On Thursday, Cisco warned of a high-severity, unpatched zero-day in Cisco Catalyst SD-WAN Manager (tracked as CVE-2026-20245) that is being actively exploited in attacks enabling root privilege escalation.
The zero-day flaw impacts all deployment types, including On-Prem Deployment, Cisco SD-WAN Cloud-Pro, Cisco SD-WAN Cloud (Cisco Managed), and Cisco SD-WAN for Government (FedRAMP).
In a Thursday advisory, Cisco said the issue stems from insufficient validation of user-supplied input, and it can allow local attackers with low privileges to execute arbitrary commands as root.
“An attacker could exploit this vulnerability by uploading a crafted file to the affected system. A successful exploit could allow the attacker to perform command injection attacks on an affected system and elevate their privileges as the root user,” the company explained.
“To exploit this vulnerability, the attacker must have netadmin privileges on the affected system. This may require valid credentials or exploitation of CVE-2026-20182 or CVE-2026-20127,” it added. “Cisco is not aware of successful exploitation by other methods. Cisco has observed limited cases where the exploitation of this bug resulted in a configuration change pushed to edge devices.”
Formerly known as SD-WAN vManage, this network management software helps admins monitor and manage up to 6,000 Catalyst SD-WAN devices from a single dashboard.
Cisco’s Product Security Incident Response Team (PSIRT) became aware of CVE-2026-20245 exploitation in June after Google Cloud cybersecurity subsidiary Mandiant reported the flaw but didn’t share any details.
However, it shared indicators of compromise (IOCs), warning admins to check their SD-WAN /var/log/scripts.log file for attempts to upload tenant configuration files to vSmart controllers to escalate privileges through legitimate commands, as in the following example:
Apr 15 09:44:57 vmanage vScript: Tenant list upload per vsmart serial number: /usr/bin/vconfd_script_upload_tenant_list.sh -cli path /home/admin/malicious.csv vpn 0
“For help determining if a Cisco Catalyst SD-WAN Manager has been compromised, customers may open a case with the Cisco TAC,” the company added, advising admins first to collect admin-tech files to help with the review.
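The log check described above, as an added example that is not Cisco's or the article's code: a Python scan of scripts.log lines for invocations of the upload script named in the IOC. The line layout is inferred from the single example line, and every sample line other than that one is constructed.

```python
import re
import sys

# Script named in Cisco's IOC example. Matching on the script name rather than
# the free-text prefix keeps the check independent of the message wording.
IOC_SCRIPT = "vconfd_script_upload_tenant_list.sh"
# Assumed layout (inferred from the one example line): "<Mon DD HH:MM:SS> <host> vScript: <msg>"
HEADER_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+vScript:")
ARGS_RE = re.compile(r"-cli\s+path\s+(?P<path>\S+)(?:\s+vpn\s+(?P<vpn>\d+))?")

# Constructed sample input: line 2 follows the article's example, the rest are made up.
SAMPLE_LOG = [
    "Apr 15 09:40:12 vmanage vScript: constructed unrelated entry",
    "Apr 15 09:44:57 vmanage vScript: Tenant list upload per vsmart serial number: "
    "/usr/bin/vconfd_script_upload_tenant_list.sh -cli path /home/admin/malicious.csv vpn 0",
    "Apr 15 09:45:03 vmanage vScript: /usr/bin/vconfd_script_upload_tenant_list.sh",
    "malformed line without a header",
]


def find_tenant_list_uploads(lines):
    """Return one record per line that invokes the tenant-list upload script."""
    hits = []
    for lineno, raw in enumerate(lines, start=1):
        if IOC_SCRIPT not in raw:
            continue
        rec = {"lineno": lineno, "ts": None, "host": None, "path": None, "vpn": None}
        header = HEADER_RE.match(raw.strip())
        if header:
            rec["ts"], rec["host"] = header["ts"], header["host"]
        args = ARGS_RE.search(raw)
        if args:  # a hit without a parsable path is still reported for manual review
            rec["path"], rec["vpn"] = args["path"], args["vpn"]
        hits.append(rec)
    return hits


if __name__ == "__main__":
    # Pass a copy of /var/log/scripts.log as the first argument; without one, use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            log_lines = fh.readlines()
    else:
        log_lines = SAMPLE_LOG
    for hit in find_tenant_list_uploads(log_lines):
        print(f"line {hit['lineno']}: {hit['ts']} host={hit['host']} file={hit['path']} vpn={hit['vpn']}")
```

Because the script is a legitimate command, a hit is a lead to review (which file was uploaded and when), not proof of compromise.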
Security patches not yet available
Last month, Cisco also tagged a maximum-severity Catalyst SD-WAN Controller authentication bypass flaw (CVE-2026-20182) as actively exploited as a zero-day to gain administrative privileges on unpatched devices.
While Cisco has not yet released patches for CVE-2026-20245, it advised customers to upgrade to the software fixed for CVE-2026-20182 on May 14.
In February, Cisco patched another Catalyst SD-WAN Manager information disclosure security flaw (CVE-2026-20133), which CISA flagged as actively exploited in late April, and, two weeks later, warned that two more flaws (CVE-2026-20128 and CVE-2026-20122) were being abused in the wild.
In March, it also addressed and flagged a critical authentication-bypass vulnerability (CVE-2026-20127) that has been exploited in zero-day attacks since at least 2023.
Over the last several years, CISA has tagged 90 Cisco vulnerabilities as abused in the wild, 4 of them in Cisco Catalyst SD-WAN Manager and 6 others exploited by ransomware operations.