Critical Cisco Catalyst SD-WAN Manager Vulnerability (CVE-2026-20245) Actively Exploited as Zero-Day

A high-severity command injection flaw (CVE-2026-20245) in Cisco Catalyst SD-WAN Manager has been actively exploited as a zero-day for months. Attackers are using a crafted file to run root commands, affecting both on-premises and Cisco-managed cloud deployments. CISA has added this vulnerability to its Known Exploited Vulnerabilities catalog, urging organizations to patch immediately.

Context

CVE-2026-20245 is a command injection flaw that has been identified in Cisco's SD-WAN Manager, affecting both on-premises and cloud environments. The vulnerability has been actively exploited for several months, prompting concern from cybersecurity authorities. The Cybersecurity and Infrastructure Security Agency (CISA) has included it in its Known Exploited Vulnerabilities catalog, emphasizing its severity.

Why it matters

The exploitation of the CVE-2026-20245 vulnerability poses significant risks to organizations using Cisco Catalyst SD-WAN Manager. If left unaddressed, it could lead to unauthorized access and control over critical network resources. This situation highlights the importance of timely software updates and vulnerability management in cybersecurity.

Implications

The active exploitation of this vulnerability could lead to data breaches and operational disruptions for affected organizations. Businesses relying on Cisco's SD-WAN technology may face increased scrutiny from regulators and customers regarding their cybersecurity practices. Additionally, this incident may prompt a broader discussion on the need for robust security measures in network management solutions.

What to watch

Organizations using Cisco Catalyst SD-WAN Manager should prioritize applying the recommended patches to mitigate the risk of exploitation. Monitoring for unusual network activity may also be crucial in identifying potential breaches. Future updates from Cisco and CISA will be important to track as the situation evolves.