Active Exploitation Zero-Day

CVE-2026-20245: Cisco's 7th 2026 SD-WAN Zero-Day Walks netadmin Straight to Root, No Patch Available

June 5, 2026·8 min read·Chris Boker
Cisco Catalyst SD-WAN Manager privilege escalation zero-day

On June 5, 2026, Cisco published advisory cisco-sa-sdwan-privesc-4uxFrdzx for CVE-2026-20245, a CVSS 7.8 privilege escalation flaw in Cisco Catalyst SD-WAN Manager that is already being exploited in the wild and ships with no fix and no workaround. The Cisco PSIRT credits Google Cloud's Mandiant team with the exploitation report, which according to the vendor advisory makes this the seventh actively exploited Catalyst SD-WAN zero-day Cisco has disclosed in 2026 alone (Cisco PSIRT, IT Security News).

The root cause is insufficient validation of user-supplied input in the SD-WAN Manager CLI: an authenticated attacker who already holds netadmin-level privileges supplies a crafted file to the controller, and the contents of that file execute as commands running with root authority on the underlying box (BleepingComputer). The advisory explicitly warns that adversaries who have previously parked themselves at netadmin through the earlier CVE-2026-20182 and CVE-2026-20127 disclosures can now chain straight through to a full root shell on the controller without any further effort on the front door (Cisco PSIRT).

Cisco confirms that all currently supported releases of Catalyst SD-WAN Manager are affected, across every deployment model the product ships in, which covers on-premises installations, Cisco SD-WAN Cloud-Pro, the fully managed Cisco SD-WAN Cloud, and the FedRAMP authorized Cisco SD-WAN for Government variant. No fixed software train exists today; the advisory states only that the bug will be repaired in a future release, and that defenders should monitor /var/log/scripts.log for anomalous tenant configuration uploads as the published indicator of compromise (Cisco PSIRT).

Quick status: If you run Catalyst SD-WAN Manager in any deployment model, treat every controller as exposed to a root escalation today and assume any netadmin account compromised in 2026 is now a root account on the management plane. There is no patch and no vendor workaround, so the live response is hardening, account audit, and log review until the fixed build ships.

Why this class of risk slips past your program

A 7.8 chained off two already public netadmin paths is in many ways the worst flavor of finding a fleet operator can get this week. Program owners who patched the earlier disclosures on schedule still have an unfixed root escalation waiting for any netadmin foothold that has not been rotated, while program owners who deferred the earlier remediation are now stacked into a two-stage exploit chain that ends at full controller compromise. The CVSS vector reads as authenticated, which makes the finding look like an insider problem rather than an internet-facing one, and authenticated network appliance flaws frequently drop down the queue while teams chase unauthenticated 9.8 ratings that have no confirmed exploitation behind them.

SD-WAN Manager is also one of the few control planes where a root shell is not academic, because the controller orchestrates routing policy, certificate trust, and tenant configuration across every downstream WAN edge, so root on the manager is functionally a license to redirect production traffic for every site that controller administers. The Talos team's ongoing write-up on the broader Catalyst SD-WAN intrusion set makes the point that the same victim pattern keeps reappearing across the 2026 disclosures, because the management plane was historically built for operator convenience rather than for hostile abuse, and seven exploited zero-days in a single year reflect sustained interest from a capable adversary rather than opportunistic scanning (Cisco Talos).

Prioritizing with TRIS

A raw CVSS triage would file CVE-2026-20245 at 7.8 and below several unrelated 9 and above CVEs that nobody is actually exploiting this week, which is the standard failure mode that TRIS, the multi-layer Threat and Risk Intelligence Scoring inside CVEasy AI, was built to correct. TRIS weighs the three signals that actually decide whether a finding is urgent in your environment:

  • Active exploitation. The PSIRT advisory confirms in the wild exploitation via Mandiant reporting, Talos has a public write-up on the broader Catalyst SD-WAN intrusion set, and the bug is the seventh confirmed in the wild SD-WAN zero-day Cisco has disclosed in a single year, all of which push the alert to the top of the queue regardless of the base score (Cisco Talos, IT Security News).
  • Blast radius. The vulnerable surface is the SD-WAN Manager itself, so root on a successful exploit propagates policy, routing, and tenant configuration changes to every site that controller orchestrates, which TRIS treats as a network wide exposure rather than a single appliance issue.
  • Real exposure. TRIS narrows the alert to the controllers you actually run with the netadmin population you actually have, including any operator account in use since the earlier CVE-2026-20182 and CVE-2026-20127 fixes shipped, so the page that fires for the on call engineer is the short list of vManage clusters that matter.

The product of those three layers is a defensible ranking of which Catalyst SD-WAN cluster you touch first, which you schedule next, and which you can leave for the regular maintenance window.

Remediation steps

  1. Subscribe to advisory cisco-sa-sdwan-privesc-4uxFrdzx and apply the fixed software release the moment Cisco publishes one. There is no patch and no workaround as of today, so the upgrade path is still on Cisco's side, and the only durable remediation is the fixed build (Cisco PSIRT).
  2. Restrict access to SD-WAN Manager management interfaces to a tight allowlist of administrative IP ranges through interface ACLs and management VLAN segmentation, which keeps the exploit surface to the operators you intend to support rather than every authenticated session reachable from corporate networks.
  3. Audit every netadmin and SD-WAN administrator account for unauthorized additions, password reuse, and dormant credentials, and rotate any account that is not actively needed, because the precondition for exploitation is netadmin presence and that is the lever you can pull today.
  4. Pull /var/log/scripts.log on every controller and review for anomalous tenant configuration uploads, which the vendor advisory calls out as the published indicator of compromise to watch for malicious file delivery through the CLI vector (Cisco PSIRT).
  5. Treat the earlier CVE-2026-20182 and CVE-2026-20127 patching as a prerequisite rather than a separate workstream, because the fixed releases for those bugs close the most accessible paths into the netadmin role, so an unpatched controller that is still vulnerable to either earlier disclosure is the most exposed asset in the fleet today.

The fix is the upgrade, not the lockdown. ACLs and account audits make the controller harder to reach and slower to abuse, but the vulnerable code path lives on the box, so a fixed build is the only durable remediation. Everything before it is bridge work that buys time rather than closes the door.
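As an added illustration of steps 2 through 4 above (example code, not Cisco's tooling or anything from the original post): a small Python review script that reads scripts.log-style lines and flags tenant configuration uploads made by accounts outside the approved netadmin set or from addresses outside the management allowlist. The line layout, the action keyword, and the account and network values are assumptions, since the advisory names the file but the page does not document its format.

```python
import ipaddress
import re

# Assumed line layout for /var/log/scripts.log (constructed for this example;
# the page names the file but does not document its format):
#   <ISO-8601 time> <account> <source-ip> <action> <free-form detail>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<action>\S+)\s*(?P<detail>.*)$"
)
UPLOAD_ACTION = "tenant_config_upload"  # assumed action keyword

# Defender-owned baselines (constructed): the accounts that should still hold
# netadmin after the step-3 audit, and the management allowlist from step 2.
APPROVED_NETADMINS = {"noc-alice", "noc-bob"}
ADMIN_ALLOWLIST = [ipaddress.ip_network("10.20.30.0/24")]


def review_scripts_log(lines, approved=APPROVED_NETADMINS, allowlist=ADMIN_ALLOWLIST):
    """Return one finding per anomalous tenant configuration upload.

    An upload is anomalous when the account is not on the approved netadmin
    list or the source address is outside the management allowlist. Lines that
    do not match the assumed layout are skipped rather than trusted.
    """
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["action"] != UPLOAD_ACTION:
            continue
        reasons = []
        if m["user"] not in approved:
            reasons.append("unapproved account")
        src = ipaddress.ip_address(m["ip"])
        if not any(src in net for net in allowlist):
            reasons.append("source outside admin allowlist")
        if reasons:
            findings.append({"ts": m["ts"], "user": m["user"], "ip": m["ip"],
                             "detail": m["detail"], "reasons": reasons})
    return findings


# Constructed sample: a login, one benign upload, one upload by an unapproved
# account from outside the allowlist, one approved account uploading from
# outside the allowlist, and one unparseable line.
SAMPLE_LOG = """\
2026-06-05T08:12:41Z noc-alice 10.20.30.15 login ok
2026-06-05T08:14:02Z noc-alice 10.20.30.15 tenant_config_upload tenant=acme file=acme.cfg
2026-06-05T23:47:19Z svc-backup 198.51.100.77 tenant_config_upload tenant=acme file=t.cfg
2026-06-05T23:48:01Z noc-bob 203.0.113.9 tenant_config_upload tenant=globex file=g.cfg
this line is truncated and does not parse
"""

if __name__ == "__main__":
    for f in review_scripts_log(SAMPLE_LOG.splitlines()):
        print(f"{f['ts']} {f['user']}@{f['ip']}: {', '.join(f['reasons'])} ({f['detail']})")
```

Feed it the real file with `review_scripts_log(open("/var/log/scripts.log").readlines())` once the regex is adjusted to the controller's actual line layout.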

How CVEasy AI surfaces this

When a network control plane zero-day with confirmed in the wild exploitation lands without a patch, CVEasy AI pulls in the PSIRT advisory, the Talos write-up, and the BleepingComputer reporting within minutes and runs the result through TRIS against the inventory that lives entirely on your own hardware. The platform answers the questions that matter in the first hour: which of your Catalyst SD-WAN Manager clusters are exposed today, which netadmin accounts have a foothold path through the earlier 20182 or 20127 disclosures, and which controllers still need those earlier fixes applied before any chain can be closed off. As the number one local-first CTEM platform, CVEasy AI keeps that picture of your control plane on your side of the wire and surfaces the bridge actions you can take now alongside the upgrade you will take the moment Cisco ships the fix.
