June 8, 2026
Cisco’s SD-WAN Zero-Day Has No Patch. Attackers Already Know This.
SecureRoot Risk Advisory LLP
CVE-2026-20245 is being actively exploited right now. Here is what it is, how it works, and the exact steps your team should take before Monday morning.
On June 4, 2026, Cisco confirmed what Mandiant had already reported: a zero-day vulnerability in Cisco Catalyst SD-WAN Manager was being actively exploited in the wild. The flaw, tracked as CVE-2026-20245, allows an authenticated attacker to run arbitrary commands as root on the device that controls your entire SD-WAN deployment. There is no patch. There is no workaround.
This is not the first Cisco SD-WAN vulnerability exploited in 2026. It is the seventh. That context matters more than the CVE itself.
What CVE-2026-20245 Actually Is
Cisco Catalyst SD-WAN Manager, formerly called vManage, is the central controller for Cisco's SD-WAN platform. Think of it as the brain. It configures every edge device on your network, manages routing policies, pushes firmware updates and controls traffic flows across branches. Whoever controls vManage controls your WAN.
CVE-2026-20245 is a command injection vulnerability in the CLI file-upload functionality of that controller. The system fails to properly validate user-supplied input when a file is uploaded. An attacker exploiting this can embed OS commands inside a crafted file, and when the system processes it, those commands execute as root.
The access requirement is netadmin-level privileges. That sounds limiting. It is not, for two reasons covered in the next section.
Every deployment model is affected: on-premises, SD-WAN Cloud-Pro, Cisco Managed Cloud and FedRAMP (Government). There is no safe version to downgrade to. The patch has not shipped as of this writing.
Why "They Need Credentials First" Is Not Reassuring
The most common pushback on CVE-2026-20245 is that it requires authenticated access. That is technically correct and practically misleading.
Two of the six preceding SD-WAN zero-days exploited in 2026 provide unauthenticated paths to netadmin access. CVE-2026-20182, a maximum-severity authentication bypass patched on May 14, 2026, lets an attacker reach admin privileges without valid credentials. CVE-2026-20127, a critical authentication bypass that has been actively exploited since at least 2023, does the same.
If your environment still has either of those unpatched, the credential requirement for CVE-2026-20245 is irrelevant. An attacker chains them.
Even if both are patched, credential theft through phishing, reused passwords or compromised VPN accounts remains the most common initial access vector in enterprise breaches globally. Netadmin credentials are targeted specifically.
The threat actor cluster UAT-8616 has been exploiting Cisco SD-WAN vulnerabilities since at least 2023. Three years of access to enterprise network management planes, running quietly, before the campaign was properly characterised. This is patient, state-linked activity. The kind that does not trip your alerting because it is not moving fast.
The Attack in Four Steps
Understanding the mechanics helps you focus on where to look and what to close.
Step 1
Obtain netadmin access. Through stolen credentials, phishing, or chaining CVE-2026-20182 or CVE-2026-20127 if either is unpatched in your environment.
Step 2
Upload a crafted file. The attacker uploads a file through the CLI interface of vManage. The file appears legitimate. The broken input validation does not detect the embedded payload.
Step 3
Command injection fires. The file is processed by scripts on the system, including vconfd_script_upload_tenant_list.sh. Insufficient input sanitisation allows the embedded shell commands to execute. Privileges escalate to root.
Step 4
Edge devices are compromised. A single vManage instance manages up to 6,000 SD-WAN edge devices. With root on vManage, an attacker can push configuration changes to every router, every branch, simultaneously, in silence. Cisco confirmed it has observed this happening in limited exploitation cases already.
This is not a server compromise. It is a WAN takeover.
The Log File You Need to Check Today
Cisco has provided specific indicators of compromise. Before doing anything else, open a terminal on your vManage host and examine:
LOG FILE TO AUDIT
/var/log/scripts.log
Look for entries containing:
MALICIOUS IOC PATTERN
vconfd_script_upload_tenant_list.sh -cli path /home/admin/[filename].csv vpn 0
Any call to this script that references a CSV file your team did not place in /home/admin/ is a strong indicator of active exploitation. Also look for unexpected files in that directory and for edge device configuration changes pushed outside your normal maintenance windows.
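As an added example (not Cisco's tooling and not part of the original advisory), a small Python triage script that applies the IOC pattern above to scripts.log and flags every call to the upload script whose CSV path is not on an operator-maintained allowlist of files the team placed in /home/admin/. The sample log lines, timestamps and the allowlist are constructed; the real file is read with `triage_file`.

```python
import re
from typing import Iterable

# The published IOC: the upload script invoked with -cli path pointing at a CSV under /home/admin/.
IOC_PATTERN = re.compile(
    r"vconfd_script_upload_tenant_list\.sh\s+-cli\s+path\s+"
    r"(?P<path>/home/admin/\S+\.csv)\s+vpn\s+0"
)

def triage_scripts_log(lines: Iterable[str], expected_csvs: set[str]) -> list[dict]:
    """One finding per IOC hit; 'suspicious' is True when the CSV is not on the allowlist.
    expected_csvs is an operator-maintained allowlist (assumed) of CSV files the team
    itself placed in /home/admin/. Any other path matching the IOC is flagged.
    """
    findings = []
    for lineno, line in enumerate(lines, start=1):
        m = IOC_PATTERN.search(line)
        if not m:
            continue  # not an upload-script invocation with a CSV argument
        path = m.group("path")
        findings.append({
            "line": lineno,
            "path": path,
            "suspicious": path not in expected_csvs,
        })
    return findings

def triage_file(expected_csvs: set[str], path: str = "/var/log/scripts.log") -> list[dict]:
    """Run the triage over the real log file on a vManage host."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return triage_scripts_log(fh, expected_csvs)

# Constructed sample of scripts.log content, not a real capture. Timestamps are illustrative.
SAMPLE_LOG = """\
2026-06-03 02:14:07 vconfd_script_upload_tenant_list.sh -cli path /home/admin/tenants_q2.csv vpn 0
2026-06-03 02:14:09 vconfd_script_upload_tenant_list.sh exit 0
2026-06-06 23:41:55 vconfd_script_upload_tenant_list.sh -cli path /home/admin/x.csv vpn 0
2026-06-06 23:42:01 some_other_script.sh -cli path /home/admin/x.csv vpn 0
"""
EXPECTED = {"/home/admin/tenants_q2.csv"}  # constructed allowlist: files the team placed itself

def suspicious_paths(log_text: str = SAMPLE_LOG, expected_csvs: set[str] = EXPECTED) -> list[str]:
    """CSV paths from IOC hits that the team did not place; a non-empty result means escalate to IR."""
    return [f["path"] for f in triage_scripts_log(log_text.splitlines(), expected_csvs)
            if f["suspicious"]]

if __name__ == "__main__":
    for f in triage_scripts_log(SAMPLE_LOG.splitlines(), EXPECTED):
        print("SUSPICIOUS" if f["suspicious"] else "expected  ", f"line {f['line']}:", f["path"])
```

A hit on a CSV you did not place is the trigger for preserving the admin-tech file and engaging incident response, not for patching or cleaning up.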
CRITICAL: READ THIS BEFORE YOU PATCH
If your logs show exploitation, installing the future patch will not clean the environment. A compromised system needs incident response and recovery guidance from Cisco TAC. The patch only closes the door. It does not eject whoever is already inside. Generate an admin-tech file before touching anything and preserve it as forensic evidence.
Why This Is Historically Different
Six SD-WAN zero-days before this one, all exploited in 2026. Some are older bugs, some are fresh: CVE-2026-20127 exploited since 2023, CVE-2026-20133 flagged by CISA, CVE-2026-20128 and CVE-2026-20122 both confirmed exploited, CVE-2026-20182 observed as a zero-day in May, CVE-2022-20775 from 2022 flagged again this year, and now CVE-2026-20245.
This is not a list of accidental bugs. It is the profile of a sustained, targeted campaign against a platform that controls a significant share of enterprise WAN infrastructure globally.
The reason SD-WAN management is such a high-value target is structural. Management-plane compromise does not need to defeat your security controls. It owns the system that configures them. Traffic can be intercepted, rerouted or inspected at the source. Security policies can be quietly disabled. Persistence can be established across thousands of endpoints from one command.
Most enterprise security programmes invest heavily in the data plane, the traffic that flows through the network. The management plane, the systems that control the data plane, gets far less scrutiny. That gap is exactly what this campaign is exploiting.
What to Do Right Now
There is no patch. That does not mean you are without options.
• Check logs first. Before anything else, examine /var/log/scripts.log for the IOC pattern above. If exploitation has already occurred, knowing this before you make changes is essential. You cannot patch your way out of an active compromise.
• Apply the CVE-2026-20182 fix if you have not. Cisco's May 14 advisory for the companion authentication bypass is the best available mitigation for CVE-2026-20245. It eliminates one chaining path. Verify your vManage version against that advisory; do not assume the fix is applied.
• Audit and reduce netadmin accounts. Check who holds netadmin privileges. Disable any accounts that are not actively used. Enable multi-factor authentication on every account that remains. This raises the cost of the first step in the attack chain.
• Isolate the management plane. If your vManage interface is reachable from the internet or from untrusted internal segments, change that today. Put it behind a dedicated jump host with session logging enabled. This is not a temporary measure tied to this CVE. It is correct architecture.
• Watch Cisco PSIRT for the patch. Subscribe to Cisco's security advisory feed. When the fix for CVE-2026-20245 ships, treat deployment as a scheduled priority with a deadline, not a task that queues behind other work.
Frequently Asked Questions
Does our vManage need to be internet-facing for this to be a risk?
No. The vulnerability requires authenticated access, but authentication can be obtained through internal lateral movement, a compromised VPN account or a breached endpoint. An attacker with a foothold anywhere in your network who can reach the vManage interface can attempt this exploit.
We patched CVE-2026-20182 in May. Are we fully protected?
You have removed one chaining path into CVE-2026-20245, which is meaningful. But the vulnerability itself is still present in all versions, and an attacker with stolen netadmin credentials does not need to chain anything. The CVE-2026-20182 patch is necessary. It is not sufficient on its own.
How do we confirm we were not already compromised?
Start with /var/log/scripts.log and the IOC pattern described above. Check /home/admin/ for unexpected files. Pull the configuration change history on edge devices and look for changes outside normal maintenance windows. If anything looks unusual, engage your incident response team before drawing conclusions. A more thorough forensic review may be needed.
Will installing the future patch fix a compromise that happened before it ships?
No. Cisco has explicitly stated this. A patch removes the vulnerability from the software. It does not remove persistence mechanisms, modified configurations or backdoor accounts an attacker may have installed after achieving root. A compromised environment needs incident response first, then the patch. Both, in that order.
Get a Network Security Assessment from SecureRoot
Not sure if your SD-WAN environment is exposed?
SecureRoot conducts rapid network security assessments and incident response engagements for enterprises across India, with specific experience in SD-WAN and management-plane security.
Schedule a 30-minute scoping call at secureroot.co/Contact and we will provide an initial exposure snapshot within two working days.
SecureRoot Risk Advisory LLP provides Vulnerability Assessment and Penetration Testing (VAPT), GRC, SOC and incident response services to mid-market and enterprise organisations across India. For enquiries, visit secureroot.co.