A seventh actively exploited zero-day in Cisco's SD-WAN product line has been discovered in 2026, with the vendor confirming that CVE-2026-20245 is under active attack and that no patch is yet available. The disclosure, reported by CyberScoop, marks a troubling milestone: Cisco SD-WAN has now been the subject of seven separately exploited zero-days in a single calendar year, raising serious questions about the security posture of one of the most widely deployed enterprise WAN platforms in the world.
CVE-2026-20245: What We Know
Cisco confirmed the existence of the flaw in its Catalyst SD-WAN Manager platform. While full technical details remain restricted pending patch availability, the vulnerability is consistent with the broader pattern of SD-WAN zero-days disclosed throughout 2026 — targeting the management plane and controller infrastructure that governs enterprise-wide networking policies.
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-20245 |
| Product | Cisco Catalyst SD-WAN Manager |
| Status | Actively exploited in the wild |
| Patch Available | No — vendor advisory pending |
| Context | 7th Cisco SD-WAN zero-day of 2026 |
| Source | CyberScoop / Cisco confirmation |
The Seventh Zero-Day: A Pattern, Not an Outlier
The string of Cisco SD-WAN zero-days in 2026 includes:
- CVE-2026-20127 — SD-WAN Manager privilege escalation (CVSS 10.0)
- CVE-2026-20182 — SD-WAN Controller authentication bypass (CVSS 9.8)
- CVE-2026-20122 — SD-WAN Manager incorrect privileged API use
- A Webex-linked Cisco SD-WAN flaw (disclosed May 2026)
- CVE-2026-20223 — SD-WAN secondary auth bypass (disclosed May 2026)
- A related SD-WAN flaw patched June 5, 2026
- CVE-2026-20245 — this disclosure (patch pending)
This pattern is not coincidental. Cisco SD-WAN's architecture, with a centralized manager (vManage, now Catalyst SD-WAN Manager) governing potentially thousands of branch WAN edge devices, makes it an exceptionally high-value target. A single successful exploitation of the management plane gives attackers:
- Visibility into all WAN traffic flows across the enterprise
- Ability to modify routing policies and redirect traffic
- Access to credentials and VPN configurations for every managed branch
- Persistent foothold in network infrastructure that is difficult to fully eradicate
No Patch Available: What to Do Now
Cisco has not yet released a fixed software version for CVE-2026-20245. In the interim, organizations should treat all SD-WAN management infrastructure as a high-priority hardening target:
Immediate Actions
Restrict management plane access:
- Limit access to vManage UI and API to specific management source IP ranges
- Enforce multi-factor authentication on all vManage administrator accounts
- Review and remove all unnecessary administrator accounts immediately
Enable enhanced audit logging:
```
# vManage: Administration > Audit Log
# Configure SIEM alerting for:
# - Unexpected configuration changes
# - New administrator account creation
# - API calls from unusual source IPs
# - Off-hours access to management interfaces
```
Segment the management plane:
- Place vManage on a dedicated out-of-band management network
- Implement strict firewall rules — the SD-WAN management plane should never be internet-accessible
- Use Cisco's built-in RBAC to enforce least-privilege for all vManage roles
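The SIEM alerting conditions above are easy to state and easy to get wrong in practice, so here is an added example (not code from the original report or from Cisco) of the triage logic run over constructed audit-log records. The record schema, the management source ranges, the approved change operators and the business-hours window are all assumptions; a real SD-WAN Manager audit-log export uses its own field names and must be mapped onto this shape first.

```python
"""Audit-log triage for the four SIEM alert conditions listed above.

Added example, not code from the original report or from Cisco. The record
schema (time, user, src_ip, module, action, detail) is a simplified assumption;
real SD-WAN Manager audit-log exports use their own field names, so map them
onto this shape first. All sample records are constructed.
"""
import ipaddress
from datetime import datetime, timezone

# Assumption: the only source ranges expected to reach the management plane.
ALLOWED_MGMT_NETS = [ipaddress.ip_network("10.0.0.0/24"),
                     ipaddress.ip_network("192.0.2.0/24")]
# Assumption: accounts approved to push configuration changes.
APPROVED_CHANGE_OPERATORS = {"netops"}
# Assumption: business hours are 08:00-18:00 UTC, Monday to Friday.
BUSINESS_HOURS_UTC = (8, 18)

# Constructed sample records: a routine template push, an off-hours account
# creation from an unknown address, the new account's first API call, and a
# routine API call from the management network.
SAMPLE_AUDIT_LOG = [
    {"time": "2026-06-10T09:12:00Z", "user": "netops", "src_ip": "10.0.0.15",
     "module": "template", "action": "update", "detail": "branch-wan-edge pushed"},
    {"time": "2026-06-10T02:41:00Z", "user": "admin", "src_ip": "198.51.100.77",
     "module": "user", "action": "create", "detail": "svc_backup added to netadmin"},
    {"time": "2026-06-10T02:43:00Z", "user": "svc_backup", "src_ip": "198.51.100.77",
     "module": "api", "action": "GET", "detail": "/dataservice/device"},
    {"time": "2026-06-10T10:00:00Z", "user": "netops", "src_ip": "10.0.0.15",
     "module": "api", "action": "GET", "detail": "/dataservice/device"},
]


def parse_time(value):
    """Parse the ISO-8601 UTC timestamp used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def outside_mgmt_nets(src_ip):
    """True when the source address is not inside any allowed management range."""
    addr = ipaddress.ip_address(src_ip)
    return not any(addr in net for net in ALLOWED_MGMT_NETS)


def off_hours(ts):
    """True on weekends or outside the business-hours window (UTC)."""
    start, end = BUSINESS_HOURS_UTC
    return ts.weekday() >= 5 or not (start <= ts.hour < end)


def triage(records):
    """Return one finding per record that trips at least one alert condition."""
    findings = []
    for rec in records:
        ts = parse_time(rec["time"])
        reasons = []
        is_config_change = (rec["module"] in ("template", "policy")
                            and rec["action"] in ("create", "update", "delete"))
        if is_config_change and rec["user"] not in APPROVED_CHANGE_OPERATORS:
            reasons.append("configuration change by unapproved operator")
        if rec["module"] == "user" and rec["action"] == "create":
            reasons.append("user account created (review group membership)")
        if outside_mgmt_nets(rec["src_ip"]):
            reasons.append(f"access from {rec['src_ip']} outside management ranges")
        if off_hours(ts):
            reasons.append("off-hours access to management interface")
        if reasons:
            findings.append({"time": rec["time"], "user": rec["user"],
                             "src_ip": rec["src_ip"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_AUDIT_LOG):
        print(f["time"], f["user"], f["src_ip"], "; ".join(f["reasons"]))
```

Two of the four constructed records produce findings, and both carry multiple reasons; in a real SIEM rule the number of independent reasons on one record is a reasonable severity signal, since an account creation that is also off-hours and also from an unknown address is a very different event from a lone off-hours login by a known operator.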
Monitor for Indicators of Compromise
Given that this is an active zero-day with no patch, organizations should assume the possibility of compromise and actively hunt for:
| Indicator | What to Look For |
|---|---|
| Unexpected admin accounts | Review vManage > Administration > Manage Users |
| Configuration drift | Compare current SD-WAN templates against last-known-good baseline |
| Anomalous API activity | Review API audit logs for high-volume or unusual endpoint calls |
| New VPN tunnel configurations | Unauthorized VPN tunnels added to branch sites |
| Changes to routing policies | Modified vSmart policies or data plane templates |
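Several of the indicators in this table (unexpected admin accounts, configuration drift, new tunnels, modified policies) are found by comparing current state against a last-known-good baseline rather than by watching an event stream. The following added example (not code from the original report or from Cisco) shows that comparison over two constructed template snapshots and a constructed admin-account list; the template representation (name mapped to a tunnel list and a policy name) is a simplified assumption, not the real SD-WAN Manager template format.

```python
"""Baseline comparison for the indicators above: configuration drift in
SD-WAN templates and unexpected administrator accounts.

Added example, not code from the original report or from Cisco. The template
representation (name -> {"tunnels": [...], "policy": "..."}) is a simplified
assumption; both snapshots and the user lists are constructed.
"""
import hashlib
import json

# Constructed last-known-good baseline, captured before the exposure window.
BASELINE_TEMPLATES = {
    "branch-wan-edge": {"tunnels": ["ge0/0"], "policy": "corp-default"},
    "hq-hub": {"tunnels": ["ge0/0", "ge0/1"], "policy": "hub-default"},
}
# Constructed current snapshot: a new tunnel on a branch, a swapped hub policy,
# and a template nobody remembers creating.
CURRENT_TEMPLATES = {
    "branch-wan-edge": {"tunnels": ["ge0/0", "ge0/2"], "policy": "corp-default"},
    "hq-hub": {"tunnels": ["ge0/0", "ge0/1"], "policy": "hub-redirect"},
    "svc-maint": {"tunnels": ["ge0/3"], "policy": "permit-any"},
}
# Constructed account lists (assumed approved set vs. what the manager reports).
APPROVED_ADMINS = {"admin", "netops"}
CURRENT_ADMINS = ["admin", "netops", "svc_backup"]


def fingerprint(cfg):
    """Stable digest of a template; baselines can be stored as digests only."""
    return hashlib.sha256(json.dumps(cfg, sort_keys=True).encode()).hexdigest()


def diff_templates(baseline, current):
    """Report templates added, removed, or modified relative to the baseline."""
    report = {"added": [], "removed": [], "modified": {}}
    for name in sorted(set(baseline) | set(current)):
        if name not in baseline:
            report["added"].append(name)
        elif name not in current:
            report["removed"].append(name)
        elif fingerprint(baseline[name]) != fingerprint(current[name]):
            old, new = baseline[name], current[name]
            changes = {}
            # New tunnel interfaces are called out separately: an unexplained
            # tunnel on a branch is the indicator the table above lists.
            new_tunnels = sorted(set(new.get("tunnels", [])) - set(old.get("tunnels", [])))
            if new_tunnels:
                changes["new_tunnels"] = new_tunnels
            if old.get("policy") != new.get("policy"):
                changes["policy"] = (old.get("policy"), new.get("policy"))
            report["modified"][name] = changes
    return report


def unexpected_admins(current, approved):
    """Accounts present on the manager that are not in the approved set."""
    return sorted(set(current) - set(approved))


if __name__ == "__main__":
    print(json.dumps(diff_templates(BASELINE_TEMPLATES, CURRENT_TEMPLATES), indent=2))
    print("unexpected admins:", unexpected_admins(CURRENT_ADMINS, APPROVED_ADMINS))
```

The value of the digest is that the baseline can be captured and stored off the manager itself (for example, in the SIEM or a change-management repository) before any suspected compromise, so the comparison does not rely on the integrity of the device under investigation.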
The Broader Enterprise Impact
Cisco SD-WAN is deployed in tens of thousands of enterprise networks globally, particularly in organizations that have undertaken SD-WAN migrations to replace MPLS with broadband-based WAN architectures. The concentration of seven zero-days in a single product family within a calendar year is, by any measure, extraordinary.
Security teams should escalate this advisory to executive leadership and the board as a material risk. The combination of:
- Active exploitation with no available patch
- Six prior zero-days establishing a well-worn attack pattern
- The management plane's privileged position over all enterprise WAN traffic
...means that unprotected Cisco SD-WAN deployments represent a critical exposure requiring immediate compensating controls and heightened monitoring.
Cisco's Advisory Process
Cisco typically publishes security advisories and patched software releases through its Security Advisory portal. Organizations should:
- Subscribe to Cisco security advisories for SD-WAN products
- Monitor the Cisco Security Advisories page for patch releases
- Apply the patch immediately upon availability — do not wait for a scheduled maintenance window given active exploitation