TP-EXP-2026-0318 | CVE-2026-20245 | High | Patched | AI Draft

Cisco Catalyst SD-WAN Command Injection Privilege Escalation (CVE-2026-20245)

CVE: CVE-2026-20245
Platform: Cisco Catalyst SD-WAN Manager
Type: Command Injection
Severity: High
Status: Patched
Zero-Day: Confirmed
Disclosed: June 4, 2026
Patched: June 4, 2026
CISA KEV: Listed

Severity Assessment

  • Exploitability: 6/10 — Exploitation requires authenticated local access with netadmin privileges, but Cisco states the attack complexity is low once that prerequisite is met.
  • Impact: 9/10 — Successful exploitation can execute arbitrary commands as root on affected SD-WAN control components.
  • Weaponization Risk: 7/10 — Cisco reports exploitation in June 2026 and observed limited cases where exploitation pushed a configuration change to edge devices.
  • Patch Urgency: 9/10 — CISA added the vulnerability to KEV on 2026-06-09 with a 2026-06-23 required action deadline, and Cisco states that no workaround addresses the vulnerability.
  • Detection Coverage: 6/10 — Cisco provides log-based indicators in scripts.log, but the advisory notes that the relevant commands can also appear during legitimate operations.

Summary

CVE-2026-20245 is an authenticated command injection vulnerability in Cisco Catalyst SD-WAN control-plane software. Cisco’s advisory covers Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart; Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage; and Cisco Catalyst SD-WAN Validator, formerly SD-WAN vBond. CISA’s KEV entry names Cisco Catalyst SD-WAN Manager as the affected product.

The flaw is in the CLI path and is caused by insufficient validation of user-supplied input. Cisco states that an authenticated local attacker can exploit the vulnerability by uploading a crafted file to an affected system, executing arbitrary commands as root, and escalating privileges. NVD scores the vulnerability as CVSS 3.1 7.8 high with local attack vector, low attack complexity, low privileges required, and no user interaction.

Cisco says exploitation requires netadmin privileges on the affected system. That prerequisite can be met with valid credentials or through exploitation of CVE-2026-20182 or CVE-2026-20127. Cisco also states it is not aware of successful exploitation by other methods. CISA added CVE-2026-20245 to the Known Exploited Vulnerabilities catalog on 2026-06-09.

Exploit Chain

Stage 1: Obtain netadmin-level access

The attacker needs netadmin privileges on an affected Cisco Catalyst SD-WAN control component. Cisco identifies valid credentials, CVE-2026-20182, and CVE-2026-20127 as paths that can satisfy this prerequisite. Public sources reviewed for this entry do not identify a specific credential-theft method or actor.

Stage 2: Upload a crafted file

The attacker supplies a crafted file to the affected system through the vulnerable CLI workflow. Cisco attributes the bug to insufficient validation of user-supplied input, and CISA maps the vulnerability to CWE-116.

Stage 3: Inject commands and escalate to root

The vulnerable component processes the crafted file in a way that permits command injection. Successful exploitation allows attackers to execute commands as the root user on the affected system. Cisco reports limited observed cases where exploitation resulted in a configuration change pushed to edge devices.

Detection Guidance

  1. Identify Cisco Catalyst SD-WAN Controller, Manager, and Validator deployments and compare installed releases with Cisco’s fixed software guidance.
  2. Preserve evidence before upgrading by collecting admin-tech output from each control component, as Cisco recommends.
  3. Review /var/log/scripts.log on Cisco Catalyst SD-WAN Manager systems for file-upload script activity involving tenant lists, vSmart serial numbers, or chassis-number upload workflows.
  4. Treat the Cisco-provided log examples as leads, not standalone proof, because Cisco notes that the same commands can occur during standard operations.
  5. Verify edge-device configurations after upgrade, especially if logs show suspicious upload activity or unexpected changes near exploitation windows.
  6. If logs indicate compromise, follow Cisco TAC remediation guidance; Cisco states that applying the software update alone may not resolve an already compromised system.

Indicators of Compromise

Cisco’s advisory identifies log patterns that defenders should assess against normal operations. The following behaviors are investigation leads:

  • scripts.log entries for tenant-list upload scripts using unexpected file names or paths.
  • scripts.log entries for vSmart serial-number upload workflows from unplanned administrative sessions.
  • scripts.log entries for chassis-number upload workflows that do not match expected change windows.
  • Unexpected configuration changes pushed from Cisco Catalyst SD-WAN control components to edge devices.
  • Netadmin activity on SD-WAN control components from accounts, hosts, or times that do not match authorized administrative behavior.
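Steps 3 and 4 of the detection guidance and the scripts.log indicators above describe one triage problem: upload-workflow entries are legitimate in normal operation, so each hit has to be weighed against a site baseline (approved accounts, change windows, expected file paths). The script below is an added example, not Cisco tooling; the log field layout, baseline values and sample lines are constructed assumptions, and only the tenant-list, vSmart serial-number and chassis-number keywords come from the advisory.

```python
import re
from datetime import datetime, time

# Constructed scripts.log sample. Field layout (timestamp, account, script,
# argument) is an ASSUMED placeholder, not Cisco's real format; only the
# upload-workflow keywords come from the advisory. Line 3 conforms to baseline.
SAMPLE_LOG = """\
2026-06-05T02:13:44 admin upload_tenant_list.sh /tmp/.x/tl.csv
2026-06-06T03:41:09 svc-backup upload_chassis_numbers.sh /tmp/chassis.csv
2026-06-05T10:05:12 netops upload_vsmart_serial.sh /home/netops/serials.viptela
2026-06-06T11:00:00 netops show_system_status.sh
"""

# Keywords the advisory ties to the vulnerable upload workflows.
UPLOAD_PATTERNS = re.compile(r"tenant[_-]?list|vsmart[_-]?serial|chassis[_-]?number", re.I)

# Site baseline (assumed values): approved upload accounts, local change window, staging dir.
EXPECTED_ACCOUNTS = {"netops"}
CHANGE_WINDOW = (time(9, 0), time(17, 0))
EXPECTED_UPLOAD_DIR = "/home/"

def parse_line(line):
    """Split one constructed log line into its fields (argument optional)."""
    parts = line.split(maxsplit=3)
    if len(parts) < 3:
        return None
    return {"ts": datetime.fromisoformat(parts[0]), "user": parts[1],
            "script": parts[2], "arg": parts[3] if len(parts) == 4 else ""}

def triage(line):
    """Return why an upload-workflow entry deviates from baseline ([] if it
    does not, or is not an upload). Upload entries alone are not proof: Cisco
    notes the same commands occur during normal operations."""
    rec = parse_line(line)
    if rec is None or not UPLOAD_PATTERNS.search(rec["script"] + " " + rec["arg"]):
        return []
    reasons = []
    if rec["user"] not in EXPECTED_ACCOUNTS:
        reasons.append("account not in netadmin baseline")
    if not CHANGE_WINDOW[0] <= rec["ts"].time() <= CHANGE_WINDOW[1]:
        reasons.append("outside change window")
    if rec["arg"] and (not rec["arg"].startswith(EXPECTED_UPLOAD_DIR) or "/." in rec["arg"]):
        reasons.append("unexpected upload path or hidden file")
    return reasons

def suspicious_entries(log_text):
    """Map each deviating line to its reasons; conforming lines are dropped."""
    return {ln: r for ln in log_text.splitlines() if (r := triage(ln))}
```

Run against the constructed sample, two of the three upload entries are flagged with their reasons and the in-window netops upload is dropped; the output is a lead list for analyst review, not a verdict.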

Disclosure Timeline

  • 2026-06-04: Cisco advisory published. Cisco published advisory cisco-sa-sdwan-privesc-4uxFrdzx for CVE-2026-20245 with a CVSS 3.1 score of 7.8 (high).
  • 2026-06-04: NVD publication. NVD published CVE-2026-20245, describing authenticated local command injection and privilege escalation to root.
  • 2026-06-09: Cisco advisory updated. Cisco updated the advisory to version 1.4, including affected-product and fixed-release updates.
  • 2026-06-09: CISA KEV addition. CISA added CVE-2026-20245 to the Known Exploited Vulnerabilities catalog.
  • 2026-06-23: CISA remediation deadline. CISA lists 2026-06-23 as the required action deadline for applicable federal civilian executive branch systems.

Sources & References