Exploited Flaw in Cisco SD-WAN Manager (CVE-2026-20245) Can Seize Root
Cisco Catalyst SD-WAN Manager (formerly vManage), which manages an enterprise's whole network, has a flaw already confirmed in attacks (CVE-2026-20245). On success, attackers seize the device's highest privilege and can push unauthorized config changes to edge devices. Cisco has released the fix 20.18.3.1; there is no workaround, so updating is required. Here are the affected versions and what to do now.

Makoto Horikawa
Backend Engineer / AWS / Django
A product that acts like the command center for an entire corporate network has a flaw (a security weakness) that has been confirmed in real-world attacks. The product is Cisco Catalyst SD-WAN Manager (formerly vManage), the "management server" that pushes configuration in bulk to the networking gear sitting at an organization's branches — the hub of an enterprise or government wide-area network. The flaw is tracked as CVE-2026-20245.
Cisco itself disclosed that it became aware in June 2026 that this flaw was being exploited, and it acknowledged observing cases where attacks pushed unauthorized configuration changes down to edge devices. The U.S. agency CISA has added it to its Known Exploited Vulnerabilities (KEV) catalog. Its CVSS base score is 7.8 out of 10. The attack requires admin privileges, but as explained below, the real problem is its use as the "final step" of an attack that chains other flaws to seize privilege.
Cisco has released the fix in 20.18.3.1, and there is no workaround (no setting to mitigate it). So the only remedy is to update. This article explains, in plain terms, what Cisco SD-WAN Manager does, what this flaw allows, which versions are affected and what to patch, and why the network's command center keeps getting targeted.
Which versions are affected, and how to update
The bottom line first. Cisco Catalyst SD-WAN Manager 20.18.2.1 and all earlier releases are affected by CVE-2026-20245; the flaw is resolved in the fixed release 20.18.3.1. Cisco provides no workaround; the only remedy is to update. Since exploitation has already been observed, organizations running an affected release should prioritize updating.
| Your version | Status | What to do now |
|---|---|---|
| 20.18.3.1 or later | Fixed | No action needed for this flaw |
| 20.18.2.1 or earlier | Affected (exploitation observed) | Update to 20.18.3.1; there is no workaround |
Note that exploiting this flaw requires "network administrator (netadmin)" privileges. That sounds like a high bar, but Cisco also disclosed, around the same time, separate flaws for breaking in and gaining privilege (CVE-2026-20182 and CVE-2026-20127). An attacker can combine those to obtain privilege, then use CVE-2026-20245 as the last step to escalate to root (the system's highest privilege). For that reason, it's important to apply the related updates as well.
What Cisco SD-WAN Manager does, and what the flaw causes
Cisco Catalyst SD-WAN Manager (formerly vManage) is a product that lets enterprises and government agencies manage the networks at all their sites — nationwide or worldwide — from a single screen. It is the command center that pushes configuration and security policy from the center to the networking gear (routers, etc.) at head offices, branches, stores, and factories. By its nature, controlling this management server means reaching the organization's entire network.
The flaw is in this product's command-input area (the CLI). Per NVD (the U.S. vulnerability database) and Cisco, because input is insufficiently checked, an attacker who supplies a crafted file can have its contents executed as system commands (OS command injection). On success, the attacker can run arbitrary commands as root (the highest privilege) on the management server. It is classed as privilege escalation (raising the privilege you already hold), rated 7.8. With the highest privilege, tampering with configuration and planting other implants both become possible.
As noted, the attack requires network-administrator privileges. But don't be reassured that "only a legitimate admin could abuse it." Stolen admin credentials can be used, or an attacker can gain privilege via the separate flaws Cisco disclosed at the same time and then reach root with this one. In fact, exploitation close to this combination has already been observed in the real world — that is what makes this case stand out.
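To make the bug class concrete, here is an added illustration of CWE-78 (OS command injection through a file name handed to a command-line handler), showing a vulnerable handler next to a hardened one. This is example code written for this article; it is not Cisco's code and does not reproduce the SD-WAN Manager code path, which is not public. The upload directory, the allow-list pattern and the `cat` command are assumptions made for the example.

```python
"""
CWE-78 illustration: a CLI handler that takes a file name.
Constructed example; not Cisco's code and not the SD-WAN Manager code path.
"""
import re
import subprocess
from pathlib import Path

# Assumption for the example: operator-supplied files live only here.
UPLOAD_DIR = Path("/tmp/uploads")
# Allow-list for names: letters, digits, dot, underscore, hyphen.
# No path separators, spaces or shell metacharacters get through.
SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def vulnerable_command(filename: str) -> str:
    """VULNERABLE: untrusted input is spliced into a shell command string."""
    return f"cat {filename}"


def run_vulnerable(filename: str) -> subprocess.CompletedProcess:
    # shell=True hands the string to /bin/sh, so a "file name" such as
    # 'x; id' runs 'cat x' and then 'id', as whoever owns this process.
    # If the handler runs as root, so does the injected command.
    return subprocess.run(vulnerable_command(filename), shell=True,
                          capture_output=True, text=True)


def safe_argv(filename: str) -> list[str]:
    """HARDENED: allow-list the name, confine it to UPLOAD_DIR, build argv."""
    if not SAFE_NAME.match(filename):
        raise ValueError(f"rejected file name: {filename!r}")
    target = (UPLOAD_DIR / filename).resolve()
    # '.' and '..' satisfy the regex, so the resolved path is checked too.
    if target.parent != UPLOAD_DIR.resolve():
        raise ValueError(f"path escapes upload directory: {filename!r}")
    return ["/bin/cat", str(target)]


def run_safe(filename: str) -> subprocess.CompletedProcess:
    # No shell is involved: metacharacters are just bytes inside one argument.
    return subprocess.run(safe_argv(filename), shell=False,
                          capture_output=True, text=True)


def rejects(filename: str) -> bool:
    """True if the hardened path refuses this name."""
    try:
        safe_argv(filename)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    payload = "x; id"
    print("vulnerable handler would pass to /bin/sh:", vulnerable_command(payload))
    for name in ("report.txt", payload, "../etc/passwd", ".."):
        verdict = "rejected" if rejects(name) else safe_argv(name)
        print(f"{name!r:18} -> {verdict}")
```

The hardened version does two independent things: it refuses anything outside a small allow-list before a path is even built, and it never lets a shell parse the input at all. Quoting the argument for the shell would close the `;` trick but still leaves a shell in the loop; passing an argv list removes it.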
Who targets this command center, and what they're after
You might think, "this is about internal network gear; it has nothing to do with me." But what SD-WAN Manager ties together is the communications of everyone who works there. Email, access to business systems, traffic between sites — it all flows over devices that this command center configures. That's exactly why, to an attacker, it looks like an extraordinarily efficient target: seize one spot and you can issue orders to the whole network. The fact that exploitation has already been observed means people who want that value are actively at work.
The ones coming for it are not an abstract "hacker." Concretely, they are state-backed espionage groups who want to lurk in the network long-term and siphon information, ransomware crews who settle in, encrypt data, and demand payment, and initial-access brokers who steal and resell the way into corporate networks. Networking gear and its management products are precisely the entry points such groups have focused on most in recent years. What they want is the contents of traffic flowing across sites, and the very power to bend the network's behavior to their will. The moment root on the management server is seized via CVE-2026-20245, command over the organization's network passes straight to the attacker.
What's frightening is that the damage doesn't end at one management server. As Cisco itself observed, an attacker can push unauthorized configuration changes from this command center down to the edge devices. That means operations like quietly rerouting traffic to an attacker's server, cutting off specific sites, or stealthily loosening monitoring and defenses can be carried out across all sites at once. Seize the center, and the contamination cascades to the edges — that is the essence of an attack on a network's command center.
And the ones left holding the stopped traffic and the leaked data are the IT and network teams that run the device and that organization's users. Outages and delays in site-to-site traffic, eavesdropping on confidential exchanges, investigating and undoing malicious config spread to every site, explanations to partners and regulators — the number 7.8 is only a technical gauge, and what an organization actually loses when this command center is seized is this broad and this deep. With a fix already out, whether you apply it now is what decides whether you become the one who gets hit.
Already exploited: the observed harm, and a recurring pattern
What makes this heavy is that it's not "theoretically dangerous" but "already in use." Cisco PSIRT (the company's security response team) became aware of exploitation in June 2026 and disclosed that, in limited cases, attacks pushed configuration changes down to edge devices. The flaw was found and reported by researchers at Mandiant (a Google company): Chester Sng, Pete Boonyakarn, and Logeswaran Nadarajan. That Mandiant — which tracks many targeted attacks — is involved also suggests this is drawing the interest of sophisticated actors.
Networking gear and its management products being targeted is not unique to this case. Devices placed at the "edge of an organization," like VPNs and management servers, have been a top priority for attackers for several years. We've covered other such perimeter products too, including the Ivanti Sentry takeover flaw and an urgent Cisco FMC CVE. As long as seizing one central management device reaches everything, this kind of attack will recur. That's exactly why, for a flaw with observed exploitation, applying the released update promptly is what helps most.
From disclosure to response
Here is the timeline from when CVE-2026-20245 was disclosed to when exploitation was confirmed and the fix was provided.
How to read the risk right now
✓ Confirmed facts
- ✓ CVE-2026-20245 is an input-validation flaw in the CLI of Cisco Catalyst SD-WAN Manager; a netadmin-privileged attacker can run commands as root (privilege escalation). Rated 7.8 (NVD / Cisco)
- ✓ Cisco PSIRT became aware of exploitation in June 2026, observing limited cases where config changes were pushed to edge devices. CISA added it to KEV
- ✓ Affected: 20.18.2.1 and earlier; fixed in 20.18.3.1. No workaround; updating is the only remedy. Found by Google's Mandiant
? Not yet confirmed
- ? The attackers' identity and the scale of harm: who exploited it, and how widely, is not disclosed at publication time. Cisco describes it as "limited"
- ? The exact path to privilege, whether via stolen credentials or the related CVEs (CVE-2026-20182 / 20127); the breakdown of real-world methods is not disclosed
Stated plainly: the attack requires admin privileges, and the harm is described as "limited" for now. At the same time, "exploitation already observed, root on success, edge devices manipulable, and no workaround" means the risk of doing nothing is enormous. And the fix is already out. Rather than scrambling once exploitation spreads, updating now is the surest move.
What to do now
If you run Cisco Catalyst SD-WAN Manager, your to-do list centers on updating:
- Check your version; if it is 20.18.2.1 or earlier, treat it as affected and update to the fix 20.18.3.1 as soon as possible
- Also apply the fixes for the related flaws that can be abused to gain privilege (CVE-2026-20182 and CVE-2026-20127)
- Review your administrator (netadmin) accounts: prune unnecessary privileges and revisit credentials (change passwords, enable multi-factor authentication)
- Because exploitation is already observed, check your configuration history and change logs for unauthorized config pushed to edge devices
- Restrict who can connect to the management console (the management server) to only what's necessary, so it is not directly reachable from the internet or unneeded networks
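The first and fourth items on that list are the ones most easily botched at scale: comparing release strings as text (where "20.9.5.1" sorts above "20.18.3.1") mis-triages hosts, and reading a change log by eye misses pushes that only look normal. The following added script, written for this article and not part of Cisco's tooling, does both checks over a constructed inventory and a constructed audit export. The host names, the simplified audit record schema, the approved operator accounts and the change window are all assumptions made for the example; real SD-WAN Manager audit data has its own format and would need to be mapped onto these fields.

```python
"""
Triage helper for the to-do list above:
 (1) per manager, is the release below the fixed build 20.18.3.1?
 (2) which configuration pushes in an audit export fall outside the
     approved operators or the change window?
Constructed example; the inventory and audit records are made up and use a
simplified schema, not Cisco's own export format.
"""
from datetime import datetime, timezone

FIXED_RELEASE = "20.18.3.1"   # fixed release named in the Cisco advisory

# Assumptions for the example: who may push templates, and when (UTC hours).
APPROVED_PUSHERS = {"ops-alice", "ops-bob"}
CHANGE_WINDOW_UTC_HOURS = {22, 23, 0, 1, 2, 3}


def parse_release(text: str) -> tuple[int, ...]:
    """'20.18.2.1' -> (20, 18, 2, 1). Compare as numbers, never as strings:
    as strings '20.9.5.1' > '20.18.3.1' and would be mis-triaged as fixed."""
    return tuple(int(part) for part in text.strip().split("."))


def compare_releases(a: str, b: str) -> int:
    """-1 if a < b, 0 if equal, 1 if a > b. Shorter tuples are zero-padded,
    so '20.18.3' sorts below '20.18.3.1'."""
    pa, pb = parse_release(a), parse_release(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return (pa > pb) - (pa < pb)


def is_affected(release: str) -> bool:
    """Conservative rule: anything below the fixed build is treated as
    affected (the advisory lists 20.18.2.1 and earlier)."""
    return compare_releases(release, FIXED_RELEASE) < 0


def triage(inventory: dict[str, str]) -> dict[str, str]:
    """Map host -> verdict for a {host: release} inventory."""
    return {
        host: (f"AFFECTED: update to {FIXED_RELEASE}" if is_affected(rel) else "fixed")
        for host, rel in inventory.items()
    }


def suspicious_pushes(entries: list[dict]) -> list[dict]:
    """Template pushes to edge devices by a non-approved account or outside
    the change window. Anything flagged needs a human to confirm it."""
    flagged = []
    for entry in entries:
        if entry["action"] != "template_push":
            continue
        when = datetime.fromisoformat(entry["ts"].replace("Z", "+00:00"))
        when = when.astimezone(timezone.utc)
        reasons = []
        if entry["user"] not in APPROVED_PUSHERS:
            reasons.append("unapproved account")
        if when.hour not in CHANGE_WINDOW_UTC_HOURS:
            reasons.append("outside change window")
        if reasons:
            flagged.append({**entry, "reasons": reasons})
    return flagged


# Constructed inventory and audit export (hypothetical schema).
INVENTORY = {
    "vmanage-hq": "20.18.2.1",
    "vmanage-dr": "20.18.3.1",
    "vmanage-lab": "20.9.5.1",
    "vmanage-apac": "20.18.3",
}
AUDIT_EXPORT = [
    {"ts": "2026-06-01T23:10:00Z", "user": "ops-alice", "action": "template_push", "devices": ["br-01", "br-02"]},
    {"ts": "2026-06-02T14:47:00Z", "user": "ops-alice", "action": "template_push", "devices": ["br-07"]},
    {"ts": "2026-06-03T02:05:00Z", "user": "svc-backup", "action": "template_push", "devices": ["br-01", "br-03", "br-09"]},
    {"ts": "2026-06-03T02:06:00Z", "user": "svc-backup", "action": "login", "devices": []},
]

if __name__ == "__main__":
    for host, verdict in triage(INVENTORY).items():
        print(f"{host:14} {INVENTORY[host]:10} {verdict}")
    for entry in suspicious_pushes(AUDIT_EXPORT):
        print("REVIEW:", entry["ts"], entry["user"], entry["devices"], ", ".join(entry["reasons"]))
```

The flagged pushes are leads, not verdicts: the next step is to diff what each flagged push actually delivered to the listed devices against the intended template, and to treat the account behind an unapproved push as a credential to rotate.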
With exploitation already observed, do not leave an affected version in place. Because there is no workaround this time, the longer you defer, the more the risk piles up of privilege being seized and edge devices being manipulated. If you find signs of intrusion, don't stop at updating — pair it with reviewing the configurations that were pushed and rotating credentials.
FAQ
Q. If it needs admin privileges, isn't it not that dangerous?
Don't let your guard down. Admin credentials can be stolen and used, or an attacker can gain privilege via the separate flaws Cisco disclosed at the same time (CVE-2026-20182 and CVE-2026-20127) and then reach root with this one. Exploitation close to this has already been observed, so don't assume "only a legitimate admin could use it."
Q. Is there a workaround?
Cisco provides no workaround to mitigate via settings. The only remedy is to update to the fix 20.18.3.1. Since exploitation has been observed, prioritize updating if you run an affected version.
Q. What is SD-WAN Manager?
It's a product (formerly vManage) that lets enterprises and government agencies manage the networks at all their sites from a single screen. It is the "command center" that pushes configuration in bulk to networking gear at each site, so seizing it affects the organization's entire network.
Q. Does this concern ordinary individual users?
The direct target is the network teams of enterprises and government agencies that run this product. There is no direct impact on personal devices. That said, if a service you use relies on a network managed by this product, the stability or security of your communications could be affected indirectly.
In summary
CVE-2026-20245 is a flaw — already confirmed in attacks — in Cisco Catalyst SD-WAN Manager (formerly vManage), the command center of an enterprise network. Due to insufficient validation in the command-input area, an attacker with network-administrator privileges can run commands as root, and Cisco disclosed observing cases where unauthorized config changes were pushed down to edge devices. It is rated 7.8, affects 20.18.2.1 and earlier, and is resolved in 20.18.3.1. There is no workaround.
The need for admin privileges is a hurdle, but stolen credentials or chaining with the separate flaws Cisco disclosed at the same time can clear it. CISA has also added it to KEV, so exploitation is already real. If you run Cisco SD-WAN Manager, update promptly to 20.18.3.1, including the related fixes, and check for unauthorized config changes and signs of intrusion along the way. For a device you've entrusted with command of your organization's network, this is not a fix to put off.
References
- Cisco Security Advisory - Catalyst SD-WAN Manager Authenticated Privilege Escalation (CVE-2026-20245)
- NVD - CVE-2026-20245
- The Hacker News - Cisco Catalyst SD-WAN Manager CVE-2026-20245 actively exploited
- SC Media - Another Cisco Catalyst SD-WAN Manager bug actively exploited
- CWE-78: OS Command Injection