Cisco Security Advisory
Published Date: June 10, 2026
CVE: CVE-2026-20245
Advisory Summary
❗️ High Severity Vulnerability: Cisco Catalyst SD-WAN Privilege Escalation
Cisco has disclosed a critical authenticated privilege escalation vulnerability (CVE-2026-20245) in the CLI interfaces of Cisco Catalyst SD-WAN Controller (formerly SD-WAN vSmart), Manager (formerly SD-WAN vManage), and Validator (formerly SD-WAN vBond). The flaw stems from inadequate validation of user-supplied input, which allows a local attacker who already holds netadmin privileges to execute arbitrary root-level commands by uploading crafted files.
⚠️ Exploitation requires the attacker to have netadmin credentials, which may be obtained legitimately or through other vulnerabilities such as CVE-2026-20182 or CVE-2026-20127. Cisco is currently unaware of exploitation via alternative vectors but has observed limited incidents where attackers pushed unauthorized configuration changes to edge devices.
🛡️ Recommended Action:
- Prior to upgrading, collect admin-tech data from all SD-WAN control components using the “request admin-tech” command to preserve forensic evidence.
- After patching, thoroughly audit device logs for indicators of compromise. If signs of intrusion persist, contact Cisco TAC for specialized remediation guidance, as simple patching might not fully address a compromised environment.
- There are no effective workarounds available besides upgrading.
This advisory underscores the importance of tightly controlling netadmin credentials and maintaining vigilant monitoring in SD-WAN environments, given the elevated privileges that can be gained through this vulnerability.
Reference: Vendor Advisory