Cisco Catalyst SD-WAN Manager Authenticated Privilege Escalation Vulnerability

Act Now | CVSS 7.8 | cisco-sa-sdwan-privesc-4uxFrdzx | Jun 4, 2026
Cisco
IT in OT - Cisco networking products are commonly deployed in OT environments
Attack path
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

A vulnerability in the Cisco Catalyst SD-WAN Manager CLI allows an authenticated attacker with netadmin privileges to execute arbitrary commands as root through insufficient input validation on uploaded files. A successful exploit enables command injection and root privilege escalation on the Manager system. Cisco has observed limited cases where exploitation resulted in unauthorized configuration changes being pushed to edge devices. The vulnerability requires valid netadmin credentials or prior exploitation of CVE-2026-20182 or CVE-2026-20127. No workarounds are available.

What this means
What could happen
An attacker with valid engineering credentials on the SD-WAN Manager could run arbitrary commands as root, potentially modifying network configurations pushed to all connected edge devices and disrupting WAN connectivity across the organization.
Who's at risk
Network managers operating Cisco Catalyst SD-WAN Manager environments who use the system to centrally manage WAN edge devices and branch connectivity. Impact extends to all edge devices whose configurations could be altered through the compromised Manager.
How it could be exploited
An attacker with netadmin privileges uploads a crafted file through the CLI. The Manager fails to validate the file contents, allowing command injection that executes with root privileges. The attacker can then alter configurations or push malicious changes to connected branch routers.
Prerequisites
  • Valid netadmin credentials on the Catalyst SD-WAN Manager
  • Local or CLI access to the Manager system
  • OR prior exploitation of CVE-2026-20182 or CVE-2026-20127 to obtain initial netadmin access
Authenticated local access required but privileged account compromise is common. Can alter configurations on multiple remote devices. No patch available yet from Cisco. No workarounds available.
Exploitability
Actively exploited — confirmed by CISA KEV
Affected products (1)
Product | Affected Versions | Fix Status
Catalyst SD-WAN Manager | All versions | Fix available
Remediation & Mitigation
Do now
HARDENING: Before upgrading, run the admin-tech command from each SD-WAN control component to collect indicators of compromise
HARDENING: Review and verify the configuration of all edge devices for unauthorized changes that may have been pushed during the compromise window
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Upgrade Catalyst SD-WAN Manager to a patched version per Cisco security advisory cisco-sa-sdwan-rpa2-v69WY2SW
Long-term hardening
HARDENING: Restrict CLI access to the SD-WAN Manager to authorized personnel only and disable unused management interfaces

Cisco Catalyst SD-WAN Manager Authenticated Privilege Escalation Vulnerability | CVSS 7.8 - OTPulse