Urgent Alert: Attackers Targeting Unpatched Cisco SD-WAN Vulnerability

Cisco has issued a warning regarding a newly discovered high-severity vulnerability in its Catalyst SD-WAN Manager, which puts customers at risk as it is currently being exploited by attackers. This vulnerability, identified as CVE-2026-20245, allows authenticated users to escalate their privileges and potentially gain complete control over the enterprise network management system.

The flaw is rated 7.8 on the CVSS scale, which indicates a high level of severity but does not reach critical status. This is primarily because the vulnerability requires local access and administrative privileges, which can be obtained through stolen credentials or by exploiting previous authentication bypass flaws that Cisco has recently patched.

Cisco’s security team, Cisco Talos, has been monitoring an associated cyberespionage threat actor tracked as UAT-8616, which is known for exploiting other vulnerabilities in the same environment. It is uncertain whether this group is using the newly discovered flaw. Mandiant, a division of Google focusing on incident response, brought the issue to Cisco’s attention.

Cisco’s advisory states that the vulnerability stems from insufficient validation of user inputs. An attacker could exploit it by uploading malicious files that enable command injection and privilege escalation.

As of now, there isn’t a patch available to fix the flaw. Cisco recommends that users move to the most recent version of the software to mitigate risks from previous exploits. However, they also advise checking configurations on edge devices, as exploitation could lead to unwanted changes.

For those managing SD-WAN deployments, it’s crucial to save log files before any upgrades. Cisco has provided indicators of compromise that should be monitored in system logs. If these indicators are found, users are encouraged to reach out to the Cisco Technical Assistance Center for guidance on remediation.

For more detailed information, refer to Cisco’s official advisory.
