Cisco Security Advisory
Published Date: June 5, 2026
CVE: CVE-2026-20245
Advisory Summary
⬢ Cisco Catalyst SD-WAN Manager Privilege Escalation Vulnerability – Critical Alert ⬢
A high-severity vulnerability (CVE-2026-20245) has been identified in the CLI of Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage). This flaw allows an authenticated local attacker with netadmin privileges to execute arbitrary commands as root by uploading a crafted file to the system. The root cause is insufficient validation of user-supplied input, enabling command injection and privilege escalation.
- Exploitation requires netadmin privileges, which implies valid credentials or prior exploitation of related vulnerabilities (CVE-2026-20182 or CVE-2026-20127).
- Cisco has recorded limited cases where attackers used this vulnerability to push unauthorized configuration changes to edge devices.
- No workaround exists; software updates that address this issue are not yet released.
- Customers must collect diagnostic data using the request admin-tech command from all control components before upgrading. This helps preserve potential indicators of compromise.
🛡️ Recommended Actions:
- Retain logs and review them meticulously, both before and after the upgrade, for indicators of compromise.
- If compromise is confirmed, Cisco TAC will provide specific remediation guidance beyond the software update.
- Verify edge device configurations for unauthorized changes following any exploitation attempt.
This advisory underscores the importance of timely patch management and monitoring of privileged accounts within SD-WAN environments. Organizations using Cisco Catalyst SD-WAN Manager should prioritize this update to mitigate risks of severe unauthorized control of their networks.
Reference: Vendor Advisory