The bottom line: CVE-2026-20245 in Cisco SD-WAN Manager is being actively exploited. It requires local authentication with netadmin privileges, but it can be chained with exploits of older authentication bypass vulnerabilities that provide exactly those privileges.
Cisco is warning of an actively exploited high-severity vulnerability (CVE-2026-20245) in Catalyst SD-WAN Manager that enables local attackers with netadmin rights to escalate to root privileges. Patches are not yet available.
The vulnerability CVE-2026-20245 is located in the command-line interface (CLI) of the Catalyst SD-WAN Manager and allows authenticated attackers to escalate their privileges to root and thereby take full control of the system. The CVSS score is 7.8 (High) rather than Critical, because exploitation requires local netadmin privileges. Those privileges can be obtained through stolen credentials or by exploiting older authentication bypass vulnerabilities such as CVE-2026-20245 (patched in May) or CVE-2026-20127 (patched in February).
Cisco attributes the flaw to insufficient validation of user input: an attacker can upload a malicious file to inject commands and escalate to root. Google Mandiant reported the vulnerability to Cisco. The older authentication bypass flaws have already been exploited by the cyberespionage group UAT-8616, which has repeatedly targeted enterprise SD-WAN deployments. It is unclear whether UAT-8616 is also using CVE-2026-20245.
As no patch is yet available, Cisco recommends updating to the latest available version so that the older authentication bypass exploits are no longer effective. Administrators should also review the configuration of their edge devices, since Cisco has documented cases in which exploitation of this vulnerability led to configuration changes. Before updating, back up all relevant log files and run the `admin-tech` command on each control component.
Cisco has published indicators of compromise that would appear in the `/var/log/scripts.log` file. However, distinguishing malicious commands from legitimate ones in that log is difficult. If indicators are found, Cisco recommends contacting the Technical Assistance Center. A software update alone is insufficient once a system has demonstrably been compromised; in that case, specific remediation steps must be carried out by the Cisco Technical Assistance Center.
Source: www.csoonline.com · Published June 8, 2026
Lumi AI News — AI-assisted curation in accordance with Art. 50 EU AI Act. Paraphrasing and classification by Lumi News Pipeline v1.6.5.