Cisco warned Thursday that attackers are actively exploiting a new flaw in its Catalyst SD-WAN Manager, the console administrators use to run as many as 6,000 network devices from a single dashboard. The company has not released a patch.
The vulnerability, CVE-2026-20245, carries a CVSS score of 7.8 (high). It lets an attacker who already holds netadmin access upload a crafted file and execute commands as root, giving full control of the system. Netadmin is the highest administrative role within the SD-WAN Manager application — but that’s the wrong layer to find reassuring. It’s admin inside the application, not on the operating system hosting it.
This flaw gives an attacker OS control (root), which sits above netadmin. From there the adversary can plant backdoors, disable logging, and cover their tracks. And netadmin itself isn’t hard to reach: Cisco says it can be obtained with stolen credentials or by chaining the two earlier authentication-bypass bugs, both rated 10.0 and both already under attack.
Cisco said it is not aware of successful exploitation via other methods. “Cisco has observed limited cases where the exploitation of this bug resulted in a configuration change pushed to edge devices,” Cisco said.
The bug stems from insufficient validation of user-supplied input and affects every deployment type — on-premises installs, Cisco-managed cloud, and the FedRAMP-authorized version used by U.S. government agencies.
Cisco said exploitation requires either valid credentials or the chaining of two earlier critical flaws, CVE-2026-20127 and CVE-2026-20182, both rated with a CVSS score of 10.0 and both listed in CISA’s Known Exploited Vulnerabilities catalog.
That makes this the third SD-WAN Manager weakness Cisco has disclosed in 2026, after a February information-disclosure bug and a May authentication bypass. The pieces fit together: bypass authentication with the older flaws, then escalate to root with the new one.
A February joint advisory from international cyber agencies, including CISA and the UK’s NCSC, warned that state-sponsored actors are actively exploiting these vulnerabilities to deploy rogue network peers and establish persistent, root-level access across corporate SD-WAN environments.
Cisco’s Talos team has tied exploitation of the related bugs to a threat actor it tracks as UAT-8616. In the limited cases it has observed, Cisco said successful attacks pushed unauthorized configuration changes down to SD-WAN edge devices — a quiet way to reshape how a network routes traffic without tripping obvious alarms.
There is no workaround. Cisco’s interim guidance is to apply the fix it shipped May 14 for the authentication-bypass flaw, which closes the easiest path to the netadmin access this attack needs. Administrators should also check Cisco’s published indicators of compromise for signs they have already been hit.