CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership Jun 05, 2026

Cisco SD-WAN Vulnerability Exploited in the Wild to Execute Arbitrary Commands as Root User

Cybersecurity News Archived Jun 05, 2026 ✓ Full text saved

Cisco has disclosed a high-severity vulnerability in its Catalyst SD-WAN Manager that is actively being exploited in the wild, allowing attackers to execute arbitrary commands with root privileges. The issue, tracked as CVE-2026-20245, carries a CVSS score of 7.8 and stems from improper input validation in the system’s command-line interface. According to Cisco’s advisory, the […] The post Cisco SD-WAN Vulnerability Exploited in the Wild to Execute Arbitrary Commands as Root User appeared first

Full text archived locally
✦ AI Summary · Claude Sonnet


    HomeCyber Security News Cisco SD-WAN Vulnerability Exploited in the Wild to Execute Arbitrary Commands as Root User By Abinaya June 5, 2026 Cisco has disclosed a high-severity vulnerability in its Catalyst SD-WAN Manager that is actively being exploited in the wild, allowing attackers to execute arbitrary commands with root privileges. The issue, tracked as CVE-2026-20245, carries a CVSS score of 7.8 and stems from improper input validation in the system’s command-line interface. According to Cisco’s advisory, the flaw stems from insufficient sanitization of user-supplied input during the processing of uploaded files. An authenticated attacker can exploit this weakness by uploading a specially crafted file, which triggers command injection and enables privilege escalation to the root user. Once root access is obtained, attackers can fully compromise the SD-WAN management plane, manipulate configurations, and potentially impact connected edge devices. The attack requires netadmin-level privileges, meaning the threat is not directly exploitable by unauthenticated actors. Cisco SD-WAN Vulnerability Exploit However, Cisco warns that attackers may chain this vulnerability with other known flaws, such as CVE-2026-20182 or CVE-2026-20127, to gain the necessary access. This significantly increases the risk in real-world environments where credential compromise or chained exploitation is feasible. Cisco’s Product Security Incident Response Team (PSIRT) confirmed that the vulnerability has already been exploited in limited attacks. In observed cases, threat actors used the flaw to push unauthorized configuration changes to SD-WAN edge devices. This suggests post-exploitation activity aimed at persistence, lateral movement, or traffic manipulation within enterprise networks. The vulnerability affects all Cisco Catalyst SD-WAN Manager deployments, including on-premises, Cisco SD-WAN Cloud, Cloud-Pro, and government (FedRAMP) deployments. Systems exposed to the internet are considered at higher risk, especially if management interfaces are accessible externally. At the time of disclosure, Cisco had not released a software patch to address the issue, and no workarounds were available. The company has advised customers to upgrade to a previously released fixed software version referenced in its May 2026 advisory. However, a dedicated fix for this specific vulnerability is still pending. Cisco has provided guidance to help organizations detect potential compromise. Administrators are urged to review the scripts.log file located in /var/log/ for suspicious entries. One example is the execution of commands such as “/usr/bin/vconfd_script_upload_tenant_list.sh” with unexpected file paths, such as malicious CSV uploads. However, Cisco notes that these log entries may also appear during legitimate operations, making careful analysis essential to avoid false positives. To support incident response efforts, organizations are strongly advised to collect forensic data using the “request admin-tech” command before applying any upgrades. This ensures preservation of critical evidence that may help determine the extent of compromise. Cisco also recommends reviewing device configurations and logs after upgrading, as patching alone may not remediate systems that have already been breached. If indicators of compromise are identified, customers should engage Cisco TAC for guided remediation steps. Simply upgrading affected systems without addressing persistence mechanisms or unauthorized changes may leave networks exposed. This vulnerability was reported by Mandiant, highlighting ongoing collaboration between vendors and threat intelligence teams in identifying active threats. Given the active exploitation and lack of immediate fixes, organizations using Cisco SD-WAN should prioritize access control, monitoring, and log analysis to reduce risk while awaiting a permanent patch. Follow us on Google News, LinkedIn, and X to Get More Instant Updates. Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Abinayahttps://cybersecuritynews.com/ Abi is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space. Trending News Five OpenClaw 0-Days let Attackers to Hijack Trusted AI Agent Access Typosquatted npm Packages Steal Cloud and CI/CD Secrets From Developer Systems Hackers Using AI Tools to Automate Active Directory Attacks and EDR Evasion Microsoft Clarifies It Won’t Sue Security Researchers Amid Nightmare-Eclipse Controversy Multiple Red Hat Cloud Services npm Packages Compromised to Deploy Credential-Stealing Malware Latest News Cyber Security Microsoft Edge Vulnerability Allows Remote Attackers to Execute Arbitrary Code Cyber Security Dashlane Details How Hackers Managed to Download Encrypted Password Vaults Cyber Security News ClawHub, Cisco, Vercel’s Malicious Skill Detector Bypassed to upload Malicious Skills Cyber Security News HexStrike AI RED-TEAM With 127 Security Tools and BOAZ Red Team Integration Cyber Security News Hackers Impersonate Ghidra, dnSpy, and SpiderFoot to Spread Malware via Fake Download Sites
    💬 Team Notes
    Article Info
    Source
    Cybersecurity News
    Category
    ◇ Industry News & Leadership
    Published
    Jun 05, 2026
    Archived
    Jun 05, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