Cisco has issued an urgent security advisory warning customers about an actively exploited zero-day vulnerability in Cisco Catalyst SD-WAN Manager (tracked as CVE-2026-20245) that allows attackers to escalate privileges to root on affected systems. Critically, no patch is available at the time of disclosure — organizations running vulnerable deployments must rely on mitigations while awaiting an official fix.
What Is CVE-2026-20245?
The zero-day resides in Cisco Catalyst SD-WAN Manager, the centralized orchestration and management platform for Cisco SD-WAN deployments. It is a privilege-escalation flaw: an authenticated attacker, or one who has otherwise gained access to the management plane, can escalate to root on the underlying operating system. That precondition matters for defenders, because it means exposure is governed by who can reach and authenticate to the manager, which is exactly what the interim mitigations below aim to restrict.
Root access to the SD-WAN Manager is equivalent to full control over all SD-WAN routing policies, segmentation rules, and WAN configurations managed by the platform — including the ability to push changes to all connected branch sites.
Active Exploitation in the Wild
Cisco confirmed the zero-day is under active exploitation at the time of the advisory — meaning threat actors are already using this vulnerability in real attacks, not just proof-of-concept demonstrations. The vendor has not disclosed specific details about the threat actors involved or the scale of exploitation.
The vulnerability's severity is compounded by:
- No patch available — Cisco has not yet released a fixed software version
- Centralized blast radius — Compromising SD-WAN Manager gives an attacker reach over all managed branch and WAN sites
- Management plane exposure — SD-WAN Manager interfaces are frequently exposed to internal networks and, in some deployments, the internet
Who Is Affected?
Organizations running Cisco Catalyst SD-WAN Manager should review the official Cisco Security Advisory for the list of affected software versions. Risk from this zero-day is highest in environments where:
- The SD-WAN Manager web UI or API is reachable by untrusted users
- Remote access to the management interface is permitted without additional access controls
- Multi-tenant SD-WAN deployments are managed from a shared SD-WAN Manager instance
Recommended Mitigations
Since no patch is available, Cisco and security practitioners recommend the following interim mitigations. Because exploitation is already under way, treat this as two tasks: cut off further exposure, and check whether the manager has already been abused.
- Restrict management plane access — Immediately limit access to the SD-WAN Manager UI and API to trusted management IP ranges using firewall ACLs. The management interface should never be internet-accessible. Because the flaw requires access to the management plane, this is the single most effective interim control.
- Enable multi-factor authentication — Ensure all accounts with access to the SD-WAN Manager are protected by MFA to reduce the risk of stolen credentials supplying the access the exploit needs. MFA does not help against an attacker who already holds a valid account or session, so pair it with a review of existing accounts and active sessions.
- Review recent privilege changes — Audit SD-WAN Manager logs for any unexpected privilege escalation events, new administrative account creation, or unusual configuration changes pushed to branch devices. An attacker with root on the host can alter local logs, so prefer copies forwarded to an external collector, and treat gaps or truncation in the local audit trail as a finding in itself.
- Monitor for suspicious activity — Look for anomalous API calls, unexpected configuration pushes to branch sites, or unusual process execution on the SD-WAN Manager host, particularly processes running as root that were not started by the platform's own services.
- Apply defense-in-depth — Segment the SD-WAN Manager from general corporate network access and ensure all management traffic passes through monitored security controls.
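The log-review and monitoring items above can be turned into a first-pass triage script. What follows is an added example, not Cisco code and not taken from the advisory: it runs a handful of checks over constructed audit events. The JSON layout, field names, role names (admin, netadmin), trusted management ranges and change window are all assumptions, to be replaced with the actual audit export and policy of your deployment.

```python
"""First-pass triage of SD-WAN Manager audit events against the checklist above.

Added example, not Cisco code. The event layout, field names, role names,
trusted ranges and change window are all assumptions; adapt them to the
actual audit export and policy of your deployment.
"""
import ipaddress
import json
from collections import Counter
from datetime import datetime
from typing import NamedTuple

# Assumption: the only ranges allowed to reach the SD-WAN Manager UI and API.
TRUSTED_MGMT_NETS = [
    ipaddress.ip_network("10.50.0.0/24"),
    ipaddress.ip_network("192.168.100.0/25"),
]
# Assumption: role names that confer administrative control of the manager.
PRIVILEGED_ROLES = {"admin", "netadmin"}
# Assumption: approved change window for configuration pushes, 01:00-04:59 UTC.
CHANGE_WINDOW_HOURS = range(1, 5)

# Constructed sample events, one JSON object per line. Not real Cisco log data.
SAMPLE_EVENTS = """\
{"ts": "2026-02-11T02:10:00Z", "user": "ops1", "src_ip": "10.50.0.12", "action": "login", "details": {}}
{"ts": "2026-02-11T02:12:40Z", "user": "ops1", "src_ip": "10.50.0.12", "action": "config_push", "details": {"sites": 3}}
{"ts": "2026-02-11T13:01:05Z", "user": "ops1", "src_ip": "203.0.113.77", "action": "login", "details": {}}
{"ts": "2026-02-11T13:02:20Z", "user": "ops1", "src_ip": "203.0.113.77", "action": "user_create", "details": {"new_user": "svc_backup", "role": "netadmin"}}
{"ts": "2026-02-11T13:03:55Z", "user": "svc_backup", "src_ip": "203.0.113.77", "action": "role_change", "details": {"target": "svc_backup", "role": "netadmin"}}
{"ts": "2026-02-11T13:05:10Z", "user": "svc_backup", "src_ip": "203.0.113.77", "action": "config_push", "details": {"sites": 48}}
{"ts": "2026-02-11T13:06:00Z", "user": "svc_backup", "src_ip": "203.0.113.77", "action": "shell_exec", "details": {"uid": 0, "cmd": "/bin/bash"}}
"""


class Finding(NamedTuple):
    ts: str
    rule: str
    user: str
    src_ip: str
    detail: str


def _is_trusted(src_ip: str) -> bool:
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in TRUSTED_MGMT_NETS)


def _hour_utc(ts: str) -> int:
    # fromisoformat() accepts a trailing "Z" only on Python 3.11+, so normalise it.
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).hour


def triage(events_text: str) -> list[Finding]:
    """Apply each rule to every event and return the hits in event order."""
    findings: list[Finding] = []
    for line in events_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        d = ev.get("details", {})

        def hit(rule: str, detail: str) -> None:
            findings.append(Finding(ev["ts"], rule, ev["user"], ev["src_ip"], detail))

        # Management plane reached from outside the allowlisted ranges.
        if not _is_trusted(ev["src_ip"]):
            hit("untrusted_source", f"{ev['action']} from outside trusted management ranges")
        # New account created directly with an administrative role.
        if ev["action"] == "user_create" and d.get("role") in PRIVILEGED_ROLES:
            hit("privileged_account_created", f"new user {d['new_user']} with role {d['role']}")
        # Existing account raised to an administrative role.
        if ev["action"] == "role_change" and d.get("role") in PRIVILEGED_ROLES:
            hit("privilege_escalation", f"{d['target']} granted role {d['role']}")
        # Configuration pushed to branches outside the approved window.
        if ev["action"] == "config_push" and _hour_utc(ev["ts"]) not in CHANGE_WINDOW_HOURS:
            hit("config_push_outside_window", f"push to {d.get('sites', '?')} sites outside change window")
        # Root-level process execution on the manager host.
        if ev["action"] == "shell_exec" and d.get("uid") == 0:
            hit("root_shell", f"root process execution: {d.get('cmd')}")
    return findings


def rule_counts(findings: list[Finding]) -> dict[str, int]:
    """Summarise findings per rule, useful as a quick daily health figure."""
    return dict(Counter(f.rule for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.ts} {f.rule:<28} user={f.user:<11} src={f.src_ip:<14} {f.detail}")
    print(rule_counts(triage(SAMPLE_EVENTS)))
```

Run it over a day of exported audit events. On the constructed sample, the first two events (a login and a small push from an allowlisted address inside the change window) produce nothing, while the later sequence from 203.0.113.77 trips every rule: an untrusted source, a new netadmin account, a role change, a large off-hours push and a root shell. A privileged_account_created or root_shell hit that coincides with an untrusted source is consistent with the post-exploitation activity the advisory warns about and should go straight to incident response rather than to a ticket queue.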
Why SD-WAN Manager Compromise Is High Stakes
Cisco Catalyst SD-WAN Manager sits at the heart of enterprise WAN infrastructure. A successful compromise means an attacker with root access can:
- Modify or delete routing policies across all managed sites
- Extract VPN configurations, credentials, and network topology data
- Redirect WAN traffic to attacker-controlled infrastructure
- Disable security controls enforced through SD-WAN policies
- Establish persistent backdoor access to the management plane
The combination of an unpatched zero-day and active exploitation makes this an emergency-priority item for all organizations running the affected platform.
Cisco's Response
Cisco stated it is working on a software fix and expects to release patched versions on an accelerated timeline. Organizations should monitor Cisco's Security Advisories portal and subscribe to notifications for CVE-2026-20245 to receive patch availability updates immediately.