Cisco Catalyst SD-WAN Manager CVE-2026-20245: KEV CLI Privilege Escalation to Root

Suspected
Discovered Jun 9, 2026

CISA added CVE-2026-20245 to KEV on 2026-06-09. Cisco scopes the authenticated local command-injection flaw to Catalyst SD-WAN Controller, Manager, and Validator and lists fixed 20.18.3.1 and 26.1.1.2 releases as of 2026-06-10.

0
Affected Packages
0
Observables
3
Sources

Defender Action Panel

Triage this incident quickly

Check whether your environment installed affected software, copy the top IOCs, run the tested hunting script when available, then review remediation guidance.

Am I affected?
Review affected software below
Immediate action
Audit locks, CI runners, developer workstations, and credential exposure.
Hunting
Has hunting script

Analysis

Executive Summary

CISA added CVE-2026-20245 to the Known Exploited Vulnerabilities catalog on 2026-06-09, with a remediation due date of 2026-06-23 CISA KEV opens in a new tab. Cisco's June 10 advisory version 1.5 scopes the flaw to Catalyst SD-WAN Controller, Catalyst SD-WAN Manager, and Catalyst SD-WAN Validator, regardless of configuration or deployment type Cisco opens in a new tab.

An attacker must already hold netadmin privileges, obtained through valid credentials or exploitation of CVE-2026-20182 or CVE-2026-20127. A crafted uploaded file can trigger command injection and execute commands as root. Cisco observed limited cases where exploitation resulted in configuration changes pushed to edge devices. Cisco lists 20.18.3.1 and 26.1.1.2 as fixed releases; fixes for listed 20.9, 20.12, and 20.15 trains remained future releases as of 2026-06-10 Cisco opens in a new tab.

Key Facts

Cve: CVE-2026-20245

Vendor: Cisco

Products:

  • Catalyst SD-WAN Controller (vSmart)
  • Catalyst SD-WAN Manager (vManage)
  • Catalyst SD-WAN Validator (vBond)

Vulnerability: Authenticated local command injection and privilege escalation to root

Cwe: CWE-116

Cvss V31: 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

First Published: 2026-06-04

Last Reviewed: 2026-06-10

Kev Added: 2026-06-09

Kev Due: 2026-06-23

Required Privilege: netadmin

Precursor Cves:

  • CVE-2026-20182
  • CVE-2026-20127

Fixed Releases:

  • 20.18.3: 20.18.3.1
  • 26.1.1.2_and_earlier: 26.1.1.2

Pending Release Trains:

  • 20.9.9.1 and earlier
  • 20.12.7.1 and earlier
  • 20.15.4.4 and earlier
  • 20.15.5.2 and earlier

Workarounds: none

Evidence Assessment

  • confirmed: CISA lists the flaw as known exploited and requires action by June 23, 2026 CISA KEV opens in a new tab.
  • confirmed: Cisco requires existing netadmin access and identifies valid credentials, CVE-2026-20182, or CVE-2026-20127 as observed precursor paths Cisco opens in a new tab.
  • confirmed: Cisco observed limited cases that pushed configuration changes to edge devices and published /var/log/scripts.log review guidance Cisco opens in a new tab.
  • confirmed: Cisco advisory version 1.5 lists fixed releases for 20.18 and 26.1 while other listed trains remain pending Cisco opens in a new tab.
  • unknown: Cisco has not published malicious filenames, payload strings, hashes, source addresses, or actor attribution.

