Cisco SD-WAN Has a New Root-Level Problem, and There’s No Fix Yet


Pierluigi Paganini
June 05, 2026

Cisco warns of CVE-2026-20245 in SD-WAN Manager, a flaw that can lead to root access via file upload command injection; no patch or workaround yet.

Cisco warns of a privilege escalation flaw, tracked as CVE-2026-20245 (CVSS base score of 7.8), in Cisco Catalyst SD-WAN Manager, the platform formerly known as SD-WAN vManage. An authenticated local attacker can trigger the vulnerability to run arbitrary commands as root. No patch is out, and no workaround exists.

The mechanics are straightforward: bad input validation. Although the flaw requires netadmin privileges, attackers can obtain them using stolen credentials or by exploiting previously disclosed vulnerabilities such as CVE-2026-20182 and CVE-2026-20127.

“This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by uploading a crafted file to the affected system. A successful exploit could allow the attacker to perform command injection attacks on an affected system and elevate their privileges as the root user,” reads the advisory. “To exploit this vulnerability, the attacker must have netadmin privileges on the affected system. This would require valid credentials or exploitation of CVE-2026-20182 or CVE-2026-20127. Cisco is not aware of successful exploitation by other methods. Cisco has observed limited cases where the exploitation of this bug resulted in a configuration change pushed to edge devices.”

The vulnerability affects Cisco Catalyst SD-WAN Manager across all deployment models, including on-premises installations, Cisco SD-WAN Cloud-Pro, Cisco-managed cloud deployments, and FedRAMP environments.

Cisco’s interim guidance is surgical: before you upgrade to the fixed release (documented in the May 14 advisory), run request admin-tech on every control component in your SD-WAN deployment. Don’t skip this step.

“If the logs show indicators of compromise and the system is confirmed to be compromised, applying the software update alone will not resolve the vulnerability,” concludes the advisory. “In such cases, follow the specific remediation steps that will be provided by the Cisco Technical Assistance Center (TAC) to help secure the system.”

The researchers pointed out that patching over a compromised system doesn’t clean it. It just gives you a patched, compromised system.

For detection, check the scripts.log file under /var/log/ for entries referencing vconfd_script_upload_tenant_list.sh. Cisco notes that legitimate operations produce these entries as well, so you will need to compare them against your own baseline to tell benign from malicious. If you are unsure whether your environment is clean, open a TAC case and include the admin-tech file.
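As an added example of the baseline comparison described above (not code from Cisco or from the article), the script below pulls scripts.log entries that reference vconfd_script_upload_tenant_list.sh and prints only those with no counterpart in a file of entries an analyst has already reviewed as legitimate. The log line format, file names and user names in the sample data are constructed assumptions; real scripts.log lines will differ.

```shell
#!/bin/sh
# Added example, not from Cisco or the article: triage scripts.log entries that
# reference vconfd_script_upload_tenant_list.sh against a baseline of entries an
# analyst already reviewed as legitimate. The log line format in the sample data
# is CONSTRUCTED for illustration; adapt normalize() to what the admin-tech
# bundle from your own deployment actually contains.
SCRIPT_NAME='vconfd_script_upload_tenant_list.sh'

# Drop a leading ISO-8601 timestamp so repeated, otherwise identical
# invocations compare equal across days. Everything after it is kept.
normalize() {
  sed -E 's/^[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9:]{8}[A-Za-z0-9:+-]* //'
}

# Print entries from scripts.log ($1) that mention the script and have no
# normalized counterpart in the baseline file ($2). Anything printed here is
# an invocation nobody has vetted yet and belongs in the TAC case.
new_invocations() {
  log="$1" baseline="$2"
  work=$(mktemp -d) || return 2
  grep -F -- "$SCRIPT_NAME" "$log" | normalize | sort -u > "$work/seen"
  normalize < "$baseline" | sort -u > "$work/known"
  comm -23 "$work/seen" "$work/known"
  rm -rf "$work"
}

# Constructed sample data standing in for /var/log/scripts.log and a baseline
# of reviewed entries; only the svc_backup invocation is absent from the baseline.
demo() {
  d=$(mktemp -d) || return 2
  cat > "$d/scripts.log" <<'EOF'
2026-06-01T09:00:12Z /usr/bin/vconfd_script_upload_tenant_list.sh user=admin file=tenant_list.csv
2026-06-02T09:00:14Z /usr/bin/vconfd_script_upload_tenant_list.sh user=admin file=tenant_list.csv
2026-06-04T03:17:55Z /usr/bin/vconfd_script_upload_tenant_list.sh user=svc_backup file=upload_20260604.tmp
2026-06-04T03:18:01Z /usr/bin/other_maintenance.sh user=admin
EOF
  cat > "$d/baseline.log" <<'EOF'
2026-05-20T09:00:10Z /usr/bin/vconfd_script_upload_tenant_list.sh user=admin file=tenant_list.csv
EOF
  new_invocations "$d/scripts.log" "$d/baseline.log"
  rm -rf "$d"
}

case "${1:-}" in demo) demo ;; esac
```

Run it as `sh triage.sh demo` against the constructed data, or call new_invocations with the scripts.log extracted from an admin-tech bundle and your own reviewed baseline.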

In February, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added two Cisco SD-WAN flaws to its Known Exploited Vulnerabilities (KEV) catalog.

Below are the flaws added to the catalog:

  • CVE-2022-20775 Cisco Catalyst SD-WAN Path Traversal Vulnerability
  • CVE-2026-20127 Cisco Catalyst SD-WAN Controller and Manager Authentication Bypass Vulnerability

(SecurityAffairs – hacking, Cisco SD-WAN)