Mark0

Cisco warns of unpatched SD-WAN zero-day exploited in attacks

Cisco has warned of an unpatched high-severity zero-day vulnerability (CVE-2026-20245) in Catalyst SD-WAN Manager that is being actively exploited to escalate privileges to root. The flaw stems from insufficient input validation, which allows attackers with low privileges to perform command injection by uploading crafted files. The vulnerability affects various deployment models, including On-Prem, Cloud-Pro, and Government (FedRAMP) instances.

To successfully exploit this vulnerability, an attacker must first obtain netadmin privileges, potentially through other known flaws like CVE-2026-20182 or CVE-2026-20127. Cisco has observed limited instances where this bug resulted in unauthorized configuration changes on edge devices. While patches are not yet available, the company has provided indicators of compromise (IOCs) and advised administrators to monitor script logs for suspicious file uploads.