Last updated: July 5, 2026 at 9:01 AM UTC
Tag: sd-wan (3 articles)

Cisco patches exploited SD-WAN Manager flaw that gives root access

Cisco has patched a flaw in Catalyst SD-WAN Manager (formerly vManage), the console used to manage thousands of SD-WAN devices, that attackers were already exploiting as a zero-day to gain root. The bug (CVE-2026-20262) stems from weak validation of file uploads in the web interface, letting an authenticated low-privilege remote attacker create or overwrite any file on the system by sending crafted HTTP requests, and from there run commands as root. It affects every deployment type, including on-premises, Cisco-managed cloud, and the FedRAMP government edition, regardless of configuration. It is the latest in a run of exploited Cisco SD-WAN Manager zero-days this year.

Check
Identify Catalyst SD-WAN Manager instances and versions, and before upgrading run the request admin-tech command on each control component to preserve evidence, then review file-upload and web UI logs.
Affected
Cisco Catalyst SD-WAN Manager (formerly vManage) across all deployment types, including on-premises, Cloud-Pro, Cisco-managed cloud, and the FedRAMP government edition (CVE-2026-20262), regardless of device configuration.
Fix
Upgrade to the fixed Catalyst SD-WAN Manager release now, restrict management-interface access to trusted administrators and networks, and audit for unauthorized files or configuration changes pushed to edge devices.

Cisco SD-WAN Manager zero-day exploited to gain root, no patch yet

Cisco has warned of an actively exploited, unpatched zero-day in Cisco Catalyst SD-WAN Manager (CVE-2026-20245) that enables root privilege escalation across all deployment types, including on-prem, Cloud, Managed, and FedRAMP Government. The flaw stems from insufficient validation of user-supplied input: an attacker who uploads a crafted file can perform command injection and run arbitrary commands as root. Exploitation requires netadmin privileges - obtained via valid credentials or by chaining CVE-2026-20182 or CVE-2026-20127. Mandiant reported the activity to Cisco's PSIRT in June. Cisco has observed limited cases where exploitation pushed configuration changes to edge devices, and published IoCs pointing to suspicious tenant-list uploads in scripts.log.

Check
Inventory Cisco Catalyst SD-WAN Manager instances (all deployment types). Check /var/log/scripts.log for suspicious tenant-list uploads per Cisco's IoCs. Verify netadmin accounts and confirm CVE-2026-20182/20127 are patched.
Affected
All Cisco Catalyst SD-WAN Manager deployments (on-prem, Cloud, Managed, FedRAMP). Root-level command injection via crafted file upload; requires netadmin privileges, obtainable by chaining CVE-2026-20182 or CVE-2026-20127. No patch yet.
Fix
No patch available. Restrict netadmin access, enforce strong credentials and MFA, and patch the chainable CVE-2026-20182/20127. Apply Cisco IoCs and monitor scripts.log and edge-device config changes.

Cisco Catalyst SD-WAN Manager flaw added to CISA KEV with 4-day federal patch deadline - actively exploited (CVE-2026-20133)

CISA added a Cisco Catalyst SD-WAN Manager information disclosure flaw to its Known Exploited Vulnerabilities catalog on Monday, ordering federal agencies to patch by Friday, April 24 - an unusually aggressive 4-day deadline that reflects confirmed active exploitation. CVE-2026-20133 is an unauthenticated remote flaw in the SD-WAN Manager (formerly vManage) API, caused by insufficient file system access restrictions. An attacker can access the API and read sensitive information from the underlying operating system - including credentials that enable follow-on attacks. Cisco patched it in late February alongside two other SD-WAN Manager flaws (CVE-2026-20128 and CVE-2026-20122, both also added to KEV this week and confirmed exploited in the wild). Catalyst SD-WAN Manager is used to centrally manage up to 6,000 SD-WAN devices from one dashboard, making it a high-value target. Oddly, Cisco's PSIRT still says it has no evidence of public exploitation - contradicting CISA. CISA is treating its own intelligence as authoritative and has issued Emergency Directive 26-03 plus a Hunt & Hardening Guide for Cisco SD-WAN. Over the past several years CISA has tagged 91 Cisco vulnerabilities as exploited in the wild, six of them used by ransomware operations.

Check
If you run Cisco Catalyst SD-WAN Manager (or the old vManage), patch today. CISA's 4-day federal deadline is the clearest signal yet that exploitation is widespread.
Affected
Cisco Catalyst SD-WAN Manager (formerly vManage) running versions prior to the February 2026 security update. Three CVEs are in play: CVE-2026-20133 (unauthenticated information disclosure, just added to KEV), CVE-2026-20128 (recoverable password storage), and CVE-2026-20122 (incorrect privileged API use). All three are confirmed exploited in the wild.
Fix
Apply Cisco's February 2026 security update for Catalyst SD-WAN Manager, which fixes all three CVEs. If patching is delayed beyond April 24, follow CISA's Hunt & Hardening Guidance for Cisco SD-WAN Devices - restrict API access to trusted admin IPs only and review API access logs for unusual file-system-related requests over the past 60 days. Rotate any credentials stored on the SD-WAN Manager, as CVE-2026-20128 exposes them in recoverable format.