Impact Determination

Analysis table
ClassificationCriteriaRequired evidenceRequired actionClosure condition
Confirmed compromiseUnauthorized upload-script execution, root command execution, or unexplained edge configuration changes appear on an affected control component.admin-tech, /var/log/scripts.log, AAA records, CLI history, process evidence, and edge configuration diffs.Isolate affected control components, preserve evidence, engage Cisco TAC, rebuild or remediate per TAC guidance, and rotate administrative credentials.Fixed release is installed and all unauthorized control-plane and edge changes are removed with TAC-supported evidence.
Presumed exposedA listed affected release is present and netadmin credentials or precursor-CVE exposure cannot be excluded.Exact release, credential audit, CVE-2026-20182/CVE-2026-20127 status, and internet exposure.Preserve admin-tech, restrict management access, patch to an available fixed release, and review scripts and edge changes.Fixed-release proof plus negative credential, script-log, and edge-configuration review.
Potentially exposedProduct is present but release, role, or deployment type is incomplete.Inventory and control-component export.Collect exact component roles, releases, and management exposure.Asset is reclassified with evidence.
Not exposedNo affected control component exists, or an available fixed release is installed and compromise review is negative.Inventory, version output, and audit artifacts.Preserve closure evidence.Evidence is attached to the asset record.
UnknownRequired logs, release data, or configuration history are unavailable.Named evidence gap.Keep the control plane in scope and engage Cisco TAC where compromise cannot be excluded.Evidence is recovered or risk is formally accepted.

Timeline

  • 2026-06-04: Cisco publishes advisory version 1.0 Cisco opens in a new tab.
  • 2026-06-05: Cisco adds indicators-of-compromise guidance.
  • 2026-06-09: CISA adds CVE-2026-20245 to KEV; Cisco expands affected-product and fixed-release information CISA alert opens in a new tab.
  • 2026-06-10: Cisco advisory version 1.5 adds release-train detail and confirms fix availability for 26.1.1.2 Cisco opens in a new tab.

Technical Analysis

The flaw is in CLI handling of an uploaded file. Insufficient validation allows a netadmin user to inject commands that execute as root. This is a post-authentication privilege-escalation stage, not a remote unauthenticated entry point. The highest-risk chain is an authentication bypass such as CVE-2026-20182 followed by CVE-2026-20245. [1]

Cisco says the affected products include every deployment type: on-premises, Cloud-Pro, Cisco-managed cloud, and FedRAMP. Preserve an admin-tech bundle from each control component before upgrading. Applying a software update alone is not sufficient when compromise evidence exists. [1]

Affected Assets and Blast Radius

Asset Selectors:

  • Catalyst SD-WAN Controller
  • Catalyst SD-WAN Manager
  • Catalyst SD-WAN Validator
  • vSmart
  • vManage
  • vBond

High Value Evidence:

  • /var/log/scripts.log
  • admin-tech bundle from each control component
  • edge-device configuration history and diffs

Indicators of Compromise

The following indicators of compromise (IOCs) can be used to scope exposure across local repositories, systems, and telemetry exports:

Remediation and Closure

  1. Run request admin-tech on each control component and retain relevant logs before upgrade.
  2. Restrict management access and revoke unexplained netadmin sessions or credentials.
  3. Upgrade 20.18 deployments to 20.18.3.1 or later and 26.1 deployments to 26.1.1.2 or later. Contact Cisco TAC for trains whose fixed release remained pending on June 10, 2026.
  4. Review edge-device configurations for unauthorized changes.
  5. When compromise is confirmed, follow Cisco TAC remediation; patching alone does not remove attacker changes or persistence.

Timeline

4 of 4 rows

Timeline
DateEventDescriptionSource
Jun 9, 2026DisclosureDisclosure recorded for Cisco Catalyst SD-WAN Manager CVE-2026-20245: KEV CLI Privilege Escalation to Root.nvd.nist.gov
Jun 9, 2026Cisco Catalyst SD-WAN Manager CVE-2026-20245: KEV CLI Privilege Escalation to RootUnknownnvd.nist.gov
Jun 9, 2026DiscoveryDiscovery recorded for Cisco Catalyst SD-WAN Manager CVE-2026-20245: KEV CLI Privilege Escalation to Root.nvd.nist.gov
Jun 9, 2026First seenFirst seen recorded for Cisco Catalyst SD-WAN Manager CVE-2026-20245: KEV CLI Privilege Escalation to Root.nvd.nist.gov

Affected Software

0 of 0 rows

Affected Software
PackageEcosystemVersion RangeStatusConfidenceSource
No rows match the active filters.

