to gain root access. They initially established unauthorized SD-WAN peering connections, likely using previously disclosed authentication bypass vulnerabilities. After gaining access, they changed the default admin account password, logged in to the SD-WAN Manager web interface, and extracted configuration information. They then exploited CVE-2026-20245 by uploading a malicious CSV file, creating a new root-level account named 'troot'. The attackers used anti-forensic tactics to evade detection, including restoring original configurations and deleting evidence of their activities.
Kill Chain Progression
Initial Compromise
Description
Attackers established unauthorized SD-WAN peering connections, likely exploiting authentication bypass vulnerabilities such as CVE-2026-20127 or CVE-2026-20182.
Related CVEs
CVE-2026-20245
CVSS 7.8A command injection vulnerability in the CLI of Cisco Catalyst SD-WAN Controllers allows authenticated local attackers with netadmin privileges to execute arbitrary commands as root by uploading a crafted file.
Affected Products:
Cisco Catalyst SD-WAN Manager – All versions prior to the fixed release
Cisco Catalyst SD-WAN Controller – All versions prior to the fixed release
Cisco Catalyst SD-WAN Validator – All versions prior to the fixed release
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Valid Accounts
Command and Scripting Interpreter: Unix Shell
Abuse Elevation Control Mechanism: Bypass User Account Control
Valid Accounts: Local Accounts
Indicator Removal on Host: File Deletion
Indicator Removal on Host: Timestomp
Impair Defenses: Disable or Modify Tools
Valid Accounts: Default Accounts
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components are protected from known vulnerabilities
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Identity
Control ID: Pillar 1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Telecommunications
Cisco SD-WAN zero-day exploitation creates critical infrastructure vulnerabilities, enabling privilege escalation and unauthorized network access in telecom service provider environments.
Information Technology/IT
Command injection attacks against SD-WAN managers compromise network segmentation controls, allowing lateral movement and root access across enterprise IT infrastructures.
Financial Services
Zero-day exploitation bypasses authentication controls violating PCI DSS requirements, exposing encrypted traffic flows and enabling data exfiltration in banking networks.
Health Care / Life Sciences
SD-WAN compromise threatens HIPAA compliance through unauthorized configuration changes, compromising patient data protection and encrypted healthcare network communications.
Sources
- Mandiant reveals how Cisco SD-WAN zero-day attacks gained root accesshttps://www.bleepingcomputer.com/news/security/mandiant-reveals-how-cisco-sd-wan-zero-day-attacks-gained-root-access/Verified
- Cisco Security Advisory: Privilege Escalation Vulnerability in Cisco Catalyst SD-WAN Controllershttps://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-privesc-4uxFrdzxVerified
- Zero-Day Exploitation of Vulnerability (CVE-2026-20245) in Cisco Catalyst SD-WAN Managerhttps://cloud.google.com/blog/topics/threat-intelligence/zero-day-exploitation-cisco-catalyst-sd-wan-managerVerified
- NVD - CVE-2026-20245https://nvd.nist.gov/vuln/detail/CVE-2026-20245Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Aviatrix Zero Trust CNSF is pertinent to this incident as it would likely have constrained the attacker's ability to move laterally and exfiltrate data by enforcing strict segmentation and identity-based access controls.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to establish unauthorized SD-WAN peering connections would likely have been constrained, reducing the risk of initial compromise.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges by creating a new root-level account would likely have been constrained, reducing the risk of unauthorized control.
Control: East-West Traffic Security
Mitigation: The attacker's ability to move laterally within the network would likely have been constrained, reducing the risk of further compromise.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to establish persistent control over the SD-WAN Manager would likely have been constrained, reducing the risk of ongoing unauthorized access.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's ability to exfiltrate sensitive configuration information would likely have been constrained, reducing the risk of data loss.
The attacker's ability to cover their tracks would likely have been constrained, reducing the risk of undetected malicious activity.
Impact at a Glance
Affected Business Functions
- Network Management
- Data Transmission
- Remote Access
Estimated downtime: 3 days
Estimated loss: $50,000
Potential exposure of network configurations and sensitive data transmitted over the SD-WAN.
Recommended Actions
Key Takeaways & Next Steps
- • Implement Zero Trust Segmentation to limit lateral movement and restrict unauthorized access.
- • Enhance East-West Traffic Security to monitor and control internal traffic flows.
- • Deploy Inline IPS (Suricata) to detect and prevent exploitation attempts.
- • Utilize Multicloud Visibility & Control to gain comprehensive insights into network activities.
- • Establish Threat Detection & Anomaly Response mechanisms to identify and respond to suspicious behaviors promptly.
