Cisco Catalyst SD-WAN Manager Privilege Escalation Vulnerability Exploited in Attack (CVE-2026-20245)
Cisco warned of active exploitation of a vulnerability in Catalyst SD-WAN Manager. Tracked as CVE-2026-20245, the vulnerability could allow an authenticated, local attacker to execute arbitrary commands as root by supplying a crafted file to the affected system.
Cisco Catalyst SD-WAN Manager is a centralized network management system (NMS) that provides a single pane of glass for configuring, monitoring, and troubleshooting an entire SD-WAN fabric. It serves as the orchestration and management plane of the Cisco Catalyst SD-WAN architecture.
Vulnerability Details
This vulnerability stems from insufficient validation of user-supplied input. An attacker could exploit it by uploading a crafted file to the affected system. A successful exploit could allow the attacker to perform command injection attacks on the affected system and elevate their privileges to root.
An attacker must have netadmin privileges on the affected system to exploit the vulnerability successfully. This would require valid credentials or exploitation of CVE-2026-20182 or CVE-2026-20127. Cisco mentioned in their advisory that they are unaware of successful exploitation by other methods. Cisco has observed limited cases in which exploitation of this vulnerability resulted in a configuration change being pushed to edge devices.
Indicators of Compromise
Cisco Catalyst SD-WAN Manager systems that are exposed to the internet, with ports reachable from the internet, are at risk of compromise.
Customers may audit the scripts.log file, located at /var/log/, for entries that are shown in the following example:
Apr 15 09:44:57 vmanage vScript: Tenant list upload per vsmart serial number: /usr/bin/vconfd_script_upload_tenant_list.sh -cli path /home/admin/malicious.csv vpn 0
Note: These are legitimate commands, and the logs will not distinguish between legitimate and malicious use.
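To support the audit described above, the following added example (not part of Cisco's advisory or the original post) extracts every tenant-list upload entry from scripts.log so the timestamps and file paths can be compared against known administrator activity. The regular expression is an assumption derived from the single example entry shown above, and the sample lines other than that entry are constructed.

```python
import re
from collections import defaultdict

# Pattern built from the one example entry on this page; other variants of
# the line are not documented here, so the exact layout is an assumption.
ENTRY = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+vScript:"
    r".*?/usr/bin/vconfd_script_upload_tenant_list\.sh\s+-cli\s+path\s+"
    r"(?P<path>.+?)\s+vpn\s+(?P<vpn>\S+)\s*$"
)

def find_tenant_list_uploads(lines):
    """Return one record per tenant-list upload entry, in log order."""
    records = []
    for lineno, line in enumerate(lines, start=1):
        m = ENTRY.match(line.rstrip("\n"))
        if m:
            records.append({"line": lineno, **m.groupdict()})
    return records

def group_by_file(records):
    """Map each uploaded file path to the timestamps at which it was used."""
    grouped = defaultdict(list)
    for r in records:
        grouped[r["path"]].append(r["ts"])
    return dict(grouped)

# Constructed sample input: line 1 is the page's example, lines 2-3 are made up.
SAMPLE = [
    "Apr 15 09:44:57 vmanage vScript: Tenant list upload per vsmart serial number: /usr/bin/vconfd_script_upload_tenant_list.sh -cli path /home/admin/malicious.csv vpn 0",
    "Apr 15 09:45:10 vmanage vScript: unrelated entry",
    "Apr 16 02:13:40 vmanage vScript: Tenant list upload per vsmart serial number: /usr/bin/vconfd_script_upload_tenant_list.sh -cli path /home/admin/tenants.csv vpn 0",
]

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            lines = fh.readlines()
    else:
        lines = SAMPLE
    # The log does not separate legitimate from malicious use, so every
    # match is listed for manual review rather than scored.
    for r in find_tenant_list_uploads(lines):
        print(f'{r["line"]}\t{r["ts"]}\t{r["host"]}\tvpn={r["vpn"]}\t{r["path"]}')
```

Pass the path to scripts.log as the only argument; with no argument the script runs on the embedded sample.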
Affected Versions
This vulnerability affects all Cisco Catalyst SD-WAN Manager systems, regardless of device configuration.
The vulnerability affects all deployment types, including:
- On-Prem Deployment
- Cisco SD-WAN Cloud-Pro
- Cisco SD-WAN Cloud (Cisco Managed)
- Cisco SD-WAN for Government (FedRAMP)
Mitigation
Cisco mentioned in the advisory that they plan to address this vulnerability in Cisco Catalyst SD-WAN Manager in a future release.
Customers can refer to the Cisco Security Advisory (cisco-sa-sdwan-privesc-4uxFrdzx) for information about the vulnerability.
Qualys Detection
Qualys customers can scan their devices with QID 317857 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
