Cisco SD-WAN zero-day: Catalyst SD-WAN Manager patch promised, exploitation ongoing for at least a week
CVE-2026-20245 is being actively used, but Cisco says a fix is coming later, not now.

Cisco has issued an advisory for a high-severity zero-day in its Catalyst SD-WAN Manager, tracked as CVE-2026-20245, which Switchzilla says attackers have exploited for at least the last week. Cisco has not provided a patch date, instead directing customers to upgrade to a fixed release for related issues and contact Cisco TAC for help.
Cisco just put sysadmins in the crosshairs again: a high-severity Cisco Catalyst SD-WAN Manager vulnerability, tracked as CVE-2026-20245, is under attack and Cisco has not announced when it will patch it. Cisco issued an advisory for the vulnerability on Thursday, and the flaw has been exploited for at least the last week, according to the reporting. The problem is a validation error: the software fails to properly validate user-supplied input.
Here is the part that matters for leadership and incident response teams: an authenticated, local attacker can exploit CVE-2026-20245 by uploading a specially crafted file. From there, they can escalate privileges and execute commands with root privileges. Cisco says the vulnerability affects all versions of the SD-WAN software, regardless of device configuration, and across all deployment types, including on-premises, cloud-based, and FedRAMP-certified deployments. In other words, “we are configured differently” is not a strategy here.
Cisco says it became aware of attacks against this vulnerability in June, and it is specific about what an attacker needs. “To exploit this vulnerability, an attacker must have netadmin privileges on an affected system,” the vendor said. That would require valid credentials or exploitation of CVE-2026-20182 or CVE-2026-20127. Cisco also says it is not aware of successful exploitation by other methods. The operational implication is uncomfortable but clear: the new zero-day may be gated by access, but credentials are often the weak link in real environments, and the source notes they are “not hard to find (or buy) online.”
Cisco declined to answer The Register’s questions and instead sent a statement via email. Cisco recommends customers upgrade to the fixed software released in May 2026 for CVE-2026-20182 as a protective measure, but it does not give a date for when a patch for CVE-2026-20245 itself will be provided. Cisco’s statement also tells customers needing assistance to contact Cisco TAC. That “patch later” gap is the headline for boards and risk committees, because it creates a timeline problem. Even if exploitation requires netadmin privileges, you still have to assume credentials might already be sitting inside your network, in a shared admin account, an over-permissioned service, a stale credential, or a system exposed to a bad actor.
This incident is not happening in isolation. The Register notes it is the sixth SD-WAN vulnerability listed as under attack since the start of the year, and the second zero-day in two months. In May, Switchzilla disclosed a max-severity “make-me-admin” bug, CVE-2026-20182, affecting Catalyst SD-WAN Controller and Manager, warning attackers had already found and exploited the hole before it issued a patch. A month earlier, America’s lead cyber-defense agency said three Cisco Catalyst SD-WAN Manager bugs, CVE-2026-20128, CVE-2026-20133, and CVE-2026-20122, were under attack, and gave federal agencies just four days to patch. Cisco fixed all three in late February and later warned of attackers abusing two of them in March.
The story stretches further back too. In February, Cisco patched a max-severity improper authentication flaw, CVE-2026-20127, affecting the same SD-WAN software, which prompted a Five Eyes countries’ joint intelligence alert urgently warning defenders to patch it, plus an older SD-WAN vulnerability, CVE-2022-20775, or risk root takeover. At the time, the UK’s lead cyber agency said: “Malicious cyber threat actors are targeting Cisco Catalyst SD-WAN used by organizations globally.” It added that these actors were compromising SD-WANs to add a malicious rogue peer and then perform follow-on actions to achieve root access and maintain persistent access.
And just to keep the pressure on, the source says that while CVE-2026-20245 is not listed as under active exploitation (yet) in every case, Cisco warned on Wednesday about a proof-of-concept exploit for CVE-2026-20230, a critical bug in its Unified Communications Manager that allows attackers to gain root privileges. The second-order takeaway is simple: if your organization runs Cisco SD-WAN and adjacent Cisco infrastructure, your exposure surface is not a single patch checklist. It is a continuing stream of privilege-escalation paths, some requiring credentials and some making the path to root easier than you want.
For executives overseeing uptime, compliance, and audit outcomes, the strategic stake is this: “no patch date” turns a vulnerability from a planned remediation into an active risk management problem. When a root path is on the table and exploitation is already underway, the board question stops being “will we patch?” and becomes “what are we doing right now to reduce the chance our credentials get used against us, and how quickly can we restore safety once the patch finally lands?”