Tested Hunting Scripts

1 of 1 rows

Tested Hunting Scripts
TitleLanguageDescriptionRepositorySource
local repository and exported telemetry scopePythonDoes the telemetry scope contain patterns associated with Cisco Catalyst SD-WAN Manager CVE-2026-20245: KEV CLI Privilege Escalation to Root?scripts/local_repository_and_exported_telemetry_scope.py opens in a new tabnvd.nist.gov

Hunt Manifest: local repository and exported telemetry scope

Title
local repository and exported telemetry scope
Question
Does the telemetry scope contain patterns associated with Cisco Catalyst SD-WAN Manager CVE-2026-20245: KEV CLI Privilege Escalation to Root?
Telemetry Family
Python
Repository
scripts/local_repository_and_exported_telemetry_scope.py
Show tested hunting scriptscripts/local_repository_and_exported_telemetry_scope.py
scripts/local_repository_and_exported_telemetry_scope.py opens in a new tabPython
#!/usr/bin/env python3
import os
import sys
from pathlib import Path

ROOT = sys.argv[1] if len(sys.argv) > 1 else "."
LOG_ROOT = os.environ.get("LOG_ROOT", "")
OUT = Path(os.environ.get("OUT", "hp-cisco-sdwan-manager-cve-2026-20245-kev-scope"))


# Collect unique indicators
indicators = set()
for group in []:
    for val in group:
        if val:
            indicators.add(val)

with open(indicators_file, "w") as f:
    for ind in sorted(indicators):
        f.write(ind + "\n")

print(f"[+] Written unique selectors to {indicators_file}")

# Walk local directory
print(f"[+] Scanning directory: {ROOT} for selectors...")
matches = []
exclude_dirs = {"node_modules", "vendor", "dist", ".git"}
for root, dirs, filenames in os.walk(ROOT):
    dirs[:] = [d for d in dirs if d not in exclude_dirs]
    for filename in filenames:
        filepath = Path(root) / filename
        try:
            content = filepath.read_text(errors="ignore")
            for ind in indicators:
                if ind in content:
                    matches.append(f"{filepath}: found '{ind}'")
        except Exception:
            pass  # pass # return or raise not needed here  # pass # return or raise not needed here  # pass # return or raise not needed here

if matches:
    (OUT / "repository-indicator-matches.txt").write_text("\n".join(matches) + "\n")
    print(f"[!] Found {len(matches)} matches in codebase!")

# Optional Log Scanning
if LOG_ROOT and os.path.exists(LOG_ROOT):
    print(f"[+] Scanning telemetry log directory: {LOG_ROOT}...")
    log_matches = []
    for root, _, filenames in os.walk(LOG_ROOT):
        for filename in filenames:
            filepath = Path(root) / filename
            try:
                content = filepath.read_text(errors="ignore")
                for ind in indicators:
                    if ind in content:
                        log_matches.append(f"{filepath}: found '{ind}'")
            except Exception:
                pass  # pass # return or raise not needed here  # pass # return or raise not needed here  # pass # return or raise not needed here
    if log_matches:
        (OUT / "exported-telemetry-indicator-matches.txt").write_text("\n".join(log_matches) + "\n")
        print(f"[!] Found {len(log_matches)} matches in logs!")

    if PACKAGES:
        registry_dir = OUT / "registry"
        registry_dir.mkdir(exist_ok=True)

print(f"[+] Wrote scope artifacts under {OUT}")

Provenance & Sources

3 of 3 rows

Provenance & Sources
SourceTypeReliabilityClaimsEvidence
nvd.nist.govSecurity Researcher95%1CISA added CVE-2026-20245 to KEV on 2026-06-09. Cisco scopes the authenticated local command-injection flaw to Catalyst SD-WAN Controller, Manager, and Validator and lists fixed 20.18.3.1 and 26.1.1.2 releases as of 2026-06-10.
cisa.govSecurity Researcher95%2CISA added CVE-2026-20245 to KEV on 2026-06-09. Cisco scopes the authenticated local command-injection flaw to Catalyst SD-WAN Controller, Manager, and Validator and lists fixed 20.18.3.1 and 26.1.1.2 releases as of 2026-06-10.
sec.cloudapps.cisco.comSecurity Researcher95%1CISA added CVE-2026-20245 to KEV on 2026-06-09. Cisco scopes the authenticated local command-injection flaw to Catalyst SD-WAN Controller, Manager, and Validator and lists fixed 20.18.3.1 and 26.1.1.2 releases as of 2026-06-10.