
CVE-2026-20245 — Cisco Catalyst SD-WAN Manager: actively-exploited command-injection to root (no patch)

From CTI Daily Brief — 2026-06-06 · published 2026-06-06

Cisco has confirmed a second actively-exploited zero-day in Catalyst SD-WAN Manager (formerly vManage), tracked as CVE-2026-20245 (Cisco PSIRT; NCSC-CH GovCERT, 2026-06-05). It is a command-injection flaw: an attacker with netadmin privileges can inject arbitrary OS commands that execute as root on the underlying appliance (T1059.004 Unix Shell, following T1078 Valid Accounts). Per Cisco, exploitation requires either valid netadmin credentials or prior exploitation of the pre-auth bypass CVE-2026-20182 (covered in weekly W22) or CVE-2026-20127 — making the realistic path an unauthenticated-to-root chain against an internet-exposed Manager. Cisco states it has "observed limited cases where the exploitation of this bug resulted in a configuration change pushed to edge devices," i.e. the blast radius extends from the management plane to every managed edge router. No fixed release is available; Cisco's only guidance is to restrict management-plane access to trusted hosts and verify edge-device configuration.

Detection concepts: review the SD-WAN Manager CLI audit log for unexpected command execution and EDR/host telemetry for shells spawned under the management daemon's service account; treat any unplanned config push to edge devices as a hunting trigger.

Hardening: ACL the management interface to a dedicated management VLAN, enforce MFA for netadmin, and rotate Manager credentials given confirmed in-the-wild use.
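The three detection concepts above, turned into hunting rules over constructed telemetry, as an added example that is not part of the brief and not Cisco's own tooling. The event schema, the service-account name `mgmt-svc`, the CLI baseline and the sample records are assumptions; they are not the real SD-WAN Manager audit-log or EDR formats.

```python
"""Hunting heuristics for the brief's three detection concepts. Schema, account
name and sample records are constructed; not Cisco's real log/EDR format."""
from collections import namedtuple

Finding = namedtuple("Finding", "rule event")

# Assumed service account of the management daemon (placeholder, not a Cisco value).
MGMT_SERVICE_ACCOUNT = "mgmt-svc"
SHELLS = {"sh", "bash", "dash"}
# Assumed baseline of CLI commands netadmin is expected to run on this Manager.
EXPECTED_CLI = {"show running-config", "show control connections", "show version"}


def hunt(events, approved_tickets):
    """Return a Finding for every event matching one of the hunting triggers.
    events: dicts with 'kind' in {'process', 'cli', 'config_push'};
    approved_tickets: change-ticket ids that cover planned config pushes."""
    findings = []
    for ev in events:
        kind = ev.get("kind")
        # 1. Host telemetry: a shell spawned under the management daemon's account.
        if (kind == "process" and ev.get("user") == MGMT_SERVICE_ACCOUNT
                and ev.get("image") in SHELLS):
            findings.append(Finding("shell_under_mgmt_svc", ev))
        # 2. CLI audit log: a netadmin command outside the expected baseline.
        elif kind == "cli" and ev.get("command") not in EXPECTED_CLI:
            findings.append(Finding("unexpected_cli_command", ev))
        # 3. An edge-device config push with no approved change ticket behind it.
        elif kind == "config_push" and ev.get("ticket") not in approved_tickets:
            findings.append(Finding("unplanned_config_push", ev))
    return findings


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    {"kind": "cli", "user": "netadmin", "command": "show version"},
    {"kind": "cli", "user": "netadmin", "command": "CONSTRUCTED-UNBASELINED-CMD"},
    {"kind": "process", "user": "mgmt-svc", "image": "java", "parent": "init"},
    {"kind": "process", "user": "mgmt-svc", "image": "bash", "parent": "mgmt-daemon"},
    {"kind": "config_push", "device": "edge-01", "ticket": "CHG-1001"},
    {"kind": "config_push", "device": "edge-02", "ticket": None},
]
APPROVED_TICKETS = {"CHG-1001"}

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS, APPROVED_TICKETS):
        print(f"[{f.rule}] {f.event}")
```

The allowlist and ticket set are the tuning points: populate them from the Manager's own change records before running the rules over real exports.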