
Cisco SD-WAN Root Vulnerability Exploited In Wild to Execute Commands as Root

Marcus Rodriguez
June 5, 2026 3 Min Read

A high-severity vulnerability within Cisco’s Catalyst SD-WAN Manager is actively being exploited in the wild, the company has confirmed. Attackers can leverage this flaw to execute arbitrary commands with root privileges.

The issue, tracked as CVE-2026-20245, carries a CVSS score of 7.8. According to Cisco's advisory, it stems from improper input validation in the Catalyst SD-WAN Manager command-line interface: user-supplied input is not sufficiently sanitized when an uploaded file is processed.

An authenticated attacker can exploit the weakness by uploading a specially crafted file. The unsanitized content triggers command injection on the underlying system and escalates the attacker's privileges to the root user.

Once root access is obtained, attackers can fully compromise the SD-WAN management plane, manipulate configurations, and potentially affect the edge devices it manages. Exploitation requires netadmin-level privileges, so the flaw cannot be triggered directly by unauthenticated actors.


However, Cisco warns that attackers may chain this vulnerability with other known flaws, such as CVE-2026-20182 or CVE-2026-20127, to gain the necessary access.

This significantly increases the risk in real-world environments where credential compromise or chained exploitation is feasible. Cisco’s Product Security Incident Response Team (PSIRT) confirmed that the vulnerability has already been exploited in limited attacks.

In observed cases, threat actors used the flaw to push unauthorized configuration changes to SD-WAN edge devices. This suggests post-exploitation activity aimed at persistence, lateral movement, or traffic manipulation within enterprise networks.

The vulnerability affects all Cisco Catalyst SD-WAN Manager deployments, including on-premises, Cisco SD-WAN Cloud, Cloud-Pro, and government (FedRAMP) deployments.

Systems exposed to the internet are considered at higher risk, especially if management interfaces are reachable externally. At the time of disclosure, Cisco had not released a software patch for this specific issue, and no workarounds were available.

In the interim, the company advises customers to upgrade to the fixed software versions referenced in its May 2026 advisory. A fix dedicated to CVE-2026-20245 itself is still pending.

Cisco has provided guidance to help organizations detect potential compromise. Administrators are urged to review /var/log/scripts.log for suspicious entries.

One indicator is an invocation of /usr/bin/vconfd_script_upload_tenant_list.sh with an unexpected file path, for example one pointing at a malicious CSV upload.

However, Cisco notes that the same script also appears in the log during legitimate tenant-list uploads, so each entry must be examined in context to avoid false positives.
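The following script is an added example, not Cisco tooling and not from the original article. It applies the detection guidance above to a scripts.log: it picks out invocations of /usr/bin/vconfd_script_upload_tenant_list.sh and flags those whose file argument contains shell metacharacters, path-traversal components, an unexpected extension, or a location outside an allowlisted upload directory. The log line layout, the sample log lines and the allowed directories are constructed assumptions for the example; adapt the regex and the allowlist to what your own scripts.log actually shows. Because legitimate uploads call the same script, a finding is a lead for analysis, not a verdict.

```python
"""Scan a Cisco Catalyst SD-WAN Manager scripts.log for suspicious
invocations of vconfd_script_upload_tenant_list.sh.

Added example; the log line format, sample lines and allowlist below
are assumptions, not Cisco documentation.
"""
import re
from dataclasses import dataclass, field
from typing import Iterable, List

# Script named in Cisco's detection guidance.
TARGET_SCRIPT = "/usr/bin/vconfd_script_upload_tenant_list.sh"

# Assumption: legitimate tenant-list uploads are .csv files under one of
# these directories. Tune to what your deployment shows in scripts.log.
ALLOWED_DIRS = ("/home/vmanage/uploads/", "/var/tmp/vmanage/")
ALLOWED_SUFFIXES = (".csv",)

# Characters that have no place in an uploaded file name and are typical
# of command injection through an unsanitized path.
SHELL_META = re.compile(r"[;&|`$<>(){}\r\n]")

# Constructed line layout: "<date> <time> <process>: exec <script> <args>".
# The real scripts.log layout may differ; adjust the regex to match it.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) .*?"
    r"(?P<script>/usr/bin/vconfd_script_\S+)(?: (?P<args>.*))?$"
)

# Constructed sample log: one legitimate upload, one unrelated script,
# one injection attempt via the file name, one traversal attempt.
SAMPLE_LOG = """\
2026-06-02 09:14:03 vconfd[2231]: exec /usr/bin/vconfd_script_upload_tenant_list.sh /home/vmanage/uploads/tenants.csv
2026-06-02 09:20:45 vconfd[2231]: exec /usr/bin/vconfd_script_reboot.sh now
2026-06-03 02:11:09 vconfd[2231]: exec /usr/bin/vconfd_script_upload_tenant_list.sh /tmp/x.csv;id
2026-06-03 02:13:27 vconfd[2231]: exec /usr/bin/vconfd_script_upload_tenant_list.sh /home/vmanage/uploads/../../../etc/cron.d/job.csv
"""


@dataclass
class Finding:
    timestamp: str
    args: str
    reasons: List[str] = field(default_factory=list)


def check_args(args: str) -> List[str]:
    """Return the reasons the script's arguments look unexpected (empty if none)."""
    # Any metacharacter means the argument may be an injection payload;
    # path checks are meaningless at that point, so report and stop.
    if SHELL_META.search(args):
        return ["shell metacharacter in arguments"]
    tokens = args.split()
    if not tokens:
        return ["script invoked without a file argument"]
    reasons: List[str] = []

    def add(reason: str) -> None:
        if reason not in reasons:
            reasons.append(reason)

    for tok in tokens:
        if ".." in tok.split("/"):
            add("path traversal component")
        if not tok.startswith(ALLOWED_DIRS):
            add("path outside allowed upload directories")
        if not tok.lower().endswith(ALLOWED_SUFFIXES):
            add("unexpected file extension")
    return reasons


def scan(lines: Iterable[str]) -> List[Finding]:
    """Return a Finding for every target-script invocation with unexpected arguments."""
    findings: List[Finding] = []
    for line in lines:
        m = LINE_RE.match(line.rstrip("\r\n"))
        if not m or m.group("script") != TARGET_SCRIPT:
            continue
        args = m.group("args") or ""
        reasons = check_args(args)
        if reasons:
            findings.append(Finding(m.group("ts"), args, reasons))
    return findings


if __name__ == "__main__":
    # Against a live system: scan(open("/var/log/scripts.log"))
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"{f.timestamp}  {f.args!r}  <- {', '.join(f.reasons)}")
```

Run it against a copy of /var/log/scripts.log taken from the admin-tech bundle rather than the live file, so the review does not disturb evidence. Every line it flags still needs a human to check who uploaded the file, when, and whether a tenant-list change was scheduled at that time.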

To support incident response, organizations are strongly advised to collect forensic data with the "request admin-tech" command before applying any upgrade.

This preserves evidence that may be needed to determine the extent of compromise. Cisco also recommends reviewing device configurations and logs after upgrading, because patching alone does not remediate a system that has already been breached.

If indicators of compromise are found, customers should engage Cisco TAC for guided remediation. Upgrading affected systems without removing persistence mechanisms and reverting unauthorized changes may leave the network exposed.

This vulnerability was reported by Mandiant, highlighting ongoing collaboration between vendors and threat intelligence teams in identifying active threats.

Given the active exploitation and lack of immediate fixes, organizations using Cisco SD-WAN should prioritize access control, monitoring, and log analysis to reduce risk while awaiting a permanent patch.
