What's new since our May post: Our earlier coverage focused on CVE-2026-20182, the authentication bypass patched on May 14, 2026. This post covers a brand-new, separate zero-day — CVE-2026-20245 — that was disclosed in June, is currently being exploited in the wild, and has no patch or workaround available as of this writing.
There's a particular kind of security nightmare that keeps IT professionals up at night: a vulnerability that's being actively exploited with zero fix available. That's exactly where Cisco customers find themselves this week.
The Hacker News reports that Cisco has confirmed a high-severity zero-day flaw — tracked as CVE-2026-20245 with a CVSS score of 7.8 out of 10 — in Cisco Catalyst SD-WAN Manager is under active attack. No patch exists. No workaround exists. And Cisco has already observed real-world cases where exploitation resulted in configuration changes being pushed out to edge devices on customer networks.
If your business runs any kind of Cisco SD-WAN infrastructure, this needs your attention today.
First: What Is SD-WAN, in Plain English?
SD-WAN stands for Software-Defined Wide Area Network. If that sounds like alphabet soup, here's the simple version: it's the technology many businesses use to connect multiple office locations, remote workers, and cloud services over a single managed network — all controlled through a central software dashboard instead of a pile of hardware routers at every site.
The "Manager" component (formerly called SD-WAN vManage) is that central control dashboard. It's the nerve center of the whole operation. If an attacker compromises it, they don't just get into one computer — they potentially get the keys to your entire network topology and can push configuration changes to every connected device.
That's what makes this vulnerability so serious.
What Does CVE-2026-20245 Actually Do?
According to Help Net Security, the flaw lives in the command-line interface of Cisco Catalyst SD-WAN Manager and stems from insufficient validation of user-supplied input. An authenticated attacker can exploit it by uploading a specially crafted file to the system, which triggers a command injection attack and elevates their privileges all the way to root — the highest possible level of system access.
Think of it like this: the Manager is a secured building. An attacker who gets inside as a regular employee (netadmin-level access) can use this flaw to forge a master keycard and access every room in the building.
The catch is that the attacker needs netadmin-level credentials to start. But as Security Affairs notes, that's not as big a barrier as it sounds — those credentials can be obtained through stolen passwords or by chaining this attack with two other previously disclosed Cisco SD-WAN vulnerabilities: CVE-2026-20182 (a CVSS 10.0 authentication bypass disclosed in May) and CVE-2026-20127 (another authentication bypass that a "highly sophisticated" threat actor has been exploiting since 2023).
CVE-2026-20245 is actually the seventh Cisco SD-WAN flaw flagged as actively exploited this year alone, per The Hacker News. The others include CVE-2026-20182, CVE-2026-20127, CVE-2026-20122, CVE-2026-20128, CVE-2026-20133, and CVE-2022-20775.
Who Is Affected?
This vulnerability affects all Cisco Catalyst SD-WAN Manager deployment types, including:
- On-Premises Deployment
- Cisco SD-WAN Cloud-Pro
- Cisco SD-WAN Cloud (Cisco Managed)
- Cisco SD-WAN for Government (FedRAMP)
If your business or your managed service provider runs any of these, you're in scope. Cisco has also specifically warned that internet-exposed systems face heightened risk.
The vulnerability was discovered and reported by Google Mandiant researchers Chester Sng, Pete Boonyakarn, and Logeswaran Nadarajan.
What to Do Right Now — Interim Steps While Waiting for a Patch
There is currently no patch and no workaround for CVE-2026-20245. That's frustrating, but it doesn't mean you're helpless. Here's the priority checklist:
1. Apply the May 14 Fixes First
Cisco's current guidance is to upgrade to the fixed software documented in the CVE-2026-20182 advisory released on May 14, 2026. While this doesn't fix CVE-2026-20245 directly, it closes the authentication bypass door that attackers are using to get in before escalating privileges.
2. Collect Admin-Tech Files Before You Upgrade
This is critical and easy to miss. Help Net Security emphasizes Cisco's specific guidance: run the request admin-tech command on every control component in your SD-WAN deployment before upgrading. These files preserve potential indicators of compromise. If you upgrade first and find out later you were already breached, important forensic evidence may be gone.
3. Check Your Log Files for Signs of Compromise
Look in /var/log/scripts.log for entries referencing commands like vconfd_script_upload_tenant_list.sh. As Security Affairs notes, these are legitimate commands too — so compare against your baseline activity. Anything that looks out of place in timing or file paths warrants a closer look.
4. If You Find Indicators of Compromise — Don't Just Patch
This is a warning worth highlighting in bold: patching a compromised system does not clean it. As Security Affairs puts it, applying the software update to an already-compromised system just gives you "a patched, compromised system." If your logs show signs of exploitation, open a TAC case with Cisco immediately and bring your admin-tech file. Cisco's Technical Assistance Center will provide specific remediation steps.
5. Verify Edge Device Configurations
Cisco has observed cases where exploitation resulted in configuration changes being pushed to edge devices. After applying the May 14 patches, review the configuration of your edge devices to make sure nothing has been silently altered.
6. Limit Internet Exposure of the Manager Interface
If your SD-WAN Manager is internet-facing, consider restricting access to trusted IP ranges or placing it behind a VPN until a patch is available. Cisco has specifically flagged internet-exposed systems as being at heightened risk.
The Bigger Picture
This situation reflects a growing pattern in enterprise network security: sophisticated threat actors aren't just exploiting a single vulnerability in isolation — they're chaining multiple flaws together to build a path from initial access all the way to root. The UAT-8616 threat cluster, for example, has been leveraging CVE-2026-20127 since as far back as 2023.
For Yuba City businesses that rely on multi-site networking or cloud-connected infrastructure, the lesson here is that network management platforms deserve the same security scrutiny as servers and workstations. The management console is often the highest-value target in an enterprise environment — precisely because it controls everything else.
If you're a /business owner unsure whether your network infrastructure includes Cisco SD-WAN components, or if you've inherited an IT environment that you're not fully familiar with, now is a good time to find out. We're happy to help assess your setup if you're not sure where to start.
Keep an eye on Cisco's security advisories page for patch availability — when the fix for CVE-2026-20245 drops, it should be treated as an emergency update.
