Cisco on Thursday warned that an unpatched high-severity zero-day in Cisco Catalyst SD-WAN Manager (tracked as CVE-2026-20245) is being actively exploited in attacks that enable root privilege escalation.
This zero-day vulnerability impacts all deployment types, including on-premises deployments, Cisco SD-WAN Cloud-Professional, Cisco SD-WAN Cloud (Cisco Managed), and Cisco SD-WAN for Government (FedRAMP).
Cisco said in an advisory Thursday that the issue is caused by insufficient validation of user-supplied input, which could allow a local, low-privileged attacker to execute arbitrary commands as root.
“An attacker could exploit this vulnerability by uploading a crafted file to an affected system. Successful exploitation could allow the attacker to conduct command injection attacks on the affected system and potentially escalate their privileges as the root user,” the company explained.
“To exploit this vulnerability, an attacker must have netadmin privileges on the affected system. This could require valid credentials or exploitation of CVE-2026-20182 or CVE-2026-20127. Cisco is not aware of any other successful exploitation methods,” it added. “Cisco has observed limited cases where this bug has been exploited to push configuration changes to edge devices.”
This network management software, previously known as SD-WAN vManage, helps administrators monitor and manage up to 6,000 Catalyst SD-WAN devices from a single dashboard.
Cisco’s Product Security Incident Response Team (PSIRT) became aware of the CVE-2026-20245 exploit in June after Google Cloud’s cybersecurity subsidiary Mandiant reported the flaw, but did not provide further details.
However, an indicator of compromise (IOC) was shared that alerts administrators to review the SD-WAN /var/log/scripts.log file for attempts to upload tenant configuration data to the vSmart controller and escalate privileges through legitimate commands, as shown in the following example.
Apr 15 09:44:57 vmanage vScript: Tenant list upload per vsmart serial number: /usr/bin/vconfd_script_upload_tenant_list.sh -cli path /home/admin/malicious.csv vpn 0
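The following is an added example, not code from Cisco or from this article, showing how a defender could sweep /var/log/scripts.log for the IOC pattern described above. It matches invocations of the tenant-list upload helper, pulls out the timestamp, host, CSV path and VPN so each hit can be reviewed against change records. The syslog prefix layout and the argument order beyond the single line Cisco published are assumptions, and the sample log lines are constructed for the demonstration.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Cisco's IOC is any use of the tenant-list upload helper recorded by vScript.
# The regex assumes a standard syslog prefix ("Mon DD HH:MM:SS host") followed by
# the vScript tag; the "-cli path <file> vpn <n>" argument layout is taken from
# the one published example and is otherwise an assumption.
IOC_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+vScript:\s+.*?"
    r"(?P<script>/usr/bin/vconfd_script_upload_tenant_list\.sh)\s+"
    r"(?P<args>.*)$"
)
PATH_RE = re.compile(r"\bpath\s+(?P<path>\S+)")
VPN_RE = re.compile(r"\bvpn\s+(?P<vpn>\d+)")


@dataclass
class TenantListUpload:
    """One tenant-list upload event worth reviewing."""
    timestamp: str
    host: str
    csv_path: Optional[str]
    vpn: Optional[int]
    raw: str


def parse_line(line: str) -> Optional[TenantListUpload]:
    """Return a TenantListUpload if the line matches the IOC, else None."""
    m = IOC_RE.match(line.rstrip("\n"))
    if not m:
        return None
    args = m.group("args")
    path_m = PATH_RE.search(args)
    vpn_m = VPN_RE.search(args)
    return TenantListUpload(
        timestamp=m.group("ts"),
        host=m.group("host"),
        csv_path=path_m.group("path") if path_m else None,
        vpn=int(vpn_m.group("vpn")) if vpn_m else None,
        raw=line.rstrip("\n"),
    )


def find_tenant_list_uploads(lines: Iterable[str]) -> List[TenantListUpload]:
    """Collect every tenant-list upload event from an iterable of log lines.

    The helper is a legitimate command, so every hit is a review item to be
    reconciled with authorised tenant changes, not an automatic verdict.
    """
    hits = []
    for line in lines:
        event = parse_line(line)
        if event is not None:
            hits.append(event)
    return hits


def scan_scripts_log(path: str = "/var/log/scripts.log") -> List[TenantListUpload]:
    """Scan the on-box scripts.log (or an exported copy) for the IOC."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_tenant_list_uploads(fh)


# Constructed sample: the first line mirrors Cisco's published IOC example,
# the others are unrelated vScript activity that should not be flagged.
SAMPLE_LOG = [
    "Apr 15 09:44:57 vmanage vScript: Tenant list upload per vsmart serial number: "
    "/usr/bin/vconfd_script_upload_tenant_list.sh -cli path /home/admin/malicious.csv vpn 0",
    "Apr 15 09:45:10 vmanage vScript: Running health check: /usr/bin/example_health_check.sh",
    "Apr 15 09:46:02 vmanage sshd[2201]: Accepted publickey for admin from 10.0.0.5",
]

if __name__ == "__main__":
    for hit in find_tenant_list_uploads(SAMPLE_LOG):
        print(f"{hit.timestamp} {hit.host}: tenant list upload from "
              f"{hit.csv_path} (vpn {hit.vpn}) -> review against change records")
```

Because the same helper is used for legitimate tenant administration, the useful output is the list of events paired with who was logged in and whether a matching change was authorised; an unexpected CSV path under a user's home directory, as in Cisco's example, is the detail to reconcile first.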
“To determine whether Cisco Catalyst SD-WAN Manager has been compromised, customers can open a case with Cisco TAC,” the company added, advising administrators to first collect admin-tech files to assist in the investigation.
Security patch not yet available
Last month, Cisco also tagged a maximum-severity Catalyst SD-WAN controller authentication bypass flaw (CVE-2026-20182) as being actively exploited as a zero-day to gain administrative privileges on unpatched devices.
Cisco has not yet released a patch for CVE-2026-20245, but on May 14, Cisco recommended that customers upgrade to software fixed for CVE-2026-20182.
In February, Cisco patched another information disclosure security flaw (CVE-2026-20133) in Catalyst SD-WAN Manager. CISA reported that it was being actively exploited in late April, and two weeks later warned that two more flaws (CVE-2026-20128 and CVE-2026-20122) were being actively exploited.
In March, we also addressed and reported on a critical authentication bypass vulnerability (CVE-2026-20127) that has been exploited in zero-day attacks since at least 2023.
Over the past few years, CISA has tagged 90 Cisco vulnerabilities as being exploited, including 4 in Cisco Catalyst SD-WAN Manager and 6 others in ransomware operations.