Threat analysis (severity: high)

Cisco Catalyst SD-WAN Manager CVE-2026-20245: KEV CLI Privilege Escalation to Root

CISA added Cisco Catalyst SD-WAN Manager CVE-2026-20245 to its KEV catalog on 2026-06-09. This high-severity privilege escalation vulnerability in the CLI allows authenticated local attackers with netadmin privileges to execute arbitrary commands as the root user by uploading a crafted file.

Tags: cisco, sd-wan, cisa-kev, privilege-escalation, zero-day

    Executive Summary

    CISA added CVE-2026-20245 to the Known Exploited Vulnerabilities catalog on 2026-06-09, marking it as actively exploited (source: CISA KEV). The affected product is Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage). The vulnerability is a CLI-based privilege escalation flaw (CWE-116: Improper Encoding or Escaping of Output) that allows an authenticated local attacker with netadmin privileges to execute arbitrary commands as the root user by uploading a crafted configuration file.

    Because exploitation requires authenticated local access, attackers typically chain this vulnerability with a precursor authentication bypass flaw (such as CVE-2026-20182 or CVE-2026-20127) to establish initial CLI entry. As of June 10, 2026, no official patch is available, and there are no known workarounds. Cisco plans to release updates in future software builds. Organizations must prioritize auditing SD-WAN configuration permissions and monitoring system logs for suspicious CLI upload scripts.

    Key Facts

    cve: "CVE-2026-20245"
    vendor: "Cisco"
    product: "Catalyst SD-WAN Manager"
    vulnerability: "CLI local privilege escalation via output encoding bypass"
    cwe: "CWE-116"
    disclosed_date: "2026-06-09"
    kev_added: "2026-06-09"
    affected_versions: "All current Catalyst SD-WAN Manager releases"
    fixed_versions: "None (patch pending as of 2026-06-10)"
    precursor_cves:
      - "CVE-2026-20182"
      - "CVE-2026-20127"
    high_value_evidence:
      - "/var/log/scripts.log"
      - "vconfd_script_upload_tenant_list.sh"

    Source Confidence & Evidence Mapping

    • confirmed: CISA added CVE-2026-20245 to the KEV catalog, verifying active exploitation in the wild (source: CISA KEV).
    • confirmed: Cisco published an official advisory describing the CLI file upload escaping flaw and confirmed the lack of patches and workarounds (source: Cisco Advisory).
    • confirmed: Security researchers observed active exploitation chains combining this with Catalyst SD-WAN authentication bypass CVEs.

    Impact Determination

    Each classification below lists its criteria, the evidence required to assign it, and the handling decision.

    Classification: Confirmed compromise
      Criteria: System logs show script uploads executing shell code as root, or entries in /var/log/scripts.log reference vconfd_script_upload_tenant_list.sh with injection parameters.
      Required evidence: Log signatures of command injection in scripts.log, unauthorized root process creation, or new root credentials.
      Handling decision: Isolate the manager node immediately, restore the system from a clean backup, rotate all administrative credentials and SSH keys, and conduct full network forensics.

    Classification: Presumed exposed
      Criteria: Cisco Catalyst SD-WAN Manager is deployed in the network and precursor vulnerabilities (e.g. CVE-2026-20182) are unpatched, or local netadmin credentials are not audited.
      Required evidence: Presence of active Catalyst SD-WAN Manager interfaces without active session control or precursor patches.
      Handling decision: Secure CLI access, enforce multi-factor authentication for CLI administration, and patch precursor authentication bypass flaws immediately.

    Classification: Potentially exposed
      Criteria: Catalyst SD-WAN Manager instances exist, but version or patching status is unverified.
      Required evidence: Network inventory lists showing Cisco SD-WAN controllers.
      Handling decision: Run configuration auditing and verify patch logs.

    Classification: Not exposed
      Criteria: Catalyst SD-WAN Manager is not in use, or all managers are isolated from CLI access and precursor patches are applied.
      Required evidence: System architecture verification.
      Handling decision: No immediate action required.

    Classification: Unknown
      Criteria: System logs or access controls are missing.
      Required evidence: Telemetry gaps on SD-WAN Manager logs.
      Handling decision: Audit local CLI credentials.

    Timeline

    • 2026-06-09: Cisco discloses CVE-2026-20245 indicating active exploitation and no available patches.
    • 2026-06-09: CISA adds CVE-2026-20245 to the Known Exploited Vulnerabilities catalog.
    • 2026-06-10: This threat post analysis is published.

    Technical Analysis

    The vulnerability resides within the file upload handling logic of the Cisco Catalyst SD-WAN Manager command-line interface. When a user with netadmin privileges uploads configuration files (such as tenant lists), the CLI delegates validation to a local shell script (vconfd_script_upload_tenant_list.sh). Because the inputs within the uploaded file are not properly escaped or sanitized before being passed into the shell execution context, an attacker can embed shell command injection payloads. When executed, these commands run with the privileges of the script runner, which is the local root user, resulting in full compromise of the device.

    Affected Assets and Blast Radius

    asset_selectors:
      - "cisco-sdwan-manager"
    highest_value_assets:
      - "Catalyst SD-WAN Manager (vManage) controllers with exposed management interfaces"
    credentials_and_data_at_risk:
      - "Root access to the SD-WAN controller"
      - "SD-WAN fabric credentials, routing tables, and policy configurations"

    Indicators And Detection Selectors

    vulnerabilities: ["CVE-2026-20245"]
    packages: ["cisco-sdwan-manager"]
    telemetry_selectors:
      - "vconfd_script_upload_tenant_list.sh"
      - "/var/log/scripts.log"

    Detection and Hunting

    Script: local repository and exported telemetry scope

    #!/usr/bin/env python3
    """Scope check for CVE-2026-20245: scan a local repository or export, and an
    optional exported telemetry directory, for the selectors listed on this page."""
    import os
    import sys
    from pathlib import Path

    ROOT = sys.argv[1] if len(sys.argv) > 1 else "."
    LOG_ROOT = os.environ.get("LOG_ROOT", "")
    OUT = Path(os.environ.get("OUT", "hp-cisco-sdwan-manager-cve-2026-20245-kev-scope"))
    # Scope window: disclosure and KEV addition date. Recorded alongside the results.
    SINCE = "2026-06-09T00:00:00Z"
    UNTIL = "2026-06-09T23:59:59Z"

    # Selectors from the "Indicators And Detection Selectors" section above.
    PACKAGES = [
        "cisco-sdwan-manager",
    ]
    VERSIONS = [
    ]
    FILES = [
        "/var/log/scripts.log",
        "vconfd_script_upload_tenant_list.sh",
    ]
    # Reference sources; a hit on these only shows the advisory is referenced.
    DOMAINS = [
        "www.cisa.gov",
        "sec.cloudapps.cisco.com",
    ]
    URLS = [
        "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
        "https://sec.cloudapps.cisco.com/security/center/publicationListing.x",
    ]
    IPS = [
    ]
    HASHES = [
    ]
    PROCESS_PATTERNS = [
        "vconfd_script_upload_tenant_list.sh",
    ]
    NETWORK_PATTERNS = [
    ]

    # Positive signal: repository, lockfile, artifact, process, or network telemetry contains one of the exact incident selectors above.
    # Escalation: any match tied to a production build, CI run, deployed asset, or secret-bearing host moves the asset to presumed exposed.

    OUT.mkdir(parents=True, exist_ok=True)
    indicators_file = OUT / "indicators.txt"
    (OUT / "scope-window.txt").write_text(f"since={SINCE}\nuntil={UNTIL}\n")

    # Collect unique, non-empty indicators across all selector groups
    indicators = set()
    for group in [PACKAGES, VERSIONS, FILES, DOMAINS, URLS, IPS, HASHES, PROCESS_PATTERNS, NETWORK_PATTERNS]:
        for val in group:
            if val:
                indicators.add(val)

    with open(indicators_file, "w") as f:
        for ind in sorted(indicators):
            f.write(ind + "\n")

    print(f"[+] Written unique selectors to {indicators_file}")


    def scan_tree(base, selectors, exclude_dirs=frozenset()):
        """Return 'path: found <selector>' lines for every file under base whose
        text contains one of the selectors. Unreadable files are skipped."""
        found = []
        for root, dirs, filenames in os.walk(base):
            dirs[:] = [d for d in dirs if d not in exclude_dirs]
            for filename in filenames:
                filepath = Path(root) / filename
                try:
                    content = filepath.read_text(errors="ignore")
                except OSError:
                    continue
                for ind in selectors:
                    if ind in content:
                        found.append(f"{filepath}: found '{ind}'")
        return found


    # Walk local directory
    print(f"[+] Scanning directory: {ROOT} for selectors...")
    matches = scan_tree(ROOT, indicators, exclude_dirs={"node_modules", "vendor", "dist", ".git"})
    if matches:
        (OUT / "repository-indicator-matches.txt").write_text("\n".join(matches) + "\n")
        print(f"[!] Found {len(matches)} matches in codebase!")

    # Optional log scanning of an exported telemetry directory (LOG_ROOT)
    if LOG_ROOT and os.path.exists(LOG_ROOT):
        print(f"[+] Scanning telemetry log directory: {LOG_ROOT}...")
        log_matches = scan_tree(LOG_ROOT, indicators)
        if log_matches:
            (OUT / "exported-telemetry-indicator-matches.txt").write_text("\n".join(log_matches) + "\n")
            print(f"[!] Found {len(log_matches)} matches in logs!")

    print(f"[+] Wrote scope artifacts under {OUT}")
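The scope script above only tells you that the selector strings appear somewhere. To act on the technical analysis (unescaped upload arguments reaching vconfd_script_upload_tenant_list.sh) and the "injection parameters" evidence in the impact table, here is an added example, not part of the original post or of any Cisco tooling, that flags invocations of that script whose arguments contain shell metacharacters. The real scripts.log line layout is not documented on this page, so the `timestamp user= script= args=` format and the sample lines are constructed assumptions; adapt LINE_RE to the format you actually see.

```python
import re
from dataclasses import dataclass

# Constructed sample of /var/log/scripts.log. The real line layout on Catalyst
# SD-WAN Manager is not given on this page; this format is an assumption.
SAMPLE_SCRIPTS_LOG = """\
2026-06-09T08:12:01Z user=netadmin script=vconfd_script_upload_tenant_list.sh args="tenants_q2.csv"
2026-06-09T08:14:33Z user=netadmin script=vconfd_script_upload_tenant_list.sh args="tenants.csv;echo injected"
2026-06-09T08:15:02Z user=netadmin script=vconfd_script_upload_tenant_list.sh args="$(hostname).csv"
2026-06-09T08:20:45Z user=ops script=vconfd_script_backup.sh args="daily;echo not-our-script"
"""

TARGET_SCRIPT = "vconfd_script_upload_tenant_list.sh"

# Characters that let an unescaped argument break out of a shell word:
# command separators, pipes, substitution, redirection, grouping, quoting.
SHELL_META = re.compile(r"[;&|`$<>(){}'\n]")

LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+script=(?P<script>\S+)\s+args="(?P<args>.*)"$'
)


@dataclass
class Finding:
    ts: str
    user: str
    args: str
    meta: str  # distinct metacharacters seen in args, sorted


def flag_suspicious_uploads(log_text: str) -> list:
    """Return one Finding per tenant-list upload whose arguments contain
    shell metacharacters. Other scripts are ignored so the hunt stays on
    the vulnerable code path the advisory describes."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("script") != TARGET_SCRIPT:
            continue
        meta = "".join(sorted(set(SHELL_META.findall(m.group("args")))))
        if meta:
            findings.append(Finding(m.group("ts"), m.group("user"), m.group("args"), meta))
    return findings


if __name__ == "__main__":
    for f in flag_suspicious_uploads(SAMPLE_SCRIPTS_LOG):
        print(f"[!] {f.ts} user={f.user} meta={f.meta!r} args={f.args!r}")
```

Any hit is a candidate for the "Confirmed compromise" row above and should be paired with process-creation telemetry showing what the script actually spawned as root.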

    Sources

    1. CISA: KEV Catalog - Role: PRIMARY_RESEARCH - Impact: Active exploitation confirmation.
    2. Cisco: Security Advisories - Role: DIRECT_SOURCE - Impact: Detailed product advisory, affected versions, and command injection mechanism.
    3. NIST NVD: CVE-2026-20245 - Role: ENRICHMENT_DATA - Impact: Severity and CWE mapping.