Cisco informed customers on Thursday about yet another SD-WAN product vulnerability that has been exploited in the wild – the seventh whose exploitation was detected in 2026.
The new vulnerability, which has yet to be patched by Cisco, is tracked as CVE-2026-20245 and affects the command-line interface (CLI) of Cisco Catalyst SD-WAN Manager.
An authenticated local attacker can exploit it to execute arbitrary commands as root via specially crafted files.
“This vulnerability is due to insufficient validation of user-supplied input,” Cisco explained in its advisory. “An attacker could exploit this vulnerability by uploading a crafted file to the affected system. A successful exploit could allow the attacker to perform command injection attacks on an affected system and elevate their privileges as the root user.”
The networking giant noted that an attacker needs to have ‘netadmin’ privileges on the targeted system to exploit the flaw. Such privileges can be obtained either with compromised credentials or via the exploitation of other SD-WAN vulnerabilities, such as CVE-2026-20182 or CVE-2026-20127.
“Cisco is not aware of successful exploitation by other methods,” the vendor said. “Cisco has observed limited cases where the exploitation of this bug resulted in a configuration change pushed to edge devices.”
CVE-2026-20182 was fixed by Cisco in mid-May, after the company learned of its in-the-wild exploitation. This authentication bypass flaw was exploited as a zero-day by a threat actor identified as UAT-8616, which had previously also exploited CVE-2026-20127 to gain unauthorized access to SD-WAN systems.
CVE-2026-20245 was reported to Cisco by Mandiant. No information has been shared on the attacks exploiting the zero-day, but SecurityWeek has reached out to Mandiant for details.
Cisco said its PSIRT learned about the exploitation of the vulnerability in June, which indicates that it rushed to disclose it.
Cisco has made available indicators of compromise (IoCs). Patches will be included in a future Catalyst SD-WAN Manager release and no workarounds are available.
Other Cisco SD-WAN product vulnerabilities whose exploitation came to light in 2026 include CVE-2026-20128, CVE-2026-20122, and CVE-2026-20133. An older vulnerability, CVE-2022-20775, was also flagged as exploited in the wild this year.
