Cisco SD-WAN Manager Flaw Actively Exploited

"A vulnerability in the CLI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an authenticated, local attacker to execute arbitrary commands as root by supplying a crafted file to the affected system," Cisco said in an advisory.

Cisco on CVE-2026-20245: a CLI flaw allowing root command execution

Cisco has warned that CVE-2026-20245, a high-severity vulnerability in Catalyst SD-WAN Manager, is being actively exploited. The flaw carries a CVSS score of 7.8 and affects multiple deployment types: On-Prem Deployment; Cisco SD-WAN Cloud-Pro; Cisco SD-WAN Cloud (Cisco Managed); and Cisco SD-WAN for Government (FedRAMP). According to the advisory, the underlying error is insufficient validation of user-supplied input, which allows an attacker who can upload a crafted file to perform command injection and escalate privileges to root.

Exploit prerequisites and links to CVE-2026-20182 and CVE-2026-20127

Cisco emphasized that exploitation requires the attacker to have netadmin privileges on the affected system. "This would require valid credentials or exploitation of CVE-2026-20182 or CVE-2026-20127," Cisco added, and the company said it is not aware of successful exploitation by other methods. CVE-2026-20182 — disclosed last month by Rapid7 with a CVSS score of 10.0 — was described as an authentication bypass that could enable unauthenticated, remote attackers to obtain administrative privileges. Cisco also noted CVE-2026-20127 is similar; both CVE-2026-20182 and CVE-2026-20127 have been exploited in the wild as zero-days.

Observed outcomes: configuration changes and IoCs in /var/log/scripts.log

In its advisory, Cisco reported limited cases where exploitation of CVE-2026-20245 resulted in configuration changes pushed to edge devices. The company credited Google Mandiant researchers Chester Sng, Pete Boonyakarn, and Logeswaran Nadarajan with discovering and reporting the vulnerability, and said it is unknown who is behind the latest exploitation efforts.

Cisco warned that internet-exposed systems are at heightened risk of compromise and published indicators of compromise (IoCs) for defenders to check. Examples of relevant lines in /var/log/scripts.log include:

  • Apr 15 09:44:57 vmanage vScript: Tenant list upload per vsmart serial number: /usr/bin/vconfd_script_upload_tenant_list.sh -cli path /home/admin/malicious.csv vpn 0
  • Jun 5 13:06:39 Manager vScript: vSmart upload serial numbers: /usr/bin/vconfd_script_upload_vsmart_serial_numbers.sh -cli path /home/admin/vsmart_serial_numbers_safe.csv
  • Jun 5 13:08:47 Validator vScript: ZTP upload chassis numbers: /usr/bin/vconfd_script_upload_chassis_number_file.sh -cli path /home/admin/chassis_numbers_safe.csv
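As an added example (not from Cisco's advisory or the original article) of the log check recommended above and in the guidance for security teams below, the following Python script parses scripts.log lines in the shape of the three published IoC entries and surfaces every invocation of those upload scripts, with timestamp, host and uploaded file path, for analyst review. The line format and the sample log are assumptions reconstructed from the three excerpted lines.

```python
import re
from typing import Iterable, List, NamedTuple, Optional

# The three upload-script invocations that appear in the /var/log/scripts.log IoC
# lines published by Cisco for CVE-2026-20245 (copied from the advisory excerpt).
IOC_SCRIPTS = frozenset({
    "/usr/bin/vconfd_script_upload_tenant_list.sh",
    "/usr/bin/vconfd_script_upload_vsmart_serial_numbers.sh",
    "/usr/bin/vconfd_script_upload_chassis_number_file.sh",
})

# Assumed line shape, derived from the published examples:
#   "<Mon> <day> <HH:MM:SS> <host> vScript: <label>: <script> -cli path <file> [more args]"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+vScript:\s+"
    r"(?P<label>[^:]+):\s+(?P<script>\S+)\s+-cli\s+path\s+(?P<path>\S+)(?P<rest>.*)$"
)

class Hit(NamedTuple):
    ts: str
    host: str
    script: str
    path: str
    rest: str

def parse_line(line: str) -> Optional[Hit]:
    """Return a Hit for a vScript line invoking one of the IoC upload scripts, else None."""
    m = LINE_RE.match(line.strip())
    if m is None or m.group("script") not in IOC_SCRIPTS:
        return None
    return Hit(m.group("ts"), m.group("host"), m.group("script"),
               m.group("path"), m.group("rest").strip())

def scan(lines: Iterable[str]) -> List[Hit]:
    """Scan scripts.log lines; every returned Hit is an upload event worth reviewing."""
    return [hit for hit in map(parse_line, lines) if hit is not None]

# Constructed sample: the three advisory lines plus two benign lines that must not match.
SAMPLE_LOG = """\
Apr 15 09:44:57 vmanage vScript: Tenant list upload per vsmart serial number: /usr/bin/vconfd_script_upload_tenant_list.sh -cli path /home/admin/malicious.csv vpn 0
Jun 5 13:06:39 Manager vScript: vSmart upload serial numbers: /usr/bin/vconfd_script_upload_vsmart_serial_numbers.sh -cli path /home/admin/vsmart_serial_numbers_safe.csv
Jun 5 13:07:10 Manager sshd[4242]: Accepted publickey for admin
Jun 5 13:08:47 Validator vScript: ZTP upload chassis numbers: /usr/bin/vconfd_script_upload_chassis_number_file.sh -cli path /home/admin/chassis_numbers_safe.csv
Jun 5 13:09:30 Manager vScript: Unrelated upload: /usr/bin/vconfd_script_other.sh -cli path /home/admin/other.csv
"""

if __name__ == "__main__":
    # Real use: scan(open("/var/log/scripts.log")) on the SD-WAN Manager host.
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(f"{hit.ts} {hit.host}: {hit.script} <- {hit.path} {hit.rest}")
```

A match only means one of the named upload scripts ran; correlate the uploading account and the file contents before treating it as confirmed exploitation.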

Mitigation status: no patch; ensure CVE-2026-20182 fixes (May 14, 2026) are applied

At the time of the advisory, Cisco reported that no patches or mitigations were available for CVE-2026-20245. Cisco recommended that customers upgrade their SD-WAN software to ensure they have applied the fixes released for CVE-2026-20182 on May 14, 2026. Cisco also framed this disclosure in the context of recurring SD-WAN problems: CVE-2026-20245 is the seventh SD-WAN flaw flagged as actively exploited this year, after CVE-2026-20182, CVE-2026-20127, CVE-2026-20122, CVE-2026-20128, CVE-2026-20133, and CVE-2022-20775.

The advisory arrived days after Cisco addressed a separate high-severity flaw in Unified Communications Manager (CVE-2026-20230, CVSS score: 8.6); Cisco said proof-of-concept exploit code for that UC Manager issue is public but that it had found no evidence of active exploitation.

What this means for technologists, enterprises, and policymakers

  • Technologists and security teams: Verify whether deployed SD-WAN Manager instances match the affected deployment types listed by Cisco, check /var/log/scripts.log for the provided IoC lines, and confirm that the May 14, 2026 fixes for CVE-2026-20182 are installed.
  • Enterprises and procurement leaders: Inventory where Catalyst SD-WAN Manager is used (including On-Prem, Cloud-Pro, Cisco-Managed Cloud, and FedRAMP environments) and treat internet-exposed systems as higher risk until mitigations or patches are released.
  • Policymakers and regulators: Note that Cisco lists a FedRAMP-bearing deployment among the affected types, and that this is the seventh actively exploited SD-WAN flaw reported this year; the pattern may inform questions about coordinated disclosure, cloud-managed service exposures, and timelines for vendor remediation.

Cisco's advisory leaves two clear facts in view: a remote exploitation chain is not claimed for CVE-2026-20245 without prior netadmin access, and there is no current patch. The discovery credited to Google Mandiant researchers is explicit; who is exploiting the flaw is not. Until a vendor patch appears, the record is a mix of confirmed technical detail, published IoCs, and an open question about attribution and future impact.