Cisco’s SD-WAN management platform is currently under siege from attackers exploiting a severe zero-day flaw. Although a security advisory has been issued, no patch for the bug has been released, which intensifies the risk for organizations relying on this widely deployed technology.

  • Zero-day flaw in Cisco Catalyst SD-WAN Manager exploited in the wild
  • Attackers need valid credentials to execute privilege escalation
  • Cisco has not yet released a patch, advises using prior fixes as mitigations

What happened

Cisco disclosed a critical zero-day vulnerability affecting its Catalyst SD-WAN Manager software, identified as CVE-2026-20245. The flaw arises from improper input validation, which enables authenticated attackers to upload crafted files that escalate their privileges to root. The vulnerability had been actively exploited for at least a week before the public advisory.

This issue impacts all versions of the SD-WAN software regardless of deployment method, including on-premises, cloud, and FedRAMP-certified setups. Cisco clarified that attackers require netadmin-level access to exploit the defect, which could be obtained through stolen credentials or by abusing previously disclosed Cisco SD-WAN vulnerabilities.

Why it matters

Cisco SD-WAN is widely used by enterprises globally for network management, making this vulnerability particularly dangerous. A root-level exploit enables attackers to fully compromise networks, potentially disrupting critical infrastructure or exfiltrating sensitive data. The need for valid credentials limits the risk but does not eliminate it, as credentials are commonly available on underground markets.

This zero-day is the sixth SD-WAN vulnerability exploited in 2026 and the second zero-day discovered this year. Previous flaws have led to urgent patching advisories from multiple governments and cybersecurity agencies worldwide. The ongoing exploitation highlights persistent threats to network equipment and the challenges vendors face in delivering effective patches in a timely manner.

What to watch next

Organizations using Cisco SD-WAN should monitor Cisco’s security advisories closely and engage the Cisco Technical Assistance Center when needed. Applying previously released updates, especially those addressing CVE-2026-20182, is recommended as a protective measure against credential theft and privilege escalation attempts.

Security teams should also prepare for heightened attacks targeting SD-WAN environments and strengthen credential management practices. The timing of Cisco’s forthcoming patch remains unknown, which makes proactive defense and incident detection critical until a fix is issued.

Source assisted: This briefing began from a discovered source item from The Register Headlines.