Cisco SD-WAN 7th Zero-Day 2026: CVE-2026-20245 Exploited, No Fix

Abhishek Gautam, 8 min read

Quick summary

Cisco confirmed its 7th SD-WAN zero-day of 2026 — CVE-2026-20245 — is being actively exploited with no patch or workaround available, affecting every deployment type including FedRAMP.

Cisco disclosed CVE-2026-20245 on June 5, 2026 — the seventh SD-WAN zero-day the company has disclosed in 2026 — with confirmation that exploitation has already occurred in the wild. The vulnerability allows an authenticated attacker with netadmin privileges to upload a crafted file to Cisco Catalyst SD-WAN Manager and escalate to root command execution on the device. No patch is available. No workaround has been identified. Every Cisco Catalyst SD-WAN deployment type is affected, including FedRAMP cloud environments used by US federal agencies.

That "seventh of 2026" number matters more than the individual CVE. It means attackers have spent the entire year systematically mapping and exploiting the Cisco SD-WAN attack surface — and that Cisco's patching cycle has not kept pace with the research being done against it.

What CVE-2026-20245 Does

CVE-2026-20245 is a command injection vulnerability in the command-line interface of Cisco Catalyst SD-WAN Manager. An attacker who has already obtained netadmin-level credentials can upload a specially crafted file through the CLI interface. The file triggers a command injection that executes arbitrary commands with root privileges on the underlying operating system.

Root access on an SD-WAN Manager is not a limited-scope compromise. SD-WAN Manager is the control plane for the entire enterprise network fabric it manages. With root on the Manager, an attacker can push configuration changes to all connected edge devices, modify routing policies, intercept or redirect traffic flows, extract VPN keys, and disable or reconfigure security policies across the enterprise network.

Cisco PSIRT learned of active exploitation in June 2026; the disclosure was accelerated because exploitation was already underway rather than discovered after a patch had shipped. The confirmed impact includes at least some instances where configuration changes were pushed to edge devices from the compromised Manager.

The Attack Chain: How Attackers Are Building to CVE-2026-20245

The vulnerability requires netadmin credentials to trigger. That authentication requirement is less protective than it sounds, because two prior 2026 Cisco SD-WAN CVEs — CVE-2026-20182 and CVE-2026-20127 — provide a path to netadmin-level access from lower privilege levels.

The attack chain is: initial access to the SD-WAN environment (phishing, VPN credential theft, or third-party compromise) → exploit CVE-2026-20182 or CVE-2026-20127 to gain netadmin → exploit CVE-2026-20245 to reach root on SD-WAN Manager → push malicious configuration changes to all edge devices.

This three-step chain is characteristic of sophisticated actors who have done sustained research on a specific product. Opportunistic attackers do not build multi-step chains through enterprise network control software. The pattern suggests a threat actor with a specific objective: persistent access to large enterprise network infrastructure, not opportunistic malware deployment.

Who Is Affected: Every Deployment Type

Cisco's advisory confirms CVE-2026-20245 affects all Cisco Catalyst SD-WAN Manager deployment models:

On-premises installations — standard enterprise deployments running SD-WAN Manager within corporate data centers.

Cloud-Pro deployments — Cisco's cloud-hosted SD-WAN Manager offering, where Cisco manages the infrastructure but customers control the configuration.

Cisco Managed Cloud — fully managed service where Cisco operates the SD-WAN management plane on behalf of the customer.

FedRAMP environments — US federal government agencies using Cisco Catalyst SD-WAN under FedRAMP authorization. This is the highest-impact category because FedRAMP deployments underpin classified and sensitive unclassified federal network infrastructure.

There is no exempted deployment model. Every organization running Cisco Catalyst SD-WAN Manager should treat their environment as potentially compromised until a patch is available and applied.

No Patch, No Workaround: What Cisco Is Saying

Cisco confirmed there is no patch available as of the disclosure date, June 5, 2026. Cisco also confirmed no workaround exists that fully mitigates the vulnerability. Cisco's guidance centers on hardening the attack surface while a fix is developed:

  • Restrict CLI access to SD-WAN Manager to trusted management network segments only, not the general corporate network.
  • Audit all netadmin accounts for legitimacy and rotate credentials for any account that may have been exposed in prior incidents.
  • Monitor CLI session logs for file upload activity, particularly uploads that did not originate from a known administrator workstation.
  • Review edge device configuration history for changes that were not initiated by a known administrator session.

These steps reduce the attack surface but do not close the vulnerability. A determined attacker who has already obtained netadmin credentials through a prior compromise can still exploit CVE-2026-20245 if the CLI is accessible.

Hardening Steps While You Wait for a Fix

For network and security teams managing Cisco Catalyst SD-WAN environments, the practical actions to take now fall into four categories.

Network segmentation: Move SD-WAN Manager interfaces to a dedicated out-of-band management network. If the management plane is only reachable from a jump server or bastion host, the file upload exploitation path narrows significantly. Most SD-WAN Manager deployments have management reachable from a broad network segment — that needs to change immediately.

Credential hygiene: Audit every account with netadmin privilege on SD-WAN Manager. Netadmin is not a common access level — if you have more than five or ten accounts at that level, the footprint is larger than it needs to be. Revoke netadmin on any account that does not require it for active operations. Rotate credentials on the accounts that remain.

Log monitoring: Enable and forward CLI audit logs from SD-WAN Manager to your SIEM. Specifically build detection rules for: file uploads during CLI sessions, netadmin logins from new source IPs, and configuration pushes to edge devices outside of your normal change window.

FedRAMP-specific: If you operate under FedRAMP, the incident handling procedures require notification of the Authorizing Official (AO) when a KEV-listed or actively exploited vulnerability is disclosed for an in-scope system. Begin that notification process now even without confirmed exploitation in your environment.
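The log-monitoring step above names three detections (file uploads during CLI sessions, netadmin logins from new source IPs, and configuration pushes outside the change window) and the credential-hygiene step asks for an inventory of netadmin accounts. The script below is an added example, not code from the article or from Cisco, showing how those rules look once written down against a log feed. The log format, the field names, the account names, the source IPs and the change window are all constructed for illustration; a real deployment would map the parser onto the field names that SD-WAN Manager actually exports to the SIEM.

```python
"""Added example: triage rules for SD-WAN Manager CLI audit logs.

The key=value log format below is CONSTRUCTED for this example and is not
Cisco's real audit log format; the parser is the part to adapt.
"""
from dataclasses import dataclass
from datetime import datetime, time

# Constructed sample: one benign admin session, one suspicious session from an
# unknown source that uploads a file and pushes config at 02:50 UTC, and an
# operator login that carries no netadmin privilege.
CONSTRUCTED_LOG = """\
2026-06-05T09:12:04Z user=admin01 role=netadmin event=login src=10.20.0.15 session=s1
2026-06-05T09:13:30Z user=admin01 role=netadmin event=cli_file_upload src=10.20.0.15 session=s1 file=backup.tar
2026-06-05T02:41:10Z user=admin02 role=netadmin event=login src=198.51.100.77 session=s2
2026-06-05T02:42:55Z user=admin02 role=netadmin event=cli_file_upload src=198.51.100.77 session=s2 file=update.bin
2026-06-05T02:50:01Z user=admin02 role=netadmin event=config_push src=198.51.100.77 session=s2 target=edge-branch-14
2026-06-05T14:05:00Z user=ops03 role=operator event=login src=10.20.0.22 session=s3
2026-06-05T15:00:00Z user=admin01 role=netadmin event=config_push src=10.20.0.15 session=s1 target=edge-branch-02
"""

# Hypothetical baseline: workstation addresses each admin normally connects from.
KNOWN_ADMIN_SOURCES = {"admin01": {"10.20.0.15"}, "admin02": {"10.20.0.40"}}
# Hypothetical approved change window, 14:00-17:00 UTC.
CHANGE_WINDOW = (time(14, 0), time(17, 0))


@dataclass
class Event:
    ts: datetime
    fields: dict


@dataclass
class Alert:
    rule: str
    severity: str
    user: str
    detail: str


def parse_log(text: str) -> list[Event]:
    """Parse '<iso-timestamp> key=value ...' lines into Event records."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts_str, *kvs = line.split()
        ts = datetime.fromisoformat(ts_str.replace("Z", "+00:00"))
        fields = dict(kv.split("=", 1) for kv in kvs)
        events.append(Event(ts, fields))
    return events


def in_change_window(ts: datetime, window=CHANGE_WINDOW) -> bool:
    start, end = window
    return start <= ts.time() < end


def detect(events: list[Event], known_sources=KNOWN_ADMIN_SOURCES,
           window=CHANGE_WINDOW) -> list[Alert]:
    """Apply the three detections from the article's log-monitoring step."""
    alerts = []
    for e in events:
        f = e.fields
        user, role, src, kind = f.get("user"), f.get("role"), f.get("src"), f.get("event")
        known = src in known_sources.get(user, set())
        if kind == "login" and role == "netadmin" and not known:
            alerts.append(Alert("netadmin-login-new-source", "high", user,
                                f"login from {src}"))
        elif kind == "cli_file_upload":
            # Every CLI upload is worth a look; an unknown source raises severity.
            sev = "high" if not known else "medium"
            alerts.append(Alert("cli-file-upload", sev, user,
                                f"{f.get('file')} uploaded from {src}"))
        elif kind == "config_push" and not in_change_window(e.ts, window):
            alerts.append(Alert("config-push-outside-window", "high", user,
                                f"target={f.get('target')} at {e.ts.isoformat()}"))
    return alerts


def netadmin_accounts(events: list[Event]) -> list[str]:
    """Inventory of accounts observed acting with the netadmin role."""
    return sorted({e.fields["user"] for e in events
                   if e.fields.get("role") == "netadmin"})


if __name__ == "__main__":
    evs = parse_log(CONSTRUCTED_LOG)
    print("netadmin accounts seen:", netadmin_accounts(evs))
    for a in detect(evs):
        print(f"[{a.severity}] {a.rule}: {a.user} {a.detail}")
```

Run against the constructed sample, the script reports the benign upload at medium severity and three high-severity alerts for the second session: the login from an unlisted address, the upload from that address, and the configuration push at 02:50 UTC outside the window. Seeding the known-source baseline from the jump host or bastion addresses that the segmentation step leaves as the only permitted path is what turns the second rule from noisy to useful.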

Our Analysis: What Seven Zero-Days in One Year Tells You About the SD-WAN Attack Surface

Seven disclosed zero-days in six months against a single product line is not a coincidence or bad luck. It is evidence of sustained, targeted vulnerability research.

SD-WAN control planes are extremely high-value targets for nation-state actors and advanced persistent threat groups. They are the single administrative interface for large enterprise and government network infrastructure. Compromise at the SD-WAN Manager level gives the same visibility as being inside every network segment simultaneously — it is the most efficient path to persistent enterprise-wide network access.

The pattern we are seeing with Cisco SD-WAN in 2026 mirrors what happened with Pulse Secure VPN in 2020-2021 and Citrix ADC in 2019-2020. A product category becomes known as a soft target; researchers and threat actors pile in; the vendor discloses vulnerabilities faster than they can patch them because the pressure is asymmetric. Attackers need to find one working chain. Cisco needs to close every path.

For organizations with Cisco SD-WAN, the strategic decision is now whether to treat this as a patchable vulnerability backlog or a product-level risk worth addressing through vendor diversification. Seven zero-days in one year is the kind of track record that changes procurement conversations.

Key Takeaways

  • CVE-2026-20245 — command injection in Cisco Catalyst SD-WAN Manager CLI enabling root access via crafted file upload
  • 7th SD-WAN zero-day of 2026 — systematic exploitation pattern, not an isolated incident
  • No patch, no workaround — Cisco confirmed active exploitation before disclosure was even completed
  • All deployment types affected — on-premises, Cloud-Pro, Cisco Managed Cloud, and FedRAMP environments
  • Attack chain: CVE-2026-20182/20127 to netadmin → CVE-2026-20245 to root → edge device configuration compromise
  • For DevOps and network teams: segment SD-WAN Manager to out-of-band management networks, audit netadmin accounts, and build CLI file upload detection rules immediately
  • What to watch: Cisco patch release timeline and whether CISA adds CVE-2026-20245 to the Known Exploited Vulnerabilities catalog, which would trigger federal agency mandatory patch deadlines

Sources

  • Cisco Security Advisory: Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability (cisco-sa-sdwan-rpa-EHchtZk)
  • BleepingComputer: Cisco warns of unpatched SD-WAN zero-day exploited in attacks (June 2026)
  • SecurityWeek: Cisco Warns of 7th SD-WAN Zero-Day Exploited in 2026
  • Help Net Security: Cisco SD-WAN 0-day exploited, no patch available — CVE-2026-20245 (June 5, 2026)
  • SOC Prime: CVE-2026-20245 analysis and detection rules

Frequently Asked Questions

What does CVE-2026-20245 allow an attacker to do on Cisco SD-WAN?

CVE-2026-20245 allows an authenticated attacker with netadmin privileges to upload a crafted file to Cisco Catalyst SD-WAN Manager and trigger command injection that escalates to root on the device. With root access on SD-WAN Manager, an attacker can push configuration changes to all connected edge devices, intercept traffic, extract VPN keys, and modify routing policies across the enterprise network.

Is there a patch for CVE-2026-20245?

No. As of the disclosure date of June 5, 2026, Cisco confirmed no patch is available and no workaround fully mitigates the vulnerability. Cisco disclosed the vulnerability before a patch was ready because exploitation was already occurring in the wild. Organizations should restrict CLI access to trusted management segments, audit netadmin accounts, and monitor for file upload activity while waiting for a fix.

Why is this the 7th Cisco SD-WAN zero-day in 2026?

Seven zero-days in a single product line within six months indicates sustained, targeted vulnerability research by sophisticated actors. Cisco SD-WAN Manager is a high-value target because it controls the entire enterprise network fabric — root access here is equivalent to access to every network segment simultaneously. The pattern mirrors what happened to Pulse Secure VPN and Citrix ADC in prior years.

Are FedRAMP government cloud environments affected by CVE-2026-20245?

Yes. Cisco confirmed that all Cisco Catalyst SD-WAN deployment types are affected, explicitly including FedRAMP environments. US federal agencies using Cisco Catalyst SD-WAN under FedRAMP authorization should begin Authorizing Official notification procedures and apply management plane network segmentation immediately.

What credentials does an attacker need to exploit CVE-2026-20245?

The attacker needs netadmin-level credentials on Cisco Catalyst SD-WAN Manager. Netadmin is not the highest privilege level but is above standard operator access. Attackers can reach netadmin by chaining two earlier 2026 Cisco SD-WAN vulnerabilities — CVE-2026-20182 and CVE-2026-20127 — before applying CVE-2026-20245 for root escalation.


Written by

Software Engineer based in Delhi, India. Writes about AI models, semiconductor supply chains, and tech geopolitics — covering the intersection of infrastructure and global events. 824+ posts cited by ChatGPT, Perplexity, and Gemini. Read in 164 countries.