
On Thursday, Cisco warned of a high-severity, unpatched zero-day in the Cisco Catalyst SD-WAN Manager (tracked as CVE-2026-20245) that is actively exploited in attacks enabling root privilege escalation.
The zero-day flaw affects all deployment types, including On-Prem Deployment, Cisco SD-WAN Cloud-Hosted, Cisco SD-WAN Cloud (Cisco Managed), and Cisco SD-WAN for Government (FedRAMP).
In a Thursday advisory, Cisco said the issue stems from insufficient validation of user-supplied input, and it could allow local attackers with low privileges to execute arbitrary commands as root.
“An attacker could exploit this vulnerability by uploading a crafted file to the affected system. A successful exploit could allow the attacker to perform command injection attacks on an affected system and elevate their privileges to the root user,” the company explained.
“To exploit this vulnerability, the attacker must have netadmin privileges on the affected system. This would require valid credentials or exploitation of CVE-2026-20182 or CVE-2026-20127. Cisco is not aware of successful exploitation by other methods,” it added. “Cisco has observed limited instances where the exploitation of this bug resulted in a configuration change pushed to edge devices.”
Previously known as SD-WAN vManage, this network management software helps admins monitor and manage up to 6,000 Catalyst SD-WAN devices from a single dashboard.
Cisco’s Product Security Incident Response Team (PSIRT) became aware of CVE-2026-20245 exploitation in June after Google Cloud cybersecurity subsidiary Mandiant reported the flaw but did not share any details.
However, it shared indicators of compromise (IOCs), warning admins to check their SD-WAN /var/log/scripts.log file for attempts to upload tenant configuration files to vSmart controllers to escalate privileges through legitimate commands, as in the following example:
Apr 15 09:44:57 vmanage vScript: Tenant list upload per vsmart serial number: /usr/bin/vconfd_script_upload_tenant_list.sh -cli path /home/admin/malicious.csv vpn 0
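To turn that log check into something repeatable, here is an added example (not Cisco's or Mandiant's code) that parses scripts.log content and surfaces every tenant-list upload for review. The timestamp/host/tag layout and the "-cli path <file> vpn <n>" argument order are assumed from the single example line above; the sample log is constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Pattern for the scripts.log line shape shown in the advisory example.
# The leading "Mon DD HH:MM:SS host vScript:" layout and the
# "-cli path <file> vpn <n>" argument order are assumptions from that line.
UPLOAD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) vScript: .*?"
    r"vconfd_script_upload_tenant_list\.sh"
    r"(?:\s+-cli)?\s+path\s+(?P<path>\S+)"
    r"(?:\s+vpn\s+(?P<vpn>\d+))?"
)


@dataclass
class TenantListUpload:
    timestamp: str
    host: str
    path: str      # file that was pushed to the vSmart controllers
    vpn: Optional[str]


def find_tenant_list_uploads(log_text: str) -> List[TenantListUpload]:
    """Return every tenant-list upload recorded in the given scripts.log text.

    Each hit should be reconciled against known admin activity; an upload
    nobody can account for is what the advisory asks admins to look for.
    """
    hits = []
    for line in log_text.splitlines():
        m = UPLOAD_RE.search(line)
        if m:
            hits.append(TenantListUpload(m["ts"], m["host"], m["path"], m["vpn"]))
    return hits


# Constructed sample of /var/log/scripts.log. The second line is the example
# quoted in the advisory; the other lines are filler for contrast.
SAMPLE_LOG = """\
Apr 15 09:40:12 vmanage vScript: Running /usr/bin/vconfd_script_health.sh
Apr 15 09:44:57 vmanage vScript: Tenant list upload per vsmart serial number: /usr/bin/vconfd_script_upload_tenant_list.sh -cli path /home/admin/malicious.csv vpn 0
Apr 15 09:45:03 vmanage vScript: Running /usr/bin/vconfd_script_health.sh
"""

if __name__ == "__main__":
    for hit in find_tenant_list_uploads(SAMPLE_LOG):
        print(f"{hit.timestamp} {hit.host}: tenant list uploaded from {hit.path} (vpn {hit.vpn})")
```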
“For help determining if a Cisco Catalyst SD-WAN Manager has been compromised, customers may open a case with the Cisco TAC,” the company added, advising admins to first generate an admin-tech file to help with the assessment.
Security patches not yet available
Last month, Cisco also tagged a maximum-severity Catalyst SD-WAN Controller authentication bypass flaw (CVE-2026-20182) as actively exploited as a zero-day to gain administrative privileges on unpatched devices.
While Cisco has not yet released patches for CVE-2026-20245, it advised customers to upgrade to the software fixed for CVE-2026-20182 on May 14.
In February, Cisco patched another Catalyst SD-WAN Manager information disclosure security flaw (CVE-2026-20133), which CISA flagged as actively exploited in late April, and, two weeks later, warned that two more flaws (CVE-2026-20128 and CVE-2026-20122) were being abused in the wild.
In March, it also addressed and flagged a critical authentication-bypass vulnerability (CVE-2026-20127) that has been exploited in zero-day attacks since at least 2023.
Over the past several years, CISA has tagged 90 Cisco vulnerabilities as abused in the wild, 4 of them in Cisco Catalyst SD-WAN Manager and 6 others exploited by ransomware operations.




