Second Cisco SD-WAN Zero-Day Chains From May's Auth Bypass — No Patch Available
CVE-2026-20245 is a privilege escalation zero-day in Cisco Catalyst SD-WAN Manager being actively exploited. It requires the access conditions created by CVE-2026-20182.
Cisco has disclosed a second actively exploited zero-day in Catalyst SD-WAN Manager. CVE-2026-20245 is a CLI command injection flaw that allows an authenticated attacker to execute arbitrary commands as root by uploading a crafted file. CVSS score: 7.8. No patch exists.
The flaw stems from insufficient input validation in the SD-WAN Manager CLI. An attacker uploads a crafted file, triggers command injection, and escalates to root. Cisco's advisory is explicit about the prerequisite: the attacker must already hold netadmin privileges — obtained through valid credentials, or through prior exploitation of CVE-2026-20182 or CVE-2026-20127.
In confirmed incidents, attackers exploited the flaw to push unauthorized configuration changes to edge devices. Google Mandiant researchers Chester Sng, Pete Boonyakarn, and Logeswaran Nadarajan reported the vulnerability. Cisco's PSIRT became aware of active exploitation in June.
The flaw affects all Catalyst SD-WAN deployment types: on-premises, Cloud-Pro, Cisco Managed Cloud, and FedRAMP.
Cisco has no dedicated patch for CVE-2026-20245 and no available workaround. Its current guidance is to apply the May 14 fixes for CVE-2026-20182 and verify edge device configuration state. To preserve log evidence, the guidance is to run request admin-tech on each SD-WAN control component before applying the May 14 update. IOCs in the form of specific log entries have been published in the advisory.
This is the seventh Cisco SD-WAN flaw confirmed as actively exploited in 2026.
Sources: Cisco Advisory · BleepingComputer · Help Net Security