What is Cisco Catalyst SD-WAN Manager?
Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage) is the centralized management, orchestration, and analytics plane for Cisco's SD-WAN fabric. It controls all edge router configuration, policy deployment, and monitoring across branch-office and WAN deployments — making it one of the highest-value targets in an enterprise network. Compromise of the SD-WAN Manager provides an attacker with visibility into and control over the entire WAN topology, including the ability to reroute traffic, exfiltrate routing configurations, or push malicious policy changes to all connected edge devices.
Overview
CVE-2026-20245 is a privilege escalation vulnerability in the CLI of Cisco Catalyst SD-WAN Manager, the Catalyst SD-WAN Controller (vSmart), and the Catalyst SD-WAN Validator (vBond). An authenticated attacker with netadmin-level access can supply a crafted file to the system that contains unsanitized shell metacharacters, which are then processed in a privileged context — resulting in arbitrary OS command execution as root. Mandiant observed this vulnerability actively exploited as part of a chain with authentication bypass zero-days (CVE-2026-20182 and the older CVE-2026-20127) that first obtained the netadmin session required to trigger the privilege escalation.
Affected Versions
| Product | Vulnerable Versions | Fixed Version |
|---|---|---|
| Catalyst SD-WAN Manager | ≤ 20.12.7.1, ≤ 20.15.4.4, ≤ 20.15.5.2, ≤ 20.18.3, ≤ 26.1.1.1 | 20.18.3.1, 26.1.1.2 |
| Catalyst SD-WAN Controller (vSmart) | Same version ranges | Same fixed versions |
| Catalyst SD-WAN Validator (vBond) | Same version ranges | Same fixed versions |
Patches for 20.12.x and 20.15.x branches were flagged as "future release" at time of advisory publication.
Technical Details
The root cause is insufficient encoding and escaping of user-controlled input passed to a privileged system-level process in the SD-WAN Manager CLI (CWE-116: improper encoding or escaping of output). An authenticated netadmin user can supply a crafted file containing shell metacharacters (e.g., backticks, semicolons, pipes, or command substitution sequences) that are interpolated without sanitization into a command executed with root privileges.
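The defect class described above (CWE-116, user-controlled text interpolated into a privileged shell command) is easiest to see side by side with its fix. The following is an added example written for this page; it is not Cisco's code and says nothing about the actual SD-WAN Manager implementation. The command path /usr/bin/processfile and the filename allowlist are assumptions chosen for illustration. The vulnerable pattern is only built as a string and tokenized the way a POSIX shell would, never executed; the hardened pattern validates the name against a strict allowlist and passes it as a single argv element with no shell involved.

```python
"""CWE-116 illustration: shell-string interpolation vs. argv passing (added example)."""
import re
import shlex
import subprocess
import sys

# Hypothetical privileged helper invoked on an uploaded file (assumption for this example).
PROCESSOR = "/usr/bin/processfile"

# Conservative allowlist for an uploaded file name: no shell metacharacters, no path separators.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


def unsafe_command_string(filename: str) -> str:
    """The vulnerable pattern: the user-controlled name is spliced into a shell command
    string without escaping. Returned as text only; this example never runs it."""
    return f"{PROCESSOR} {filename}"


def shell_tokens(command: str) -> list:
    """Tokenize a command string the way a POSIX shell would, including operators
    such as ';' and '|' (shlex with punctuation_chars models that behaviour)."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    return list(lexer)


def validate_filename(filename: str) -> bool:
    """Allowlist check: True only for names that cannot carry shell syntax."""
    return bool(SAFE_NAME.match(filename))


def safe_invoke(filename: str) -> str:
    """The hardened pattern: reject anything outside the allowlist, then pass the
    name as ONE argv element with shell=False so the OS never interprets it.
    A tiny Python child process stands in for the privileged helper and echoes
    back the single argument it received."""
    if not validate_filename(filename):
        raise ValueError("rejected file name: contains characters outside the allowlist")
    result = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1])", filename],
        check=True, capture_output=True, text=True,
    )
    return result.stdout.strip()


if __name__ == "__main__":
    # Constructed sample input: a benign name and one carrying a shell metacharacter.
    for name in ("report.txt", "report.txt; id"):
        print("shell would see:", shell_tokens(unsafe_command_string(name)))
        print("allowlist accepts:", validate_filename(name))
```

The tokenization of the second sample shows the ';' becoming an operator and "id" a separate command; the allowlist rejects that name before any process is spawned, and even a name that passed validation would reach the child as a single, uninterpreted argument.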
Real-world exploitation chain observed by Mandiant:
- Attacker exploits CVE-2026-20182 (auth bypass zero-day, May 2026) or CVE-2026-20127 (auth bypass, exploited since 2023) to obtain a netadmin session without valid credentials.
- With the netadmin session, the attacker uploads a crafted file to trigger CVE-2026-20245, achieving root-level OS command execution on the SD-WAN Manager appliance.
- Post-compromise: edge device configuration changes observed, consistent with network reconnaissance or persistent backdoor installation.
Attack characteristics:
- Attack vector: Local (requires a valid session — but auth bypass chain eliminates this prerequisite in practice)
- Privileges required: Low (netadmin)
- No workarounds exist — patching or network isolation are the only effective mitigations
Discovery
Reported by Mandiant (Google Cloud) researchers: Chester Sng, Pete Boonyakarn, and Logeswaran Nadarajan.
Exploitation Context
Actively exploited as a zero-day before patches were available, as part of a multi-stage chain with authentication bypass CVEs. Cisco's advisory described exploitation as "limited" and recommended preserving forensic state (request admin-tech) before patching. Observed impact included unauthorized edge device configuration changes. CISA added the vulnerability to the KEV catalog on June 9, 2026, with a June 23 patch deadline for federal agencies.
Remediation
- Upgrade to Cisco Catalyst SD-WAN Manager 20.18.3.1 or 26.1.1.2 immediately. Monitor Cisco's advisory for patches on 20.12.x and 20.15.x branches.
- Before upgrading, run request admin-tech on all SD-WAN control components to capture forensic logs; this snapshot may be essential for incident investigation.
- Also patch CVE-2026-20182 and CVE-2026-20127 — eliminating the authentication bypass prerequisites disrupts the exploit chain even before CVE-2026-20245 is patched.
- Restrict netadmin access to known trusted source IPs using ACLs on the management interface; enforce MFA for all administrative accounts.
- Network isolation: Apply network-level controls to prevent untrusted access to the SD-WAN Manager management plane.
- Review IoCs: Cisco's advisory includes specific log entry signatures for detecting prior exploitation — check logs before and after patching.
- There are no configuration workarounds for CVE-2026-20245 itself — patching or isolation are the only effective mitigations.
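The first remediation step is deciding which appliances in an inventory need the upgrade. The following added example (not from Cisco or from this advisory's authors) encodes the Affected Versions table above as a version check and runs it over a constructed inventory. It assumes the table is exhaustive for the branches it lists, merges the two 20.15 entries into a single bound of 20.15.5.2, and reports branches the table does not mention (for example 20.16 or 20.17) as needing a manual check against the advisory rather than guessing.

```python
"""Version triage for CVE-2026-20245 from the advisory's Affected Versions table (added example)."""

# Highest vulnerable release per branch, keyed by (major, minor). Assumption: the
# table on this page is complete for these branches; 20.15.4.4 and 20.15.5.2 are
# merged into the single bound 20.15.5.2.
VULNERABLE_MAX = {
    (20, 12): (20, 12, 7, 1),
    (20, 15): (20, 15, 5, 2),
    (20, 18): (20, 18, 3),
    (26, 1): (26, 1, 1, 1),
}

# First fixed release per branch. 20.12 and 20.15 have no fix listed ("future release").
FIXED = {
    (20, 18): (20, 18, 3, 1),
    (26, 1): (26, 1, 1, 2),
}


def parse_version(text: str) -> tuple:
    """'20.18.3.1' -> (20, 18, 3, 1). Tuple comparison gives correct ordering,
    including 20.18.3 < 20.18.3.1."""
    return tuple(int(part) for part in text.strip().split("."))


def assess(version_text: str) -> str:
    """Classify one software version against the advisory table."""
    version = parse_version(version_text)
    branch = version[:2]
    if branch not in VULNERABLE_MAX:
        return "not-listed"          # branch absent from the table: verify against the advisory
    if version <= VULNERABLE_MAX[branch]:
        return "vulnerable"
    fixed = FIXED.get(branch)
    if fixed is not None and version >= fixed:
        return "fixed"
    return "not-listed"              # above the vulnerable bound but no listed fix: verify manually


def needs_action(inventory: dict) -> dict:
    """Given {hostname: version}, return only hosts that are vulnerable or unverified,
    mapped to the recommended next step."""
    actions = {}
    for host, version_text in inventory.items():
        state = assess(version_text)
        if state == "vulnerable":
            branch = parse_version(version_text)[:2]
            target = FIXED.get(branch)
            actions[host] = (
                "upgrade to " + ".".join(map(str, target)) if target
                else "no fix listed for this branch; isolate management plane and monitor advisory"
            )
        elif state == "not-listed":
            actions[host] = "version not in advisory table; confirm status manually"
    return actions


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up for this example.
    sample = {
        "vmanage-hq": "20.18.3",
        "vsmart-1": "20.18.3.1",
        "vbond-1": "20.15.4.4",
        "vmanage-lab": "26.1.1.2",
        "vsmart-dc2": "20.17.1",
    }
    for host, step in needs_action(sample).items():
        print(f"{host}: {step}")
```

Run the block as-is to see the sample inventory triaged; in practice the dictionary would be built from the versions each controller reports, and the "not-listed" outcome is deliberate so that a branch the table omits is never silently treated as safe.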
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2026-20245 |
| Vendor / Product | Cisco — Catalyst SD-WAN Manager |
| NVD Published | 2026-06-04 |
| NVD Last Modified | 2026-06-10 |
| CVSS 3.1 Score | 7.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-116 |
| CISA KEV Added | 2026-06-09 |
| CISA KEV Deadline | 2026-06-23 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2026-06-04 | CVE published; Cisco Security Advisory released |
| 2026-06-09 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2026-06-10 | NVD last modified; patches begin rolling out (20.18.3.1, 26.1.1.2) |
| 2026-06-23 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Cisco Security Advisory — cisco-sa-sdwan-privesc-4uxFrdzx | Vendor Advisory |
| NVD — CVE-2026-20245 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |