CVE-2026-20245: Cisco Discloses 7th SD-WAN Zero-Day of 2026 — Unpatched Root Escalation, No Patch Available, Chains After CVSS 10.0 Auth Bypass
Sources: SecurityWeek · Bleeping Computer · Cybersecurity Dive · Cyberpress · Mandiant (discovery) · Cisco PSIRT Advisory cisco-sa-sdwan-privesc-4uxFrdzx | CVE: CVE-2026-20245 | CVSS: 7.8 High | CWE: CWE-116 — Improper Encoding or Escaping of Output | Disclosed by: Mandiant (Google Cloud) | Patch status: NO PATCH AVAILABLE — future release date not specified | Deployment types affected: On-Prem · Cloud-Pro · Cloud Managed · SD-WAN for Government (FedRAMP)
The seventh SD-WAN zero-day in six months — and this one has no patch
On June 5, 2026, Cisco disclosed CVE-2026-20245 — a high-severity privilege escalation vulnerability in the Cisco Catalyst SD-WAN Manager CLI that has been actively exploited in the wild. This is the seventh Cisco SD-WAN vulnerability confirmed exploited in 2026, and it carries a detail that makes it uniquely dangerous at the moment of disclosure: there is no patch, and Cisco has not provided a timeline for when one will be available.
The vulnerability was discovered and reported by Mandiant, Google Cloud’s cybersecurity subsidiary. Cisco’s Product Security Incident Response Team confirmed that Cisco became aware of CVE-2026-20245 exploitation in June after Mandiant reported it — meaning, as with several prior SD-WAN vulnerabilities, the flaw was being actively exploited in real-world attacks before the vendor knew it existed. Cisco has observed limited confirmed cases where exploitation resulted in a configuration change being pushed to edge devices — which, in the context of an SD-WAN management platform controlling up to 6,000 network devices from a single dashboard, is not a limited impact. It is network-wide.
DataWater covered the prior chapter of this campaign extensively — CVE-2026-20182, the CVSS 10.0 SD-WAN authentication bypass with 11 confirmed threat actor clusters inside enterprise networks. CVE-2026-20245 is the escalation layer that attacker UAT-8616 and associated clusters use after achieving initial access through CVE-2026-20182 or CVE-2026-20127. The two vulnerabilities are now formally documented as a chained attack sequence — entry via authentication bypass, root escalation via command injection. Together they give an attacker complete control of the entire SD-WAN fabric.
| Field | Detail |
|---|---|
| CVE | CVE-2026-20245 |
| CVSS Score | 7.8 High |
| CWE | CWE-116 — Improper Encoding or Escaping of Output / Command Injection |
| Affected product | Cisco Catalyst SD-WAN Manager (formerly vManage) — all deployment types |
| Deployment types | On-Prem · Cloud-Pro · Cloud Managed · SD-WAN for Government (FedRAMP) |
| Attack type | Authenticated local attacker uploads crafted file → command injection → root privilege escalation |
| Prerequisite | netadmin privileges — obtainable via valid credentials, CVE-2026-20182, or CVE-2026-20127 |
| Patch available | No — future release, no timeline provided |
| Workaround available | No — Cisco recommends upgrading to May 14 release as protective measure |
| Discovered by | Mandiant (Google Cloud) |
| Confirmed exploitation | Yes — limited cases with configuration changes pushed to edge devices |
| Cisco advisory | cisco-sa-sdwan-privesc-4uxFrdzx · Bug ID CSCwu18563 |
| Chained with | CVE-2026-20182 (CVSS 10.0 auth bypass) · CVE-2026-20127 (CVSS 10.0 peering bypass) |
| Threat actor | UAT-8616 (confirmed) — same group behind CVE-2026-20182 campaign |
| 7th exploited SD-WAN CVE of 2026 | Yes |
How the attack works: from netadmin to root in one crafted file
CVE-2026-20245 resides in the command-line interface of Cisco Catalyst SD-WAN Manager. The root cause is insufficient validation of user-supplied input — the classic command injection vulnerability class that appears repeatedly across enterprise network software and has been exploited at scale throughout 2026.
The attack sequence is straightforward: an attacker with netadmin privileges on the SD-WAN Manager uploads a specially crafted file to the affected system. The insufficient input validation fails to sanitize the file’s contents properly, allowing attacker-controlled strings to be interpreted as system commands — a command injection. The injected commands execute with the privileges of the process handling the upload, which in this case escalates to root on the SD-WAN Manager.
Root access to the SD-WAN Manager is the highest possible privilege level on the system. An attacker with root on vManage can read all stored credentials and configuration data, modify routing and policy configurations across the entire SD-WAN fabric, push configuration changes to any or all of the edge devices the Manager controls, create persistent backdoor accounts that survive software updates, and clear or modify audit logs to conceal the intrusion. Cisco has confirmed that in at least some exploitation cases, attackers used this access to push configuration changes to edge devices — meaning the compromise propagated beyond the management server itself into the production network infrastructure.
The prerequisite chain: why CVE-2026-20182 survivors are still at risk
CVE-2026-20245 requires netadmin privileges to exploit. Cisco is explicit that this can be obtained in two ways beyond legitimate credentials: via prior exploitation of CVE-2026-20182 (the CVSS 10.0 authentication bypass we covered in May) or via CVE-2026-20127 (the CVSS 10.0 peering authentication bypass documented in February). This prerequisite chain is not a meaningful security barrier — it is a description of the attacker’s current toolkit.
Consider the operational picture: an organization whose SD-WAN Manager was exposed to the internet during the CVE-2026-20182 exploitation window (approximately May 11 through May 14, before the patch was available) may have been compromised at the authentication bypass level without knowing it. If those attackers established persistence — created netadmin accounts, modified SSH authorized keys, set up NETCONF access — they are still inside. CVE-2026-20245 gives them the next step: escalate from netadmin to root, completing the full compromise of the management plane. The two vulnerabilities are not independent incidents. They are sequential stages in the same intrusion campaign. Patching CVE-2026-20182 after the fact does not remove an attacker who already used it to establish netadmin access.
This chaining pattern is precisely what the Verizon DBIR 2026 documented as the defining characteristic of 2026’s most impactful breaches: attackers are not one-and-done. They achieve initial access, establish persistence, then use subsequent vulnerabilities to deepen and extend that access — often over weeks or months — before the organization detects the initial entry point. The 4.3-day median dwell time before ransomware deployment gives a false sense of speed. For state-linked threat actors like UAT-8616, dwell times are measured in months, not days.
Seven exploited SD-WAN CVEs in 2026: the full chain
CVE-2026-20245 is the seventh Cisco SD-WAN vulnerability confirmed exploited in 2026. The progression shows a systematic, methodical campaign rather than opportunistic exploitation:
- CVE-2026-20127 (CVSS 10.0) — Peering authentication bypass in SD-WAN Controller and Manager. Unauthenticated remote attacker obtains high-privileged internal user access. Exploitation traced to 2023. DataWater covered in February 2026.
- CVE-2022-20775 (CVSS 7.8) — Path traversal in SD-WAN CLI. Used in the post-exploitation chain after CVE-2026-20127 to escalate from non-root internal user to root.
- CVE-2026-20182 (CVSS 10.0) — Authentication bypass in SD-WAN. DataWater’s full coverage from May 16 — 11 threat actor clusters, CISA Emergency Directive 26-03, patched May 14.
- CVE-2026-20245 (CVSS 7.8) — NEW, UNPATCHED — Command injection via CLI file upload. Root privilege escalation on SD-WAN Manager. Chained after CVE-2026-20182 or CVE-2026-20127 for netadmin access. No patch, no timeline.
- Three additional CVEs — SecurityWeek references seven total exploited SD-WAN vulnerabilities in 2026. The remaining three have not all been publicly detailed at time of publication. The pattern is consistent across all: UAT-8616 and associated clusters systematically probing every attack surface in the SD-WAN stack.
The cumulative picture is of a sophisticated, persistent threat actor that has spent months — possibly years, given that CVE-2026-20127 exploitation dates to 2023 — studying and exploiting every layer of Cisco SD-WAN architecture. This is not opportunistic scanning. This is a deliberate, long-running campaign against enterprise and government network infrastructure. The three-year Cisco SD-WAN network backbone heist DataWater documented earlier this year is no longer a historical case study — it is the current threat model.
Why “no patch, no timeline” is the most dangerous possible disclosure state
Enterprise security teams are accustomed to a disclosure cycle: vulnerability disclosed, patch released, remediation window begins. CVE-2026-20245 breaks that cycle in the most operationally uncomfortable way possible. The vulnerability has been confirmed exploited. Mandiant reported it. Cisco publicly acknowledged it. And there is no patch and no date by which a patch will be available.
This creates a compounding problem. Public disclosure of an unpatched vulnerability is an invitation for additional threat actors to develop and deploy their own exploits. The CVE number is now assigned. The mechanism — CLI file upload, command injection, insufficient input validation — is publicly documented. Any attacker capable of developing a proof-of-concept exploit can now do so with Cisco’s own advisory as a technical roadmap. The DBIR 2026 found the median time from CVE publication to exploitation is 5 days. For a vulnerability where the mechanism is already partially disclosed in the advisory, that window may be significantly shorter.
Cisco’s only current guidance — upgrade to the May 14 release, which addressed CVE-2026-20182, as “a protective measure” — is not a remediation. It is a partial risk reduction. Environments already running the May 14 release are still vulnerable to CVE-2026-20245 if an attacker has netadmin access. The upgrade recommendation addresses the CVE-2026-20182 entry point; it does not close the CVE-2026-20245 escalation path. The two vulnerabilities require two separate fixes, and only one exists.
Mandiant’s discovery: what it tells us about the campaign
The fact that CVE-2026-20245 was discovered by Mandiant — not by Cisco’s own security team, not by a bug bounty researcher, not by an academic analysis — carries operational significance. Mandiant discovered this vulnerability by investigating active exploitation of Cisco SD-WAN infrastructure. That means they were responding to a real incident, analyzed the attack chain, and identified a previously unknown exploitation technique being used in the wild.
This is the same discovery pattern as CVE-2026-34926, the Trend Micro Apex One zero-day DataWater covered on May 26 — discovered by TrendAI’s own IR team during active exploitation investigation. In both cases, the vendor’s security team found the flaw because they were already investigating a real breach. The flaw was being used before anyone knew it existed. The implication for enterprises is consistent: detection of known attack patterns and IOCs — UAT-8616’s NETCONF activity, rogue netadmin account creation, configuration pushes to edge devices — is what triggers the investigation chain that eventually produces the CVE. Organizations without detection capabilities calibrated to these behavioral signatures will not generate the telemetry that leads to discovery. They will simply remain compromised.
Indicators of compromise — what to look for now
In the absence of a patch, detection and compromise assessment are the primary defensive actions available. Security teams should immediately audit SD-WAN Manager environments for the following:
```shell
# Check for unauthorized netadmin or admin accounts created after May 2026
# In vManage UI: Administration → Manage Users
# Via CLI:
show aaa users

# Review NETCONF session history for unauthorized connections (port 830)
show system netconf-yang sessions
# Look for external IPs not in your known management inventory

# Check SD-WAN Manager file upload logs for crafted file activity
# Look in: /var/log/vmanage/ for anomalous file upload events around exploitation window

# Audit edge device configuration push history
# In vManage: Configuration → Devices → Configuration History
# Any configuration change not tied to an authorized change ticket is suspicious

# Check for SSH authorized_keys modifications
cat ~/.ssh/authorized_keys
cat /root/.ssh/authorized_keys
# Any key not provisioned by your team is an attacker persistence mechanism

# Review bash history for evidence of root-level activity
cat /root/.bash_history
# Look for: netconf commands, ssh key modifications, log clearing, config file edits

# Check for unexpected software version downgrades
show version
# Attackers using the CVE-2022-20775 chain downgrade then restore — check version history logs

# Review system logs for privilege escalation events
grep -i "privilege\|escalat\|root\|netadmin" /var/log/auth.log | grep "2026-05\|2026-06"
```
Additional IOCs documented across the UAT-8616 campaign, which DataWater covered in depth in the May 16 CVE-2026-20182 article:
- Local user accounts that mimic legitimate accounts — attackers create accounts with names slightly similar to existing accounts to blend in
- Unexpected SSH authorized key entries — particularly for the root user
- Modified SD-WAN startup scripts — persistence mechanism that survives reboots
- NETCONF connections from unexpected external IPs — port 830 activity from IPs outside your known management plane
- Log clearing or truncation — missing or shortened bash_history, altered auth.log entries
- Configuration pushes to edge devices not tied to authorized changes — particularly routing modifications or policy changes
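As an added illustration (not DataWater's or Cisco's code) of the account, NETCONF and SSH-key checks listed above, the triage helper below runs that logic over constructed sample output: it flags netadmin accounts outside an allowlist, look-alike account names, NETCONF peers outside the management network, and unprovisioned authorized_keys entries. The line formats, allowlist, management CIDR and key blobs are assumptions for the example, not vManage's real output.

```python
import difflib
import ipaddress
from datetime import date

# Constructed allowlists: a real team substitutes its own inventory (assumption).
KNOWN_ADMINS = {"admin", "netops-ci", "j.smith"}
MGMT_NETS = [ipaddress.ip_network("10.10.0.0/24")]          # audited management VLAN
PROVISIONED_KEYS = {"AAAAC3NzaC1lZDI1NTE5AAAAIKnownKeyStub"}  # constructed, not a real key
WINDOW_START = date(2026, 5, 1)   # accounts created after this need a change ticket

def lookalike(name, known, threshold=0.8):
    """Known names a candidate nearly duplicates (e.g. 'admln' vs 'admin')."""
    return [k for k in known if k != name
            and difflib.SequenceMatcher(None, name, k).ratio() >= threshold]

def audit_users(lines):
    """Flag netadmin accounts not in the allowlist; note window and look-alikes.
    Input line format 'name group created' is assumed, not vManage's real output."""
    findings = []
    for line in lines:
        name, group, created = line.split()
        if group != "netadmin" or name in KNOWN_ADMINS:
            continue
        reason = "unknown netadmin"
        if date.fromisoformat(created) >= WINDOW_START:
            reason += " created in exploitation window"
        near = lookalike(name, KNOWN_ADMINS)
        if near:
            reason += f" (look-alike of {near[0]})"
        findings.append((name, reason))
    return findings

def audit_netconf(lines):
    """Flag NETCONF (port 830) sessions whose peer is outside the management nets.
    Input line format 'session-id peer-ip user' is assumed."""
    return [(sid, peer, user) for sid, peer, user in (l.split() for l in lines)
            if not any(ipaddress.ip_address(peer) in net for net in MGMT_NETS)]

def audit_authorized_keys(text):
    """Return key blobs in an authorized_keys file that the team did not provision."""
    rogue = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        # authorized_keys entries are '<type> <base64-key> [comment]'
        blob = fields[1] if len(fields) > 1 else fields[0]
        if blob not in PROVISIONED_KEYS:
            rogue.append(blob)
    return rogue

# Constructed sample telemetry mirroring the indicators listed above.
SAMPLE_USERS = [
    "admin       netadmin  2024-03-01",
    "netops-ci   netadmin  2025-11-20",
    "admln       netadmin  2026-05-12",   # look-alike created during the window
    "j.smith     operator  2025-01-15",
    "svc-backup  netadmin  2026-05-13",
]
SAMPLE_NETCONF = ["1 10.10.0.5 netops-ci", "2 203.0.113.77 admln"]
SAMPLE_KEYS = ("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKnownKeyStub ops@jump01\n"
               "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIRogueKeyStub\n")
```

Feed it the real `show aaa users`, `show system netconf-yang sessions` and authorized_keys output after adjusting the parsers to the actual column layout; every hit should map to a change ticket or be treated as a compromise indicator.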
What you can actually do right now with no patch available
- Conduct an immediate compromise assessment on all Cisco Catalyst SD-WAN Manager instances. Run the detection commands above. Any environment that had unpatched exposure to CVE-2026-20182 or CVE-2026-20127 should be treated as potentially already compromised at the netadmin level — CVE-2026-20245 may have been used to escalate to root. Engage Cisco TAC and/or a third-party IR firm for environments where evidence of compromise is ambiguous. Contact Cisco TAC at tac@cisco.com or via the Cisco Support Portal.
- Upgrade to the May 14 release if not already done. Cisco is explicit that this is a protective measure — it addresses the CVE-2026-20182 authentication bypass entry point that provides the netadmin access CVE-2026-20245 requires. It does not patch CVE-2026-20245, but it removes one of the primary paths to the prerequisite access level.
- Audit and restrict netadmin accounts immediately. Identify every account with netadmin privileges on your SD-WAN Manager. Remove any you cannot positively verify as authorized. Change credentials on all remaining netadmin accounts. This is the access level CVE-2026-20245 requires — shrinking the pool of accounts that could be used as its prerequisite is the primary available risk reduction with no patch.
- Restrict SD-WAN Manager access to a dedicated management network. If your SD-WAN Manager is reachable from general enterprise network segments or the internet, implement firewall rules that restrict access to the management interface to a dedicated, audited management VLAN with MFA-enforced jump box access. This reduces the attack surface for the credential compromise vector that provides netadmin access.
- Enable and review NETCONF session logging. NETCONF on port 830 is the protocol UAT-8616 uses for lateral movement and configuration manipulation across the SD-WAN fabric. Any NETCONF session from an unexpected IP address is a confirmed exploitation indicator. If you are not currently logging NETCONF sessions, enable it immediately.
- Monitor Cisco’s security advisories for the CVE-2026-20245 patch. Subscribe to psirt@cisco.com security notifications and the Cisco Security Advisory feed. When the patch is released — with no timeline given, this requires active monitoring rather than scheduled review — treat it as an emergency deployment with the same urgency as a CISA KEV item.
- Government / FedRAMP deployments: CVE-2026-20245 affects Cisco SD-WAN for Government (FedRAMP) deployments. Federal agencies should escalate to CISA immediately and engage Cisco TAC for priority support. Given the CISA Emergency Directive 26-03 issued for CVE-2026-20182, an updated directive covering CVE-2026-20245 may be forthcoming.
The enterprise network infrastructure threat pattern of 2026
CVE-2026-20245 is not an isolated vulnerability. It is the latest data point in a pattern that DataWater has tracked throughout 2026: enterprise network security infrastructure — the devices and management platforms that organizations depend on to secure their networks — is under sustained, systematic, nation-state-grade attack. The Palo Alto PAN-OS GlobalProtect authentication bypass (CVE-2026-0257), the Cisco SD-WAN CVSS 10.0 authentication bypass (CVE-2026-20182), and now CVE-2026-20245 — all three share the same profile: network perimeter or management plane compromise, nation-state or nation-state-linked threat actors, chained exploitation techniques, and an attacker goal of persistent, stealthy network access rather than immediate ransomware deployment.
The White House AI executive order signed June 2 acknowledged that AI is accelerating this threat landscape. CVE-2026-20245 is a reminder that the non-AI threat — nation-state actors with deep expertise in enterprise networking infrastructure, years of dwell time, and systematic vulnerability chaining — is running in parallel. The enterprise security program that survives 2026 will need to defend against both simultaneously. For strategic guidance on building defenses that account for this threat model, see our analysis of enterprise strategies for managing APT risk and the deep dive on how a ghost hacker owned Cisco SD-WAN for three years before anyone noticed.
🔗 Related DataWater Coverage
- → CVE-2026-20182: CVSS 10.0 Cisco SD-WAN Auth Bypass — 11 Threat Clusters Inside Enterprise Networks, CISA Emergency Directive 26-03 (May 16)
- → The Network Backbone Heist — How a Ghost Hacker Owned Cisco SD-WAN for Three Years Before Anyone Noticed
- → CVE-2026-0257: Palo Alto PAN-OS Auth Bypass — CVSS 9.1, CISA KEV, Two Attack Waves, June 19 Deadline
- → White House AI Executive Order — Classified Benchmark, 30-Day Pre-Release Window, the Policy That Admits AI Is a Cyber Weapon (June 4)
- → CVE-2026-34926: Trend Micro Apex One Zero-Day — Attackers Push Malware to Every Endpoint, CISA KEV June 4
- → Verizon DBIR 2026 — Exploitation Now #1 Breach Vector, 4.3-Day Median Ransomware Dwell Time
- → CISA Warning: Nx Console / GitHub Supply Chain — Megalodon Confirmed, Two CVEs on KEV, June 10 Deadline
- → Advanced Persistent Threats (APTs) — Enterprise Defense Strategies for State-Sponsored Intrusions
- → Zero-Day Exploits — Why They’re Surging in 2026 and How Enterprises Respond
- → Browse the full DataWater threat intelligence archive →
Sources and further reading
- SecurityWeek — Cisco Warns of 7th SD-WAN Zero-Day Exploited in 2026
- Bleeping Computer — New Cisco SD-WAN Flaw Exploited in Zero-Day Attacks to Gain Root
- Cybersecurity Dive — Cisco Warns Zero-Day Flaw in SD-WAN Is Being Exploited
- Cyberpress — Cisco SD-WAN Flaw Exploited to Execute Root-Level Commands
- Cisco PSIRT — Official Advisory cisco-sa-sdwan-privesc-4uxFrdzx (CVE-2026-20245)
DataWater publishes daily cybersecurity intelligence for enterprise and government security leaders. Article #22 — June 5, 2026. Previous: White House AI EO (June 4) · CVE-2026-8732 WP Maps Pro (June 3) · CVE-2026-0257 Palo Alto PAN-OS (June 2) · CISA Nx Console / GitHub (May 29) · CVE-2026-34926 Trend Micro Apex One (May 26). Browse the full threat brief archive →
