Cisco SD-WAN Manager zero-day exploited in the wild (CVE-2026-20245)

On 5 June 2026, Cisco warned that an unpatched, high-severity zero-day in its Catalyst SD-WAN Manager — tracked as CVE-2026-20245 — was being actively exploited in the wild. The flaw stems from insufficient validation of user-supplied input and lets an attacker upload a crafted file to perform command injection and execute arbitrary commands as root.

What happened

Cisco's Product Security Incident Response Team (PSIRT) said it became aware of exploitation after Google Cloud's Mandiant reported the issue, confirming a limited number of cases in which the flaw was abused to push a configuration change to edge devices. To exploit the vulnerability, an attacker first needs netadmin privileges on the targeted system — obtainable with compromised credentials or by chaining other SD-WAN flaws such as CVE-2026-20182 or CVE-2026-20127.

The vulnerability affects all deployment types, including on-premises, Cisco SD-WAN Cloud-Pro, Cisco-managed cloud, and the FedRAMP-authorised SD-WAN for Government. At disclosure, Cisco had not released a patch for CVE-2026-20245 and advised customers to move to the software fixed for CVE-2026-20182.

Why it matters

SD-WAN managers sit at the control plane of enterprise networks, orchestrating configuration for fleets of edge devices. Root code execution there turns a single compromised management console into leverage over an entire network's routing — and this marks one of a string of SD-WAN zero-days Cisco has had to address in 2026, several exploited before any fix was available.

Sources

bleepingcomputer.comhttps://www.bleepingcomputer.com/news/security/new-cisco-sd-wan-flaw-exploited-in-zero-day-attacks-to-gain-root/

securityweek.comhttps://www.securityweek.com/cisco-warns-of-7th-sd-wan-zero-day-exploited-in-2026/

theregister.comhttps://www.theregister.com/security/2026/06/05/yet-another-cisco-sd-wan-0-day-under-attack-and-no-patch-in-sight/5251855

cybersecuritydive.comhttps://www.cybersecuritydive.com/news/cisco-zero-day-flaw-sd-wan-exploited/822138/

Related incidents

Zero-dayOngoingJune 10, 2026

Microsoft Defender 'RoguePlanet' zero-day grants SYSTEM privileges (CVE-2026-47281)

Researchers disclosed a Microsoft Defender privilege-escalation zero-day dubbed RoguePlanet (CVE-2026-47281) that abuses a race condition to redirect a SYSTEM-level file operation and hand a local attacker full SYSTEM access on fully updated Windows machines.

Victim: Microsoft Defender

Zero-dayContainedJune 9, 2026

Google patches actively exploited Chrome V8 zero-day (CVE-2026-11645)

Google shipped an emergency Chrome update fixing CVE-2026-11645, a high-severity out-of-bounds memory flaw in the V8 engine that lets a crafted web page run arbitrary code and for which an exploit already exists in the wild.

Victim: Google Chrome

Zero-dayOngoingJune 2, 2026

Google patches actively exploited Android zero-day (CVE-2025-48595)

Google's June 2026 Android security update fixed 124 vulnerabilities, including CVE-2025-48595, an actively exploited integer-overflow flaw in the Android Framework that lets a local attacker escalate privileges without user interaction.

Victim: Google Android

Supply chainContainedJune 4, 2026

IronWorm self-propagating malware hits 36 npm packages (2026)

Researchers disclosed IronWorm, a Rust-based, self-propagating infostealer that compromised 36 npm packages, stealing developer and CI secrets and republishing trojanized packages using stolen npm publishing credentials.

Victim: npm (Node Package Manager registry)