BlueOnyx
Tags: Cybersecurity, Networking, SD-WAN, Infrastructure, CISO

Cisco SD-WAN: Seven Zero-Days in 2026 — Network Infrastructure Under Siege

Blue Onyx · Published on 6 June 2026 · 5 min read
Image: network performance analysis dashboard on a screen

Seven Zero-Days in One Year: Cisco's SD-WAN Stack Is in the Crosshairs

On June 5, 2026, Cisco disclosed CVE-2026-20245 — a new zero-day vulnerability in Cisco Catalyst SD-WAN Manager that is already being actively exploited in the wild, with no fix currently available. This marks the seventh actively exploited zero-day in Cisco's SD-WAN suite since January 2026. That cadence should concern every network and security leader.

A Privilege Escalation Flaw With No Safety Net

CVE-2026-20245 stems from insufficient input validation in the command-line interface (CLI) of Cisco Catalyst SD-WAN Manager. An attacker holding netadmin privileges can upload a malicious file to the system and execute arbitrary commands as root — the highest level of control on a Linux system. The CVSS score is 7.8 out of 10.

The vulnerability affects all deployment models: on-premises installations, Cloud-Pro environments, Cisco-managed platforms, and FedRAMP government deployments. No customer segment is exempt. Cisco has already confirmed active exploitation, including unauthorized configuration changes pushed to edge devices — proof that attackers are not merely observing; they are actively manipulating network traffic flows.

A Two-Stage Attack, Precisely Orchestrated

What makes CVE-2026-20245 especially dangerous is its role in a broader exploitation chain. The flaw requires authenticated access with netadmin rights — a prerequisite attackers have already shown they can satisfy by chaining other SD-WAN vulnerabilities.

CVE-2026-20182, disclosed in May 2026 with a maximum CVSS score of 10, allowed an unauthenticated attacker to bypass authentication entirely and gain administrative access. It was exploited by a threat actor tracked as UAT-8616, described by Cisco Talos as a "highly sophisticated" group active since at least 2023. In those attacks, the group added SSH keys, modified NETCONF configurations, and escalated to root privileges.

CVE-2026-20245 — discovered by Mandiant researchers — fits directly into that playbook: gain initial access through an authentication bypass, then consolidate control via privilege escalation. This is the hallmark technique of advanced persistent threat (APT) actors targeting critical network infrastructure.

No Patch, No Workaround

The situation is made worse by the complete absence of a remediation path. No patch is currently available. Cisco has promised a fix in "a future release" without committing to a timeline, and no documented workaround exists.

In the meantime, Cisco advises IT teams to:

  • Review SD-WAN Manager logs for suspicious activity or unauthorized configuration changes.
  • Collect diagnostic logs using the request admin-tech command before initiating any update or in-depth investigation.
  • Contact Cisco TAC (Technical Assistance Center) immediately if compromise is suspected, for an assessment tailored to your specific environment.
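The log review Cisco recommends can be partly automated. The following is an added example, not code from Cisco or from this article: it triages audit events in a constructed JSON-lines format (the field names are an assumption, not Cisco's real schema) against a defender-maintained list of approved netadmin accounts and management-network prefixes, and flags the steps the article attributes to the attackers: file uploads, SSH key additions, and configuration pushes to edge devices.

```python
"""Triage helper for SD-WAN Manager audit events (added example).

The event format below is CONSTRUCTED for illustration and is not the
controller's real audit schema; map the field names to what yours emits.
"""
import json

# Constructed sample events, one JSON object per line, oldest first.
SAMPLE_EVENTS = """\
{"ts":"2026-06-04T09:12:03Z","user":"ops-alice","role":"netadmin","action":"login","src":"10.20.0.15"}
{"ts":"2026-06-04T09:15:40Z","user":"ops-alice","role":"netadmin","action":"config_push","target":"edge-branch-07","src":"10.20.0.15"}
{"ts":"2026-06-05T02:41:11Z","user":"svc-backup","role":"netadmin","action":"file_upload","path":"/tmp/x.tar","src":"198.51.100.23"}
{"ts":"2026-06-05T02:42:30Z","user":"svc-backup","role":"netadmin","action":"ssh_key_add","src":"198.51.100.23"}
{"ts":"2026-06-05T02:44:02Z","user":"svc-backup","role":"netadmin","action":"config_push","target":"edge-dc-01","src":"198.51.100.23"}
"""

# Defender-maintained baselines (constructed values; tune to your estate).
APPROVED_NETADMINS = {"ops-alice", "ops-bob"}   # accounts allowed to hold netadmin
MGMT_NETWORKS = ("10.20.0.",)                    # management-plane source prefixes
ALWAYS_REVIEW = {"ssh_key_add", "file_upload"}   # steps seen in the reported intrusions


def triage(log_text, approved=APPROVED_NETADMINS, mgmt_prefixes=MGMT_NETWORKS):
    """Return [(reason, event), ...] for events a human should look at."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        reasons = []
        if ev.get("role") == "netadmin" and ev["user"] not in approved:
            reasons.append("netadmin activity from non-approved account")
        if not ev["src"].startswith(mgmt_prefixes):
            reasons.append("source outside management network")
        if ev["action"] in ALWAYS_REVIEW:
            reasons.append(f"{ev['action']} always requires review")
        elif ev["action"] == "config_push" and reasons:
            # Routine pushes by approved admins from the management
            # network are normal; flag only pushes under anomalous conditions.
            reasons.append(f"config push to {ev.get('target')} under anomalous conditions")
        if reasons:
            findings.append(("; ".join(reasons), ev))
    return findings


def affected_targets(findings):
    """Edge devices that received flagged config pushes (input for TAC/IR scoping)."""
    return {ev["target"] for _, ev in findings if ev["action"] == "config_push"}


if __name__ == "__main__":
    hits = triage(SAMPLE_EVENTS)
    for reason, ev in hits:
        print(f"{ev['ts']} {ev['user']:<12} {ev['action']:<12} {reason}")
    print("edge devices to verify:", sorted(affected_targets(hits)))
```

Devices returned by affected_targets are the ones whose running configuration should be diffed against the intended template, since the advisory reports unauthorized changes pushed to edge devices.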

SD-WAN: A High-Value Attack Surface

The steady accumulation of these incidents confirms a structural reality: SD-WAN platforms have become primary targets for sophisticated threat actors. These solutions consolidate management of an organization's entire wide-area network into a single control plane — whoever owns that plane holds visibility and control over every traffic flow in the business.

For CIOs and CISOs, the message is unambiguous: network devices are no longer a passive infrastructure layer. They are an active attack surface, targeted by well-resourced adversaries with the time, tools, and expertise to chain multiple vulnerabilities in sequence. Maintaining rigorous monitoring of Cisco security advisories, hardening access controls on the management plane, and strictly segmenting SD-WAN administrative privileges are no longer optional best practices — they are operational imperatives.
