CISCO Security Advisory
CVE: CVE-2026-20245
Advisory Summary
📅 Published Date: June 8, 2026
A critical vulnerability (CVE-2026-20245) has been identified in the CLI of Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage). This flaw enables an authenticated local attacker with netadmin privileges to execute arbitrary commands as the root user by uploading a specially crafted file, resulting in command injection and privilege escalation.
- Exploitation requires valid credentials or prior exploitation of related vulnerabilities (CVE-2026-20182 or CVE-2026-20127).
- Limited exploitation has already been observed, including unauthorized configuration changes to edge devices.
- No software patches are being released concurrently for this particular issue, and no workarounds exist.
- Cisco strongly advises immediate collection of “admin-tech” logs from all control components before upgrading to preserve indicators of compromise.
- After upgrading, verify device logs thoroughly for signs of compromise. If exploitation is confirmed, further remediation steps from Cisco TAC will be necessary since patching alone will not suffice.
- Refer to Cisco’s Catalyst SD-WAN Security Advisory published May 14, 2026, for fixed software versions and detailed guidance.
⚠️ Actionable Recommendations:
1. Execute the request admin-tech command on all control components to capture forensic data.
2. Upgrade to the fixed software release at the earliest possible time.
3. Thoroughly audit device configurations and system logs post-upgrade.
4. Contact Cisco TAC immediately if indicators of compromise are detected for tailored remediation.
This vulnerability underscores the critical need for privileged access controls and prompt patch management in SD-WAN environments to prevent unauthorized root-level access and potential network-wide impacts.
Reference: Vendor Advisory