Cisco Catalyst SD-WAN Manager CVE-2026-20245: KEV CLI Privilege Escalation to Root
CISA added CVE-2026-20245 to KEV on 2026-06-09. Cisco scopes the authenticated local command-injection flaw to Catalyst SD-WAN Controller, Manager, and Validator and lists fixed 20.18.3.1 and 26.1.1.2 releases as of 2026-06-10.
Executive Summary
CISA added CVE-2026-20245 to the Known Exploited Vulnerabilities catalog on 2026-06-09, with a remediation due date of 2026-06-23 CISA KEV. Cisco’s June 10 advisory version 1.5 scopes the flaw to Catalyst SD-WAN Controller, Catalyst SD-WAN Manager, and Catalyst SD-WAN Validator, regardless of configuration or deployment type Cisco.
An attacker must already hold netadmin privileges, obtained through valid credentials or exploitation of CVE-2026-20182 or CVE-2026-20127. A crafted uploaded file can trigger command injection and execute commands as root. Cisco observed limited cases where exploitation resulted in configuration changes pushed to edge devices. Cisco lists 20.18.3.1 and 26.1.1.2 as fixed releases; fixes for listed 20.9, 20.12, and 20.15 trains remained future releases as of 2026-06-10 Cisco.
Key Facts
cve: "CVE-2026-20245"
vendor: "Cisco"
products:
- "Catalyst SD-WAN Controller (vSmart)"
- "Catalyst SD-WAN Manager (vManage)"
- "Catalyst SD-WAN Validator (vBond)"
vulnerability: "Authenticated local command injection and privilege escalation to root"
cwe: "CWE-116"
cvss_v31: "7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
first_published: "2026-06-04"
last_reviewed: "2026-06-10"
kev_added: "2026-06-09"
kev_due: "2026-06-23"
required_privilege: "netadmin"
precursor_cves:
- "CVE-2026-20182"
- "CVE-2026-20127"
fixed_releases:
"20.18.3": "20.18.3.1"
"26.1.1.2_and_earlier": "26.1.1.2"
pending_release_trains:
- "20.9.9.1 and earlier"
- "20.12.7.1 and earlier"
- "20.15.4.4 and earlier"
- "20.15.5.2 and earlier"
workarounds: "none"
Source Confidence & Evidence Mapping
- confirmed: CISA lists the flaw as known exploited and requires action by June 23, 2026 CISA KEV.
- confirmed: Cisco requires existing `netadmin` access and identifies valid credentials, CVE-2026-20182, or CVE-2026-20127 as observed precursor paths Cisco.
- confirmed: Cisco observed limited cases that pushed configuration changes to edge devices and published `/var/log/scripts.log` review guidance Cisco.
- confirmed: Cisco advisory version 1.5 lists fixed releases for 20.18 and 26.1 while other listed trains remain pending Cisco.
- unknown: Cisco has not published malicious filenames, payload strings, hashes, source addresses, or actor attribution.
Impact Determination
| Classification | Criteria | Required evidence | Required action | Closure condition |
|---|---|---|---|---|
| Confirmed compromise | Unauthorized upload-script execution, root command execution, or unexplained edge configuration changes appear on an affected control component. | admin-tech, /var/log/scripts.log, AAA records, CLI history, process evidence, and edge configuration diffs. | Isolate affected control components, preserve evidence, engage Cisco TAC, rebuild or remediate per TAC guidance, and rotate administrative credentials. | Fixed release is installed and all unauthorized control-plane and edge changes are removed with TAC-supported evidence. |
| Presumed exposed | A listed affected release is present and netadmin credentials or precursor-CVE exposure cannot be excluded. | Exact release, credential audit, CVE-2026-20182/CVE-2026-20127 status, and internet exposure. | Preserve admin-tech, restrict management access, patch to an available fixed release, and review scripts and edge changes. | Fixed-release proof plus negative credential, script-log, and edge-configuration review. |
| Potentially exposed | Product is present but release, role, or deployment type is incomplete. | Inventory and control-component export. | Collect exact component roles, releases, and management exposure. | Asset is reclassified with evidence. |
| Not exposed | No affected control component exists, or an available fixed release is installed and compromise review is negative. | Inventory, version output, and audit artifacts. | Preserve closure evidence. | Evidence is attached to the asset record. |
| Unknown | Required logs, release data, or configuration history are unavailable. | Named evidence gap. | Keep the control plane in scope and engage Cisco TAC where compromise cannot be excluded. | Evidence is recovered or risk is formally accepted. |
Timeline
- 2026-06-04: Cisco publishes advisory version 1.0 Cisco.
- 2026-06-05: Cisco adds indicators-of-compromise guidance.
- 2026-06-09: CISA adds CVE-2026-20245 to KEV; Cisco expands affected-product and fixed-release information CISA alert.
- 2026-06-10: Cisco advisory version 1.5 adds release-train detail and confirms fix availability for `26.1.1.2` Cisco.
Technical Analysis
The flaw is in CLI handling of an uploaded file. Insufficient validation allows a netadmin user to inject commands that execute as root. This is a post-authentication privilege-escalation stage, not a remote unauthenticated entry point. The highest-risk chain is an authentication bypass such as CVE-2026-20182 followed by CVE-2026-20245.
Cisco says the affected products include every deployment type: on-premises, Cloud-Pro, Cisco-managed cloud, and FedRAMP. Preserve an admin-tech bundle from each control component before upgrading. Applying a software update alone is not sufficient when compromise evidence exists.
Affected Assets and Blast Radius
asset_selectors:
- "Catalyst SD-WAN Controller"
- "Catalyst SD-WAN Manager"
- "Catalyst SD-WAN Validator"
- "vSmart"
- "vManage"
- "vBond"
high_value_evidence:
- "/var/log/scripts.log"
- "admin-tech bundle from each control component"
- "edge-device configuration history and diffs"
Indicators And Detection Selectors
vulnerabilities:
- "CVE-2026-20245"
- "CVE-2026-20182"
- "CVE-2026-20127"
script_selectors:
- "/usr/bin/vconfd_script_upload_tenant_list.sh"
- "/usr/bin/vconfd_script_upload_vsmart_serial_numbers.sh"
- "/usr/bin/vconfd_script_upload_chassis_number_file.sh"
log_path: "/var/log/scripts.log"
The script names above are legitimate administrative commands and are not standalone IOCs. Escalate only when the actor, file path, timing, or resulting configuration change is unauthorized or unexplained.
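A triage pass over `/var/log/scripts.log` that applies the rule above, added here as an illustration and not Cisco's own tooling: Cisco has not published the log format, so the `timestamp user= script= arg=` layout of the sample lines is constructed, and the change records and the expected staging path under the actor's home directory are assumptions. It reports only upload-script invocations whose actor, timing, or source path has no explanation, which is the escalation condition the text describes.

```python
import re
from datetime import datetime, timezone

# Constructed /var/log/scripts.log sample. Cisco has not published the real
# format; the "timestamp user= script= arg=" layout is an assumption.
SAMPLE_LOG = """\
2026-06-08T09:12:41Z user=netops-admin script=/usr/bin/vconfd_script_upload_chassis_number_file.sh arg=/home/netops-admin/chassis.csv
2026-06-09T02:47:03Z user=svc-backup script=/usr/bin/vconfd_script_upload_tenant_list.sh arg=/tmp/tenants.txt
2026-06-09T02:47:05Z user=svc-backup script=/usr/bin/vconfd_script_upload_vsmart_serial_numbers.sh arg=/tmp/serials.csv
2026-06-09T14:20:10Z user=netops-admin script=/usr/bin/vconfd_script_upload_vsmart_serial_numbers.sh arg=/home/netops-admin/serials.csv
"""

# The three legitimate upload scripts named in the advisory guidance.
UPLOAD_SCRIPTS = {
    "/usr/bin/vconfd_script_upload_tenant_list.sh",
    "/usr/bin/vconfd_script_upload_vsmart_serial_numbers.sh",
    "/usr/bin/vconfd_script_upload_chassis_number_file.sh",
}

# Constructed change records (user, window start, window end): an upload is
# "explained" only when a record covers its actor and time.
CHANGE_RECORDS = [
    ("netops-admin", "2026-06-08T09:00:00Z", "2026-06-08T10:00:00Z"),
    ("netops-admin", "2026-06-09T14:00:00Z", "2026-06-09T15:00:00Z"),
]

LINE_RE = re.compile(r"^(\S+) user=(\S+) script=(\S+) arg=(\S+)$")

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def explained(user, ts):
    return any(user == u and parse_ts(a) <= ts <= parse_ts(b) for u, a, b in CHANGE_RECORDS)

def triage(log_text):
    """Return upload-script runs with no change record or an unexpected source path."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(3) not in UPLOAD_SCRIPTS:
            continue  # unparsable line, or not one of the upload scripts
        ts_s, user, script, arg = m.groups()
        reasons = []
        if not explained(user, parse_ts(ts_s)):
            reasons.append("no change record for actor/time")
        if not arg.startswith(f"/home/{user}/"):  # assumed expected staging path
            reasons.append("upload staged outside actor home directory")
        if reasons:
            findings.append({"ts": ts_s, "user": user, "script": script, "arg": arg, "reasons": reasons})
    return findings
```

Each finding is a lead for the admin-tech, AAA, and edge-configuration review in the impact table, not a verdict on its own.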
Detection and Hunting
Script: local repository and exported telemetry scope
```python
#!/usr/bin/env python3
import os
import sys
from pathlib import Path

ROOT = sys.argv[1] if len(sys.argv) > 1 else "."
LOG_ROOT = os.environ.get("LOG_ROOT", "")
OUT = Path(os.environ.get("OUT", "hp-cisco-sdwan-manager-cve-2026-20245-kev-scope"))
SINCE = "2026-06-09T00:00:00Z"
UNTIL = "2026-06-09T23:59:59Z"
PACKAGES = []
# Fixed and pending release strings from the advisory. These are software
# versions, not IP addresses, so they live in VERSIONS rather than IPS.
VERSIONS = [
    "20.18.3.1",
    "26.1.1.2",
    "20.9.9.1",
    "20.12.7.1",
    "20.15.4.4",
    "20.15.5.2",
]
FILES = []
DOMAINS = [
    "www.cisa.gov",
    "sec.cloudapps.cisco.com",
]
URLS = [
    "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json",
    "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-privesc-4uxFrdzx",
    "https://www.cisa.gov/news-events/alerts/2026/06/09/cisa-adds-three-known-exploited-vulnerabilities-catalog",
]
IPS = []
HASHES = []
PROCESS_PATTERNS = []
NETWORK_PATTERNS = []
# Positive signal: repository, lockfile, artifact, process, or network telemetry contains one of the exact incident selectors above.
# Escalation: any match tied to a production build, CI run, deployed asset, or secret-bearing host moves the asset to presumed exposed.

OUT.mkdir(parents=True, exist_ok=True)
indicators_file = OUT / "indicators.txt"

# Collect unique, non-empty selectors across all groups
indicators = set()
for group in [PACKAGES, VERSIONS, FILES, DOMAINS, URLS, IPS, HASHES, PROCESS_PATTERNS, NETWORK_PATTERNS]:
    for val in group:
        if val:
            indicators.add(val)
with open(indicators_file, "w") as f:
    for ind in sorted(indicators):
        f.write(ind + "\n")
print(f"[+] Written unique selectors to {indicators_file}")


def scan_tree(base, exclude_dirs=frozenset()):
    """Return 'path: found selector' lines for every file under base that contains a selector."""
    found = []
    for root, dirs, filenames in os.walk(base):
        dirs[:] = [d for d in dirs if d not in exclude_dirs]
        for filename in filenames:
            filepath = Path(root) / filename
            try:
                content = filepath.read_text(errors="ignore")
            except Exception:
                continue  # unreadable or binary-only file; skip rather than abort the scan
            for ind in indicators:
                if ind in content:
                    found.append(f"{filepath}: found '{ind}'")
    return found


# Walk local directory
print(f"[+] Scanning directory: {ROOT} for selectors...")
matches = scan_tree(ROOT, {"node_modules", "vendor", "dist", ".git"})
if matches:
    (OUT / "repository-indicator-matches.txt").write_text("\n".join(matches) + "\n")
    print(f"[!] Found {len(matches)} matches in codebase!")

# Optional log scanning of exported telemetry
if LOG_ROOT and os.path.exists(LOG_ROOT):
    print(f"[+] Scanning telemetry log directory: {LOG_ROOT}...")
    log_matches = scan_tree(LOG_ROOT)
    if log_matches:
        (OUT / "exported-telemetry-indicator-matches.txt").write_text("\n".join(log_matches) + "\n")
        print(f"[!] Found {len(log_matches)} matches in logs!")

if PACKAGES:
    registry_dir = OUT / "registry"
    registry_dir.mkdir(exist_ok=True)

print(f"[+] Wrote scope artifacts under {OUT}")
```
Remediation and Closure
- Run `request admin-tech` on each control component and retain relevant logs before upgrade.
- Restrict management access and revoke unexplained `netadmin` sessions or credentials.
- Upgrade 20.18 deployments to `20.18.3.1` or later and 26.1 deployments to `26.1.1.2` or later. Contact Cisco TAC for trains whose fixed release remained pending on June 10, 2026.
- Review edge-device configurations for unauthorized changes.
- When compromise is confirmed, follow Cisco TAC remediation; patching alone does not remove attacker changes or persistence.