Cisco discloses exploited Catalyst SD-WAN Manager zero-day CVE-2026-20245 with no patch yet

Cisco says attackers are exploiting a new zero-day in Catalyst SD-WAN Manager, and affected organizations do not yet have a patch. The flaw, CVE-2026-20245, is a command-injection vulnerability in the command-line interface that lets an authenticated local attacker with netadmin privileges execute arbitrary commands as root by uploading a crafted file. Cisco said exploitation has been limited, but it observed cases where attackers pushed configuration changes to edge devices, and it has published indicators of compromise.
Why it matters: Organizations running Cisco Catalyst SD-WAN Manager face an actively exploited flaw that can give attackers full control of the system, with no fix available yet. Defenders should urgently check Cisco's indicators of compromise, restrict and review privileged access, hunt for abuse of related SD-WAN flaws, and prepare to patch as soon as Cisco releases updates.

Sources

CISA Adds Cisco, Chrome, and Arista Flaws to KEV Catalog Amid Active Exploitation
The Hacker News 2026.06.10 92% relevant
This source updates the same Cisco event by saying CISA added CVE-2026-20245 to KEV amid active exploitation, which strengthens the operational urgency for organizations running Catalyst SD-WAN Manager while waiting for a vendor fix and applying available mitigations.
Cisco Catalyst SD-WAN Manager CVE-2026-20245 Flaw Actively Exploited – No Patch Available
The Hacker News 2026.06.06 99% relevant
This article covers the same underlying event: Cisco's disclosure that CVE-2026-20245 in Catalyst SD-WAN Manager is being exploited in the wild and currently lacks an available fix.
Yet another Cisco SD-WAN 0-day under attack, and no patch in sight
2026.06.05 98% relevant
This article is a direct report on the same event: Cisco's disclosure that CVE-2026-20245 in Catalyst SD-WAN Manager is being exploited in the wild with no patch available. It adds reporting detail that exploitation appears to date back at least a week, that all versions and deployment types including FedRAMP are affected, and that Cisco says attackers would need netadmin access or exploitation of CVE-2026-20182 or CVE-2026-20127.
Cisco warns of unpatched SD-WAN zero-day exploited in attacks
Sergiu Gatlan 2026.06.05 99% relevant
This article covers the same underlying event: Cisco's warning that CVE-2026-20245 in Catalyst SD-WAN Manager is being exploited as a zero-day with no patch available. It adds concrete details on the privilege-escalation path, affected deployment types, Mandiant's role in reporting, the dependency on valid netadmin access or exploitation of CVE-2026-20182/CVE-2026-20127, observed configuration changes pushed to edge devices, and example indicators of compromise in scripts.log.
Cisco Warns of 7th SD-WAN Zero-Day Exploited in 2026
Eduard Kovacs 2026.06.05 100% relevant
This article establishes a distinct new event: Cisco's disclosure of in-the-wild exploitation of CVE-2026-20245 in Catalyst SD-WAN Manager, a separate zero-day from the other Cisco and SD-WAN stories already tracked.