{"id":1194,"date":"2026-06-06T05:31:39","date_gmt":"2026-06-06T05:31:39","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=1194"},"modified":"2026-06-06T05:31:39","modified_gmt":"2026-06-06T05:31:39","slug":"cisco-catalyst-sd-wan-manager-cve-2026-20245-flaw-actively-exploited-no-patch-available","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=1194","title":{"rendered":"Cisco Catalyst SD-WAN Manager CVE-2026-20245 Flaw Actively Exploited \u2013 No Patch Available"},"content":{"rendered":"<div>\n<p><span class=\"p-author\"><i class=\"icon-font icon-user\"><\/i><span class=\"author\">Ravie Lakshmanan<\/span><i class=\"icon-font icon-calendar\"><\/i><span class=\"author\">Jun 06, 2026<\/span><\/span><span class=\"p-tags\">Vulnerability \/ Network Security<\/span><\/p>\n<\/div>\n<div id=\"articlebody\">\n<p>Cisco has warned that a high-severity security flaw impacting Catalyst SD-WAN Manager has come under active exploitation.<\/p>\n<p>The vulnerability, tracked as <b>CVE-2026-20245<\/b>, carries a CVSS score of 7.8 out of a maximum of 10.0. 
It affects the following deployment types &#8211;<\/p>\n<ul>\n<li>On-Prem Deployment<\/li>\n<li>Cisco SD-WAN Cloud-Pro<\/li>\n<li>Cisco SD-WAN Cloud (Cisco Managed)<\/li>\n<li>Cisco SD-WAN for Government (FedRAMP)<\/li>\n<\/ul>\n<p>\u00abA vulnerability in the CLI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an authenticated, local attacker to execute arbitrary commands as root by supplying a crafted file to the affected system,\u00bb Cisco <a href=\"https:\/\/sec.cloudapps.cisco.com\/security\/center\/content\/CiscoSecurityAdvisory\/cisco-sa-sdwan-privesc-4uxFrdzx\">said<\/a> in an advisory.<\/p>\n<p>The network security company said the vulnerability is the result of insufficient validation of user-supplied input, which an attacker could exploit by uploading a crafted file to the affected system. This, in turn, could permit the attacker to perform command injection attacks and elevate their privileges as the root user.<\/p>\n<p>\u00abTo exploit this vulnerability, the attacker must have netadmin privileges on the affected system,\u00bb Cisco added. \u00abThis would require valid credentials or exploitation of CVE-2026-20182 or CVE-2026-20127. 
Cisco is not aware of successful exploitation by other methods.\u00bb<\/p>\n<p>CVE-2026-20182 (CVSS score: 10.0) was disclosed last month by Rapid7, which described it as an authentication bypass that could enable unauthenticated, remote attackers to obtain administrative privileges on susceptible systems. It&#8217;s also assessed to be similar to CVE-2026-20127, another case of authentication bypass impacting the same component.<\/p>\n<p>Both vulnerabilities have been exploited in the wild as zero-days, with a threat activity cluster dubbed UAT-8616 linked to the abuse of CVE-2026-20127 as far back as 2023.<\/p>\n<p>In its advisory released Thursday, Cisco said it observed limited cases where the exploitation of CVE-2026-20245 resulted in a configuration change pushed to edge devices. It credited Google Mandiant researchers Chester Sng, Pete Boonyakarn, and Logeswaran Nadarajan with discovering and reporting the new vulnerability. It is unknown who is behind the latest exploitation efforts.<\/p>\n<p>There are currently no patches or mitigations available for CVE-2026-20245. Customers are advised to upgrade their SD-WAN software to ensure they have applied the fixes released for CVE-2026-20182 on May 14, 2026.<\/p>\n<p>Cisco has also warned that internet-exposed systems are at heightened risk of compromise. 
To look for indicators of compromise (IoCs), users are advised to check the \u00ab\/var\/log\/scripts.log\u00bb file for entries like the following &#8211;<\/p>\n<pre><code>Apr 15 09:44:57 vmanage vScript: Tenant list upload per vsmart serial number: \/usr\/bin\/vconfd_script_upload_tenant_list.sh -cli path \/home\/admin\/malicious.csv vpn 0\n\nJun  5 13:06:39 Manager vScript: vSmart upload serial numbers: \/usr\/bin\/vconfd_script_upload_vsmart_serial_numbers.sh -cli path \/home\/admin\/vsmart_serial_numbers_safe.csv\n\nJun  5 13:08:47 Validator vScript: ZTP upload chassis numbers: \/usr\/bin\/vconfd_script_upload_chassis_number_file.sh -cli path \/home\/admin\/chassis_numbers_safe.csv<\/code><\/pre>\n<p>CVE-2026-20245 is the seventh flaw impacting Cisco SD-WAN to be flagged as actively exploited this year alone, after CVE-2026-20182, CVE-2026-20127, CVE-2026-20122, CVE-2026-20128, CVE-2026-20133, and CVE-2022-20775.<\/p>\n<p>The disclosure comes days after Cisco addressed another high-severity security flaw in Unified Communications Manager (CVE-2026-20230, CVSS score: 8.6), for which it said proof-of-concept exploit code is public. There is no evidence that the vulnerability has come under active exploitation.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Ravie Lakshmanan | Jun 06, 2026 | Vulnerability \/ Network Security | Cisco has warned that a high-severity security flaw impacting Catalyst SD-WAN Manager has come under active exploitation. 
The vulnerability, tracked as CVE-2026-20245, carries&hellip;<\/p>\n","protected":false},"author":1,"featured_media":1195,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[201,472,124,1936,128,70,473,348,125],"class_list":["post-1194","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-actively","tag-catalyst","tag-cisco","tag-cve202620245","tag-exploited","tag-flaw","tag-manager","tag-patch","tag-sdwan"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/1194","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1194"}],"version-history":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/1194\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/1195"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1194"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1194"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1194"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}