Cisco SD-WAN Manager Hit by 7th Zero-Day of 2026, No Patch

Cisco disclosed CVE-2026-20245, a command injection zero-day in Catalyst SD-WAN Manager enabling root access via file upload, with no patch available.

    Cisco disclosed the seventh Catalyst SD-WAN zero-day exploited in 2026 — CVE-2026-20245, a command injection flaw in Cisco Catalyst SD-WAN Manager that allows an attacker with netadmin privileges to upload specially crafted files and execute arbitrary commands as root. No patch is available and Cisco has not identified a workaround.

    Seven Exploited Catalyst SD-WAN Vulnerabilities Signal Sustained Threat Actor Interest

    Mandiant (Google Cloud) discovered CVE-2026-20245 while observing limited exploitation in the wild and reported it to Cisco. Cisco confirmed the activity and disclosed that in the cases it had observed, attackers had used their elevated position to push configuration changes to edge devices managed by the compromised SD-WAN Manager. That capability extends the attack’s blast radius well beyond the management platform: an adversary with root access to a Catalyst SD-WAN Manager can alter routing behavior, inject backdoor connectivity paths, and modify security enforcement policies across every edge device in the organization’s WAN architecture — potentially spanning dozens or hundreds of branch locations.

    The prior six zero-days confirmed exploited in 2026 include CVE-2026-20182 (patched in May), CVE-2026-20127, CVE-2026-20128, CVE-2026-20122, CVE-2026-20133, and CVE-2022-20775. Seven actively exploited vulnerabilities in a single Cisco product line within one calendar year points to deliberate, sustained attacker investment in SD-WAN infrastructure — a class of network control plane that, when compromised at root level, provides persistent visibility into and control over an organization’s entire wide-area connectivity.

    How CVE-2026-20245 Chains with Prior Cisco SD-WAN Flaws CVE-2026-20182 and CVE-2026-20127

    CVE-2026-20245 requires netadmin privileges as an exploitation precondition, and Cisco’s advisory explicitly names two earlier SD-WAN vulnerabilities — CVE-2026-20182 and CVE-2026-20127 — as mechanisms for obtaining that access. The result is a documented chained attack path: an adversary who established initial access to a Catalyst SD-WAN Manager through one of those prior flaws and maintained persistence can proceed directly to root-level command execution through CVE-2026-20245 without requiring any additional external foothold.

    Cisco’s characterization of the exploitation outcome as “configuration changes pushed to edge devices” is significant for detection: attacker activity is designed to appear as legitimate administrative operations. In environments without strict change management baselines, scheduled maintenance windows, and configuration drift monitoring, unauthorized edge device changes introduced through this exploitation pathway may not generate distinct security alerts.

    All Deployment Types Affected, Including FedRAMP: No Patch Available

    Every Catalyst SD-WAN Manager deployment architecture falls within the advisory’s scope: On-Premises, SD-WAN Cloud-Pro, Cisco SD-WAN Cloud (Cisco Managed), and SD-WAN for Government (FedRAMP). Cisco has not published a workaround and states that a fix will be included in a future Catalyst SD-WAN Manager release without specifying a timeline.

    Detection Guidance While Awaiting a Cisco Catalyst SD-WAN Manager Fix

    Cisco directs administrators to review /var/log/scripts.log for suspicious tenant configuration upload attempts — the log source that captures the file upload component of the exploitation chain. Because the confirmed exploitation outcome is configuration changes on edge devices rather than solely activity on the SD-WAN Manager itself, comprehensive detection requires auditing edge device change histories against known maintenance windows. Configuration modifications that cannot be attributed to approved administrative activity should be treated as potential indicators of compromise.
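As an added example (not code from Cisco's advisory or from this article), the following Python script performs the maintenance-window audit described above: it flags edge device configuration changes that no approved window covers and groups them by actor so that a batch of pushes to many branches stands out. The change-history layout, device names, actor names and ticket ids are constructed for illustration; the real export format of SD-WAN Manager change records is not given on the page.

```python
from datetime import datetime, timezone
from collections import defaultdict

# Constructed sample change history exported from the manager:
# (UTC timestamp, actor, edge device, change description)
CHANGE_HISTORY = [
    ("2026-06-02T01:15:00Z", "ops-jsmith", "branch-edge-03", "template push: routing policy"),
    ("2026-06-02T02:03:00Z", "ops-jsmith", "branch-edge-05", "template push: software upgrade"),
    ("2026-06-03T14:47:00Z", "netadmin",   "branch-edge-17", "template push: security policy"),
    ("2026-06-03T14:48:00Z", "netadmin",   "branch-edge-22", "template push: security policy"),
]

# Constructed sample of approved maintenance windows: (start, end, change ticket)
MAINTENANCE_WINDOWS = [
    ("2026-06-02T01:00:00Z", "2026-06-02T04:00:00Z", "CHG-1042"),
]


def parse_ts(raw: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp of the form used in the samples above."""
    return datetime.strptime(raw, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def window_for(ts: datetime):
    """Return the ticket of the maintenance window covering ts, or None."""
    for start, end, ticket in MAINTENANCE_WINDOWS:
        if parse_ts(start) <= ts <= parse_ts(end):
            return ticket
    return None


def unattributed_changes(history=CHANGE_HISTORY):
    """Changes with no covering maintenance window, in original order."""
    return [
        {"time": raw_ts, "actor": actor, "device": device, "change": desc}
        for raw_ts, actor, device, desc in history
        if window_for(parse_ts(raw_ts)) is None
    ]


def changes_by_actor(history=CHANGE_HISTORY):
    """Map each actor to the set of edge devices it changed outside any window."""
    grouped = defaultdict(set)
    for finding in unattributed_changes(history):
        grouped[finding["actor"]].add(finding["device"])
    return dict(grouped)


if __name__ == "__main__":
    for actor, devices in changes_by_actor().items():
        print(f"{actor}: unattributed pushes to {sorted(devices)}")
```

Every entry the script reports should be reconciled against an approved change before it is dismissed; an actor touching several branches in one burst outside any window is the pattern the advisory's "configuration changes pushed to edge devices" describes.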

    Federal and Regulated Environments: CVE-2026-20245 Reporting Obligations

    Organizations running Catalyst SD-WAN in FedRAMP, FISMA, or other regulated frameworks should evaluate whether the combination of confirmed active exploitation and the absence of a patch or workaround triggers mandatory reporting or incident response requirements under their authority to operate conditions. The explicit inclusion of SD-WAN for Government as an affected deployment type places this vulnerability within scope for federal civilian and defense network operators, where authority to operate conditions often specify notification thresholds tied to unmitigated critical and high-severity vulnerabilities under active exploitation.

    The seven-zero-day accumulation in Cisco Catalyst SD-WAN across 2026 makes a compelling case for accelerated network segmentation reviews: organizations that have not isolated their SD-WAN Manager administrative interfaces from general network access should treat that separation as an immediate operational priority rather than a roadmap item.
