Cisco warns of unpatched SD-WAN zero-day exploited in attacks

Cisco Catalyst SD-WAN Manager has an unpatched zero-day (CVE-2026-20245) being actively exploited to gain root access. Local attackers with netadmin privileges can bypass input validation and execute arbitrary commands, leading to unauthorized configuration changes on edge devices. Any organization running vulnerable SD-WAN Manager instances is at immediate risk.

CRITICALAdvisoryJun 06, 2026

Action required

Immediately inventory all Cisco Catalyst SD-WAN Manager instances in your environment. Cross-reference against provided IOCs for signs of exploitation. If you cannot patch, isolate affected managers from production networks and restrict netadmin access until a fix is available.

Affected products

CiscoCisco Catalyst SD-WAN ManagerCisco SD-WAN Cloud-ProCisco SD-WAN for GovernmentGoogle Cloud (Mandiant)

CVE IDs

CVE-2026-20245

Linked articles

Cisco warns of unpatched SD-WAN zero-day exploited in attacks

Source links

https://www.bleepingcomputer.com/news/security/new-cisco-sd-wan-flaw-exploited-in-zero-day-attacks-to-gain-root/