Skip to main content
Mallory
Back to vulnerabilities
High

Command Injection in Cisco Catalyst SD-WAN Manager CLI

IdentifiersCVE-2026-20245CWE-77

CVE-2026-20245 is a command injection vulnerability in the CLI of Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage). The flaw is caused by insufficient validation of user-supplied input during processing of an uploaded file. An authenticated local attacker can exploit the issue by supplying or uploading a crafted file to the affected system, causing the CLI processing path to execute attacker-controlled commands. Successful exploitation results in arbitrary command execution with root privileges on the SD-WAN Manager host. Cisco stated the issue affects all Catalyst SD-WAN Manager deployment models and has observed active exploitation in limited cases.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an attacker to execute arbitrary commands as root on the affected Cisco Catalyst SD-WAN Manager instance. This provides full privilege escalation from the required netadmin-level access to root, enabling complete compromise of the management plane host. Cisco observed limited real-world exploitation resulting in configuration changes being pushed to edge devices, which could enable unauthorized network reconfiguration and broader downstream operational impact.

Mitigation

If you can’t patch tonight, do this now.

No specific workaround is described in the provided content. Interim defensive actions mentioned by Cisco include reviewing /var/log/scripts.log for suspicious entries related to crafted file upload activity, generating an admin-tech file for forensic review, verifying edge-device configurations for unauthorized changes, and working with Cisco TAC if indicators of compromise are present. Reducing exposure of management interfaces, especially internet exposure, would also reduce risk, although the provided content does not describe this as an official workaround.

Remediation

Patch, then assume compromise.

Upgrade Cisco Catalyst SD-WAN Manager to the fixed software documented by Cisco in the advisory published on May 14, 2026. Cisco also recommends verifying the configuration of edge devices after remediation because exploitation has been observed to result in pushed configuration changes. Where compromise is suspected, preserve forensic evidence, review relevant logs including /var/log/scripts.log, collect an admin-tech bundle, and engage Cisco TAC for compromise assessment.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

ACTIVITY FEED

Recent activity

22 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

22 SOURCESView more in app
cyber security newsNews
Jun 5, 2026
Cisco SD-WAN Vulnerability Exploited in the Wild to Execute Arbitrary Commands as Root User

A high-severity command injection and privilege escalation vulnerability in Cisco Catalyst SD-WAN Manager caused by improper input validation and insufficient sanitization of uploaded file input, allowing an authenticated attacker to execute arbitrary commands as root.

Read more
security online infoNews
Jun 5, 2026
Cisco SD-WAN Vulnerability Exploited in the Wild

A command injection vulnerability in the CLI of Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage) that allows an authenticated local attacker with netadmin privileges to execute arbitrary commands as root via a crafted file.

Read more
bleeping computerNews
Jun 5, 2026
Cisco warns of unpatched SD-WAN zero-day exploited in attacks

A high-severity unpatched zero-day in Cisco Catalyst SD-WAN Manager that allows local attackers with low privileges to upload a crafted file, achieve command injection, and escalate privileges to root.

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity19

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2026-20245
NVD
nvd.nist.gov/vuln/detail/CVE-2026-20245
MITRE CWE · CWE-77
cwe.mitre.org
sec.cloudapps.cisco.com
sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-privesc-4uxFrdzx
sec.cloudapps.cisco.com
sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa2-v69WY2SW