Cisco Catalyst SD-WAN Manager Privilege Escalation (CVE-2026-20245)
by Ashraf Zaryouh (0xBlackash) · 2026-06-28
- Severity: High
- CVE: CVE-2026-20245
- Category: network
- Affected product: Cisco Catalyst SD-WAN Manager (vManage), SD-WAN Controller (vSmart), SD-WAN Validator (vBond)
- Affected versions: All current versions; **no patch available at time of ingest**
- Disclosed: 2026-06-28
- Patch status: unpatched
Archive entry: intelseclab/poc-archive
Metadata
| Field | Value |
|---|---|
| Date Added | 2026-06-28 |
| Last Updated | 2026-06-14 |
| Author / Researcher | Ashraf Zaryouh (0xBlackash) |
| CVE / Advisory | CVE-2026-20245 |
| Category | network |
| Severity | High |
| CVSS Score | 7.8 (CVSSv3) |
| Status | PoC |
| Tags | privilege-escalation, Cisco, SD-WAN, vManage, file-upload, command-injection, root, CISA-KEV, no-patch, Mandiant, nation-state |
| Related | N/A |
Affected Target
| Field | Value |
|---|---|
| Software / System | Cisco Catalyst SD-WAN Manager (vManage), SD-WAN Controller (vSmart), SD-WAN Validator (vBond) |
| Versions Affected | All current versions; no patch available at time of ingest |
| Language / Platform | Python (advisory PoC); Linux (target) |
| Authentication Required | Yes (netadmin role required) |
| Network Access Required | Yes (management plane access) |
Summary
CVE-2026-20245 is the seventh Cisco SD-WAN zero-day exploited in 2026. An authenticated attacker with netadmin privileges on Cisco Catalyst SD-WAN Manager can upload a specially crafted file to the CLI subsystem, triggering insufficient input validation and executing arbitrary OS commands as root. In the wild, attackers used this to create a privileged troot account (via an evil_tenant.csv upload), then pushed malicious configuration policies to edge devices across the entire SD-WAN fabric. Mandiant (Google Cloud) reported the in-the-wild exploitation; CISA added it to KEV on June 15, 2026. No patch is available.
Vulnerability Details
Root Cause
The CLI subsystem of Cisco SD-WAN Manager fails to properly validate user-controlled content within uploaded files. Malicious input is interpreted by a privileged process running on the management platform, enabling command injection and privilege escalation to root.
Attack Vector
- Authenticate to SD-WAN Manager with netadmin credentials (obtained via phishing, credential stuffing, or prior compromise).
- Upload a crafted file (e.g., evil_tenant.csv) via the CLI or API.
- Insufficient validation allows command injection → root on the vManage appliance.
- Create persistent admin accounts; push malicious policies to edge devices across the SD-WAN fabric.
Impact
Root-level code execution on SD-WAN Manager with the ability to modify configurations and push policy changes to all managed WAN edge devices. An attacker can disrupt entire enterprise WAN operations, establish persistence, or pivot to managed branch networks.
Environment / Lab Setup
Target: Cisco Catalyst SD-WAN Manager with netadmin account
Attacker: Python 3
Note: Requires valid netadmin credentials — not unauthenticated
Proof of Concept
Advisory / Detection Script
See CVE-2026-20245.py in this folder. Educational advisory — documents the vulnerability and detection methods.
Indicators of Compromise
Mandiant-reported TTPs:
- Upload of evil_tenant.csv to the vManage CLI subsystem
- Creation of the troot privileged account post-exploitation
- Lateral configuration pushes to WAN edge devices via the compromised vManage
Remediation
| Action | Detail |
|---|---|
| Patch | No patch available. Cisco states fix in a “future release” with no workaround |
| Mitigate | Restrict netadmin account access; enforce MFA; limit management plane exposure; monitor audit logs for unexpected uploads |
| Monitor | Alert on any CLI file uploads, new admin account creation, and off-hours policy deployments |
| Mandiant report | https://cloud.google.com/blog/topics/threat-intelligence/zero-day-exploitation-cisco-catalyst-sd-wan-manager |
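As an added detection example (not part of the archive entry or the 0xBlackash repository), the following Python applies the three Monitor rules and the Mandiant-reported indicators listed above to constructed audit events. The JSON-lines field names and the 08:00-17:59 UTC change window are assumptions, not the real SD-WAN Manager audit schema; map them to your own audit-log export.

```python
import json
from datetime import datetime

# Constructed sample audit events in an ASSUMED simplified JSON-lines schema.
# Real SD-WAN Manager audit records differ; map the field names to your export.
SAMPLE_AUDIT_LOG = """\
{"ts": "2026-06-12T03:14:22Z", "user": "netadmin1", "action": "cli_file_upload", "detail": "evil_tenant.csv"}
{"ts": "2026-06-12T03:15:40Z", "user": "netadmin1", "action": "user_create", "detail": "troot", "role": "netadmin"}
{"ts": "2026-06-12T03:20:05Z", "user": "troot", "action": "policy_push", "detail": "vedge-branch-07"}
{"ts": "2026-06-12T10:02:11Z", "user": "ops-admin", "action": "policy_push", "detail": "vedge-branch-01"}
{"ts": "2026-06-12T11:30:00Z", "user": "ops-admin", "action": "template_attach", "detail": "vedge-branch-02"}
{"ts": "2026-06-12T22:45:00Z", "user": "ops-admin", "action": "policy_push", "detail": "vedge-branch-03"}
"""

KNOWN_IOCS = {"evil_tenant.csv", "troot"}  # Mandiant-reported TTPs listed on this page
BUSINESS_HOURS = range(8, 18)               # assumed 08:00-17:59 UTC change window


def parse_events(text):
    """Parse JSON-lines audit records, converting the timestamp to a datetime."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(ev)
    return events


def detect(events):
    """Apply the three Monitor rules; return (severity, message) per hit in log order."""
    findings = []
    for ev in events:
        act, user, det = ev["action"], ev["user"], ev.get("detail", "")
        when = ev["ts"].strftime("%Y-%m-%d %H:%M")
        if act == "cli_file_upload":                                  # rule 1: any CLI file upload
            sev = "critical" if det in KNOWN_IOCS else "high"
            findings.append((sev, f"{when} CLI file upload by {user}: {det}"))
        elif act == "user_create" and ev.get("role") == "netadmin":   # rule 2: new admin account
            sev = "critical" if det in KNOWN_IOCS else "high"
            findings.append((sev, f"{when} new netadmin account {det!r} created by {user}"))
        elif act == "policy_push":                                    # rule 3: policy deployments
            if user in KNOWN_IOCS:
                findings.append(("critical", f"{when} policy push by IoC account {user} to {det}"))
            elif ev["ts"].hour not in BUSINESS_HOURS:
                findings.append(("medium", f"{when} off-hours policy push by {user} to {det}"))
    return findings


if __name__ == "__main__":
    for sev, msg in detect(parse_events(SAMPLE_AUDIT_LOG)):
        print(f"[{sev.upper():8}] {msg}")
```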
References
- CVE-2026-20245
- Google Cloud / Mandiant blog: Zero-Day Exploitation of Cisco Catalyst SD-WAN Manager
- Source repository (0xBlackash/CVE-2026-20245)
- MITRE ATT&CK: T1078 (Valid Accounts), T1059 (Command Interpreter), TA0004 (Privilege Escalation), T1098 (Account Manipulation)
Notes
Auto-ingested from https://github.com/0xBlackash/CVE-2026-20245 on 2026-06-28. Seventh Cisco SD-WAN zero-day exploited in 2026 per SecurityWeek. Nation-state attribution implied by Mandiant reporting; no public actor name confirmed. No patch or workaround from Cisco at time of ingest. CISA KEV added June 15, 2026.