Cisco Warns of Active Exploitation of Catalyst SD-WAN Flaw With No Patch Available

Cisco’s Catalyst SD‑WAN Manager sits at the heart of modern wide‑area network orchestration, directing traffic between branch offices, data centers, and cloud environments. The newly disclosed CVE‑2026‑20245 exploits a flaw in the command‑line interface that fails to validate user‑supplied file arguments, granting authenticated netadmin users the ability to run arbitrary OS commands with root privileges. By chaining this weakness with two earlier CVEs, threat actors can bypass the netadmin prerequisite altogether, turning a privileged‑only bug into a broader attack vector.

The ramifications extend far beyond a single organization. Managed service providers and telecom carriers that use Cisco’s SD‑WAN platform to control multiple customer sites face a potential cross‑tenant breach, where a single compromised manager could rewrite configurations on thousands of downstream edge devices. Such a scenario threatens traffic integrity, enables covert data exfiltration, and could be leveraged to launch ransomware or espionage campaigns at scale. The active‑exploitation status underscores the urgency for security teams to treat the management plane as a critical asset and to reassess existing segmentation and monitoring controls.

In the absence of an official patch, Cisco’s interim guidance emphasizes a defense‑in‑depth approach: audit and prune netadmin accounts, enforce multi‑factor authentication, and lock down file‑upload capabilities to the minimum required. Continuous log monitoring for anomalous CLI activity, network segmentation of the management interface, and rapid configuration audits of edge devices are essential to detect and contain any malicious changes. Enterprises should also maintain a vigilant patch‑management pipeline, ensuring that once Cisco releases a fix, it is deployed without delay to mitigate this high‑impact threat.