Cisco SD-WAN Manager Root Command Execution (CVE-2026-20245): Actively Exploited Vulnerability in Network Management Platform

A critical vulnerability in Cisco SD-WAN Manager, tracked as CVE-2026-20245, allows attackers to execute arbitrary commands as root on affected instances. Cisco has confirmed active exploitation in the wild. Cisco SD-WAN Manager is the centralised network management and orchestration platform for software-defined wide area network deployments, managing routing, security, and connectivity for branch offices and remote sites across entire organisations.

What Is the Vulnerability?

CVE-2026-20245 is a command injection vulnerability in Cisco SD-WAN Manager (formerly Cisco SD-WAN vManage). It allows a remote, unauthenticated attacker to execute arbitrary operating system commands with root privileges on the SD-WAN Manager server. Root-level command execution on the central management platform gives the attacker full control over the SD-WAN fabric.

Cisco SD-WAN Manager is the single point of configuration and policy management for all SD-WAN edge devices in an organisation’s deployment. From this platform, administrators define routing policies, VPN configurations, security policies, firewall rules, and quality-of-service settings that are pushed to every managed SD-WAN router across all sites. A root-compromised SD-WAN Manager gives an attacker the ability to:

  • Reconfigure routing to redirect or intercept traffic across all managed branch offices and remote sites
  • Modify or disable security policies, including firewall rules and intrusion prevention
  • Manipulate VPN tunnels to gain unauthorised access to branch networks
  • Deploy malicious configurations to all managed SD-WAN edge devices simultaneously
  • Access all managed device credentials and network topology information

Key facts:

  • CVSS v3.1 Score: 9.8 (Critical; estimated, confirm against the Cisco advisory)
  • Attack Vector: Network
  • Privileges Required: None (unauthenticated)
  • Status: Actively exploited in the wild

Which Versions Are Affected?

Cisco SD-WAN Manager — specific affected versions are detailed in the Cisco security advisory. Administrators should consult the advisory for the exact fixed software versions for their release train.

Is It Being Exploited in the Wild?

Yes — Cisco has confirmed active exploitation. This is not a theoretical risk. Attackers are actively targeting Cisco SD-WAN Manager instances. Cisco SD-WAN is deployed across enterprise, retail, financial services, government, and healthcare environments globally — the attack surface is large and the impact of compromise is organisation-wide.

What Is the Fix?

Cisco has released software updates addressing CVE-2026-20245. Apply the patched SD-WAN Manager version immediately. The Cisco advisory provides specific fixed versions for each release train. After updating, verify that the installed version matches a fixed release, then audit SD-WAN Manager administrative logs for unauthorised configuration changes, unexpected administrative user creation, and unusual command execution, concentrating on the window during which the instance was reachable while unpatched.
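The post-patch log audit described above, as an added example that is not code from Cisco or from the original page. It triages an audit-log export for the three signals the paragraph names (account creation, configuration pushes, shell or command activity) plus actions by accounts that are not on an approved roster, restricted to an exploitation window. The roster, the window and the five log entries are constructed, and the field names (`entry_time` in epoch milliseconds, `loguser`, `logfeature`, `logmessage`) are an assumption about the shape of an audit-log export; map them to whatever fields your export actually carries.

```python
"""Triage SD-WAN Manager audit-log entries after patching CVE-2026-20245.

Added example, not Cisco's code. The entries are constructed, and the field
names (entry_time in epoch milliseconds, loguser, logfeature, logmessage) are
an assumption about the shape of an audit-log export.
"""
import json
import re
from datetime import datetime, timezone

# Assumed roster of approved administrative accounts.
APPROVED_ADMINS = {"admin", "netops-jsmith"}

# Assumed exploitation window: from the last time the instance was known to
# be clean while unpatched until the fixed release was applied.
WINDOW_START = datetime.fromtimestamp(1_779_900_000, tz=timezone.utc)
WINDOW_END = datetime.fromtimestamp(1_780_100_000, tz=timezone.utc)

# Message patterns that merit review after an unauthenticated root-exec bug.
ACCOUNT_CHANGE = re.compile(r"\buser\b.*\b(created|added|password)\b", re.I)
CONFIG_PUSH = re.compile(r"\b(template|policy)\b.*\b(push|attach|activat|deploy)", re.I)
SHELL_ACTIVITY = re.compile(r"\b(vshell|command executed|shell)\b", re.I)

# Constructed sample export: four entries inside the window, one before it.
SAMPLE_AUDIT_LOG = json.loads("""[
 {"entry_time": 1780000000000, "loguser": "admin", "logfeature": "template",
  "logmessage": "Template push to 10 devices"},
 {"entry_time": 1780003600000, "loguser": "admin", "logfeature": "user",
  "logmessage": "User svc-backup created with group netadmin"},
 {"entry_time": 1780007200000, "loguser": "svc-backup", "logfeature": "ssh",
  "logmessage": "vshell session opened from 198.51.100.7"},
 {"entry_time": 1780010800000, "loguser": "netops-jsmith", "logfeature": "login",
  "logmessage": "Login succeeded"},
 {"entry_time": 1779000000000, "loguser": "netops-jsmith", "logfeature": "template",
  "logmessage": "Template push to 3 devices"}
]""")


def to_datetime(epoch_ms):
    """Convert an epoch-millisecond timestamp to an aware UTC datetime."""
    return datetime.fromtimestamp(epoch_ms / 1000, tz=timezone.utc)


def triage(entries, window_start, window_end, approved=APPROVED_ADMINS):
    """Return (kind, user, message) findings for entries inside the window.

    Kinds: unknown-actor (user not on the approved roster), account-change,
    config-push and shell-activity. One entry can raise several findings.
    """
    findings = []
    for entry in entries:
        when = to_datetime(entry["entry_time"])
        if not window_start <= when <= window_end:
            continue
        user = entry.get("loguser", "")
        msg = entry.get("logmessage", "")
        if user not in approved:
            findings.append(("unknown-actor", user, msg))
        if ACCOUNT_CHANGE.search(msg):
            findings.append(("account-change", user, msg))
        if CONFIG_PUSH.search(msg):
            findings.append(("config-push", user, msg))
        if SHELL_ACTIVITY.search(msg):
            findings.append(("shell-activity", user, msg))
    return findings


def run_sample():
    """Triage the constructed sample export."""
    return triage(SAMPLE_AUDIT_LOG, WINDOW_START, WINDOW_END)


if __name__ == "__main__":
    for kind, user, msg in run_sample():
        print(f"{kind:15} {user:15} {msg}")
```

On the constructed data the script flags the template push, the creation of `svc-backup`, and then that same new account opening a shell, which is the chain a responder wants to see stitched together: an account the roster does not know about, created inside the window, immediately used for interactive access. Treat the regexes as a starting point and extend them with the message wording your own export uses.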

Recommendations

Patch today. Confirmed active exploitation plus root-level command execution on a central network management platform is an emergency-patch scenario with no room for delay.

Verify SD-WAN Manager is not internet-facing. The management interface for SD-WAN infrastructure should never be accessible from the internet or untrusted networks. Verify access control lists restrict management access to authorised administrative networks only.

Audit managed device configurations. After patching, compare the current configuration of all managed SD-WAN edge devices against known-good baseline configurations. Look for unauthorised routing changes, new VPN tunnels, modified security policies, or unexpected administrative accounts.
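The baseline comparison described above, as an added example that is not code from Cisco or from the original page. It flattens two edge-device configurations into stanza paths, diffs them, and sorts each change into the categories the paragraph lists (accounts, tunnels, routing, policy). Both configurations are constructed in the indented, `!`-terminated stanza style of an SD-WAN edge running config; the assumed workflow is that the baseline comes from your configuration repository and the current text was pulled from the same device after patching.

```python
# Added example, not Cisco's code: flag configuration drift on a managed edge
# device by diffing its current stanzas against a known-good baseline. Both
# configs are constructed in the indented, '!'-terminated style of an SD-WAN
# edge running config (baseline from a config repository, current pulled after patching).
import re

# Category regexes applied to the flattened stanza path; first match wins.
CATEGORIES = (
    ("accounts", re.compile(r"\b(aaa|user)\b")),
    ("tunnels", re.compile(r"\b(tunnel-interface|ipsec\w*|gre\w*)\b")),
    ("routing", re.compile(r"\b(ip route|bgp|ospf|omp)\b")),
    ("policy", re.compile(r"\b(policy|zone|firewall|access-list)\b")),
)

BASELINE = """\
system
 aaa
  user admin
   password $6$redacted
  !
 !
!
vpn 0
 interface ge0/0
  ip address 203.0.113.10/24
 !
!
vpn 10
 ip route 10.20.0.0/16 10.10.10.1
!
"""

# Same device after patching: a new netadmin user, a new IPsec interface in
# VPN 0 and a changed next hop for the VPN 10 route.
AFTER_PATCH = """\
system
 aaa
  user admin
   password $6$redacted
  !
  user svc-backup
   group netadmin
   password $6$constructed
  !
 !
!
vpn 0
 interface ge0/0
  ip address 203.0.113.10/24
 !
 interface ipsec1
  tunnel-source 203.0.113.10
  tunnel-destination 198.51.100.7
 !
!
vpn 10
 ip route 10.20.0.0/16 192.0.2.99
!
"""


def parse(text):
    """Flatten an indented config into the set of stanza paths it contains."""
    paths, stack = set(), []  # stack holds (indent, line) of enclosing stanzas
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        indent = len(raw) - len(raw.lstrip())
        while stack and stack[-1][0] >= indent:
            stack.pop()
        stack.append((indent, line))
        paths.add(tuple(entry for _, entry in stack))
    return paths


def classify(path):
    """Map a stanza path to the review category a responder cares about."""
    flat = " ".join(path).lower()
    return next((name for name, pat in CATEGORIES if pat.search(flat)), "other")


def drift(baseline_text, current_text):
    """Return (change, category, path) findings for added/removed stanzas.

    Only the outermost changed stanza is reported: a whole new user or
    interface block becomes one finding rather than one per child line.
    """
    base, cur = parse(baseline_text), parse(current_text)
    findings = []
    for change, delta in (("added", cur - base), ("removed", base - cur)):
        for path in sorted(delta):
            if path[:-1] not in delta:
                findings.append((change, classify(path), " / ".join(path)))
    return findings


def run_sample():
    """Drift report for the constructed device."""
    return drift(BASELINE, AFTER_PATCH)
```

Run against a real fleet, the loop is the same per device: pull the current configuration, diff it against the committed baseline, and review anything that lands in the accounts, tunnels, routing or policy buckets first, since those are exactly the changes an attacker with root on the Manager would push. A modified line shows up as one removal plus one addition, which keeps the old and new values side by side in the report.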

Rotate credentials. If exploitation is suspected or your SD-WAN Manager was unpatched during the exploitation window, rotate all credentials accessible from the platform: SD-WAN Manager admin accounts, edge device credentials, VPN pre-shared keys, and any API tokens or integration credentials.

References

This advisory was first covered in the broader Vulnerability Intelligence Report — June 5, 2026.
