Cisco SD-WAN Vulnerability Exploited in the Wild to Execute Arbitrary Commands as Root User
Cybersecurity NewsArchived Jun 05, 2026✓ Full text saved
Cisco has disclosed a high-severity vulnerability in its Catalyst SD-WAN Manager that is actively being exploited in the wild, allowing attackers to execute arbitrary commands with root privileges. The issue, tracked as CVE-2026-20245, carries a CVSS score of 7.8 and stems from improper input validation in the system’s command-line interface. According to Cisco’s advisory, the […] The post Cisco SD-WAN Vulnerability Exploited in the Wild to Execute Arbitrary Commands as Root User appeared first
Full text archived locally
✦ AI Summary· Claude Sonnet
HomeCyber Security News
Cisco SD-WAN Vulnerability Exploited in the Wild to Execute Arbitrary Commands as Root User
By Abinaya
June 5, 2026
Cisco has disclosed a high-severity vulnerability in its Catalyst SD-WAN Manager that is actively being exploited in the wild, allowing attackers to execute arbitrary commands with root privileges.
The issue, tracked as CVE-2026-20245, carries a CVSS score of 7.8 and stems from improper input validation in the system’s command-line interface.
According to Cisco’s advisory, the flaw stems from insufficient sanitization of user-supplied input during the processing of uploaded files.
An authenticated attacker can exploit this weakness by uploading a specially crafted file, which triggers command injection and enables privilege escalation to the root user.
Once root access is obtained, attackers can fully compromise the SD-WAN management plane, manipulate configurations, and potentially impact connected edge devices. The attack requires netadmin-level privileges, meaning the threat is not directly exploitable by unauthenticated actors.
Cisco SD-WAN Vulnerability Exploit
However, Cisco warns that attackers may chain this vulnerability with other known flaws, such as CVE-2026-20182 or CVE-2026-20127, to gain the necessary access.
This significantly increases the risk in real-world environments where credential compromise or chained exploitation is feasible. Cisco’s Product Security Incident Response Team (PSIRT) confirmed that the vulnerability has already been exploited in limited attacks.
In observed cases, threat actors used the flaw to push unauthorized configuration changes to SD-WAN edge devices. This suggests post-exploitation activity aimed at persistence, lateral movement, or traffic manipulation within enterprise networks.
The vulnerability affects all Cisco Catalyst SD-WAN Manager deployments, including on-premises, Cisco SD-WAN Cloud, Cloud-Pro, and government (FedRAMP) deployments.
Systems exposed to the internet are considered at higher risk, especially if management interfaces are accessible externally. At the time of disclosure, Cisco had not released a software patch to address the issue, and no workarounds were available.
The company has advised customers to upgrade to a previously released fixed software version referenced in its May 2026 advisory. However, a dedicated fix for this specific vulnerability is still pending.
Cisco has provided guidance to help organizations detect potential compromise. Administrators are urged to review the scripts.log file located in /var/log/ for suspicious entries.
One example is the execution of commands such as “/usr/bin/vconfd_script_upload_tenant_list.sh” with unexpected file paths, such as malicious CSV uploads.
However, Cisco notes that these log entries may also appear during legitimate operations, making careful analysis essential to avoid false positives.
To support incident response efforts, organizations are strongly advised to collect forensic data using the “request admin-tech” command before applying any upgrades.
This ensures preservation of critical evidence that may help determine the extent of compromise. Cisco also recommends reviewing device configurations and logs after upgrading, as patching alone may not remediate systems that have already been breached.
If indicators of compromise are identified, customers should engage Cisco TAC for guided remediation steps. Simply upgrading affected systems without addressing persistence mechanisms or unauthorized changes may leave networks exposed.
This vulnerability was reported by Mandiant, highlighting ongoing collaboration between vendors and threat intelligence teams in identifying active threats.
Given the active exploitation and lack of immediate fixes, organizations using Cisco SD-WAN should prioritize access control, monitoring, and log analysis to reduce risk while awaiting a permanent patch.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates.
Tags
cyber security
cyber security news
Copy URL
Linkedin
Twitter
ReddIt
Telegram
Abinayahttps://cybersecuritynews.com/
Abi is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space.
Trending News
Five OpenClaw 0-Days let Attackers to Hijack Trusted AI Agent Access
Typosquatted npm Packages Steal Cloud and CI/CD Secrets From Developer Systems
Hackers Using AI Tools to Automate Active Directory Attacks and EDR Evasion
Microsoft Clarifies It Won’t Sue Security Researchers Amid Nightmare-Eclipse Controversy
Multiple Red Hat Cloud Services npm Packages Compromised to Deploy Credential-Stealing Malware
Latest News
Cyber Security
Microsoft Edge Vulnerability Allows Remote Attackers to Execute Arbitrary Code
Cyber Security
Dashlane Details How Hackers Managed to Download Encrypted Password Vaults
Cyber Security News
ClawHub, Cisco, Vercel’s Malicious Skill Detector Bypassed to upload Malicious Skills
Cyber Security News
HexStrike AI RED-TEAM With 127 Security Tools and BOAZ Red Team Integration
Cyber Security News
Hackers Impersonate Ghidra, dnSpy, and SpiderFoot to Spread Malware via Fake Download Sites