By: RedLegg's Cyber Threat Intelligence Team
About:
CVE-2026-20245 is a high-severity authenticated privilege escalation vulnerability in Cisco Catalyst SD-WAN Manager that is seeing limited exploitation in the wild. Attackers with netadmin access can execute arbitrary commands with root privileges and push unauthorized configuration changes to edge devices. Organizations should upgrade affected systems, audit configurations, and closely monitor administrative activity.
RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats that we classify at the highest severity level and that warrant out-of-band emergency patching or mitigation action.
VULNERABILITIES
Authenticated Privilege Escalation Vulnerability in Cisco Catalyst SD-WAN Manager.
Identifier: CVE-2026-20245
PoC or Exploitation: Cisco has observed limited exploitation of this vulnerability resulting in configuration changes being pushed to edge devices.
CVSS Score: 7.8 (High, CVSS v3.1)
Update / Patch:
Cisco has released security guidance and recommends customers upgrade to the fixed software referenced in Cisco's remediation advisories and validate edge-device configurations.
Affected versions include:
Cisco Catalyst SD-WAN Manager (formerly Cisco SD-WAN vManage)
Affected deployment types include:
- On-Prem Deployment
- Cisco SD-WAN Cloud-Pro
- Cisco SD-WAN Cloud (Cisco Managed)
- Cisco SD-WAN for Government (FedRAMP)
Cisco states the vulnerability affects Cisco Catalyst SD-WAN Manager regardless of device configuration.
Cisco advisory and remediation guidance: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-privesc-4uxFrdzx
Related Cisco remediation advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa2-v69WY2SW
Description:
CVE-2026-20245 is an authenticated privilege escalation vulnerability affecting Cisco Catalyst SD-WAN Manager.
An authenticated attacker with netadmin privileges could exploit the vulnerability by supplying a crafted file to the affected system. Successful exploitation could allow the attacker to execute arbitrary commands on the underlying operating system with root privileges.
Mitigation Recommendation:
Immediately identify all Cisco Catalyst SD-WAN Manager deployments and determine whether affected software is in use.
Review SD-WAN Manager audit logs, system logs, and configuration histories for unauthorized changes, particularly configuration updates pushed to edge devices.
Restrict administrative access to trusted personnel and review netadmin account activity for anomalies.
Investigate systems for indicators of compromise if unauthorized configuration changes are identified.
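One way to triage the audit-log review recommended above, shown as an added example that is not Cisco's or RedLegg's code: it flags configuration pushes to edge devices that fall outside site baselines. The record field names, account names, addresses and change windows are constructed assumptions, not the SD-WAN Manager log schema, and must be mapped to your own audit-log export.

```python
import ipaddress
import json
from datetime import datetime

# Constructed sample records. The field names (ts, user, src_ip, action,
# target) are assumptions for illustration, not the SD-WAN Manager log schema.
SAMPLE_AUDIT = """\
{"ts": "2026-01-12T14:05:00+00:00", "user": "alice", "src_ip": "10.0.5.20", "action": "config_push", "target": "edge-01"}
{"ts": "2026-01-13T02:41:00+00:00", "user": "alice", "src_ip": "10.0.5.20", "action": "config_push", "target": "edge-02"}
{"ts": "2026-01-13T02:47:00+00:00", "user": "svc-backup", "src_ip": "198.51.100.7", "action": "config_push", "target": "edge-03"}
{"ts": "2026-01-13T09:00:00+00:00", "user": "bob", "src_ip": "10.0.5.31", "action": "login", "target": "manager"}
"""

# Site-specific baselines (constructed values): who may push configuration,
# from which management networks, and during which approved change windows.
APPROVED_ADMINS = {"alice", "bob"}
MGMT_NETS = [ipaddress.ip_network("10.0.5.0/24")]
CHANGE_WINDOWS = [(datetime.fromisoformat("2026-01-12T13:00:00+00:00"),
                   datetime.fromisoformat("2026-01-12T17:00:00+00:00"))]


def review_config_pushes(log_text):
    """Return (record, reasons) for each config push that breaks a baseline."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("action") != "config_push":
            continue  # only changes pushed to edge devices are in scope here
        reasons = []
        if rec["user"] not in APPROVED_ADMINS:
            reasons.append("account not on approved admin list")
        src = ipaddress.ip_address(rec["src_ip"])
        if not any(src in net for net in MGMT_NETS):
            reasons.append("source outside management networks")
        ts = datetime.fromisoformat(rec["ts"])
        if not any(start <= ts <= end for start, end in CHANGE_WINDOWS):
            reasons.append("outside approved change window")
        if reasons:
            findings.append((rec, reasons))
    return findings


if __name__ == "__main__":
    for rec, reasons in review_config_pushes(SAMPLE_AUDIT):
        print(rec["ts"], rec["user"], rec["target"], "->", "; ".join(reasons))
```

Each finding is a lead for the configuration-history review, not proof of compromise: compare the flagged push against the edge device's previous configuration before acting on it.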