High; Known exploited (KEV); CVE-2026-20245

Arbitrary command execution in Cisco Catalyst SD-WAN Manager (CVE-2026-20245) — root via a crafted file

Cisco Catalyst SD-WAN Manager; added to KEV Jun 9, 2026; federal remediation due 2026-06-23

An output-escaping flaw in Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage) lets an authenticated local attacker run arbitrary commands as root by supplying a crafted file. CISA lists it in the Known Exploited Vulnerabilities (KEV) catalog, and NVD rates it CVSS 7.8 (High).

Key facts

  • CVE ID: CVE-2026-20245
  • CVSS base score: 7.8 HIGH
  • CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • Affected (vendor / product): Cisco Catalyst SD-WAN Manager
  • CWE: CWE-116
  • Exploitation: Listed in CISA KEV (exploitation confirmed)
  • Remediation due: 2026-06-23 (U.S. federal civilian agencies, BOD 22-01)

Key points

  • Improper output encoding/escaping (CWE-116) in Cisco Catalyst SD-WAN Manager (formerly vManage)
  • An authenticated local attacker can run arbitrary commands as root via a crafted file
  • Compromise of the central network-management platform risks propagation to many downstream sites
  • Listed in CISA KEV = exploitation confirmed; CVSS 7.8 High, per NVD
  • Response: apply Cisco's fix; if not possible, consider disabling the feature / discontinuing use

CVE-2026-20245 is an improper output encoding/escaping vulnerability (CWE-116) in Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage). SD-WAN Manager is the platform for centrally managing and controlling a wide-area network (SD-WAN) that connects multiple sites.

Per public information, an authenticated local attacker can execute arbitrary commands as root by supplying a crafted file to the affected system. Because the prerequisite is "authenticated and local," it is harder to reach than an unauthenticated remote flaw, but the key concern is that a low-privileged user can reach root.

Targeting a network-management platform matters greatly: seizing SD-WAN Manager lets an attacker manipulate the configuration of many downstream sites and devices, propagating the attack across the organization's entire network.

Key response: check Cisco's official advisory, identify affected versions, and apply the fix. If the fix cannot be applied, follow the BOD 22-01 process and consider disabling the affected feature or discontinuing use. Minimizing access to the management platform and reviewing operation logs are also advised.

Why it matters

This vulnerability concerns the network-management platform of organizations running multi-site SD-WAN. Seizing the platform leads directly to organization-wide propagation, so prompt patching, least-privilege management access, and operation-log review are the priorities. It underscores the need to treat the network-control plane as a high-value asset.

FAQ

What is SD-WAN Manager?
Cisco's platform (formerly vManage) for centrally managing and controlling a wide-area network (SD-WAN) that links multiple sites. It is a linchpin of the network configuration.
If it is "authenticated and local," is the risk low?
The prerequisite is stricter than an unconditionally remote flaw, but a low-privileged user reaching root is serious, and NVD rates it High (7.8). It can be abused by insiders or as one step in a multi-stage attack.
What should I do?
Check Cisco's official advisory for affected versions and apply the fix. If you cannot, disabling the feature or discontinuing use are options. Minimizing management access and reviewing logs are also recommended.

Sources (primary)

This article is an independent summary based on the U.S. official data below. Always verify the exact, latest details and applicability with the official and vendor sources.
