Lead Analysis
Security & Risk · 5 min

Cisco Confirms Seventh Zero-Day in SD-WAN in 2026 Actively Exploited, No Fix Available

Network operations center at night with red alert dashboards and Cisco SD-WAN hardware on a curved desk

CVE-2026-20245, CVSS 7.8, affects every deployment model of the Catalyst SD-WAN Manager and has no patch available. Google Mandiant researchers reported the vulnerability, which was already being exploited before Cisco's advisory of June 4.

Seventh Zero-Day in Five Months on the Same Product


On June 5, Cisco confirmed that the Catalyst SD-WAN Manager is being actively exploited through CVE-2026-20245, a privilege escalation to root that currently has no fix. It is the seventh zero-day exploited in the same product in 2026, a count SecurityWeek highlighted to put the alert in context. Cisco published the advisory on June 4; specialized coverage followed the next day. The discovery was reported by three Google Mandiant researchers, Chester Sng, Pete Boonyakarn, and Logeswaran Nadarajan, all credited in Cisco's official advisory.


Cisco has observed a limited number of exploitation attempts that resulted in configuration changes being propagated to edge devices. That detail matters: the attackers did not stop at escalating privileges on the Manager itself but used root access to alter the downstream network, pushing configurations to the very edge devices the compromised system manages.


Technique and Exploitation Chain


CVE-2026-20245 carries a CVSS score of 7.8 and resides in the command-line interface (CLI) of the Catalyst SD-WAN Manager. The root cause is insufficient validation of user-supplied input: an attacker who already holds netadmin privileges can upload a specially crafted file and execute arbitrary commands as root. Because the attack vector is local and authenticated, the flaw would ordinarily rank as a contained, lower-priority issue despite its High score.


The context changes that calculation. CVE-2026-20182, exploited as a zero-day in May 2026, and CVE-2026-20127, used since 2023 by an actor Cisco describes as "highly sophisticated", give a remote attacker the path to the netadmin credentials the new bug requires. Together the three CVEs form an escalation chain that starts with unauthenticated remote access and ends with root on the system that manages the entire SD-WAN fabric. Cisco confirmed that CVE-2026-20245 affects every deployment model: on-premises, Cloud-Pro, Cisco Managed Cloud, and Government (FedRAMP). There is no patch and no workaround.


Why Seven Zero-Days on the Same Product is Different from Seven Isolated Incidents


Recurrence is a different signal from any single incident. Seven zero-days in the Catalyst SD-WAN Manager in under five months point to a systematically underestimated attack surface, and they undercut any vulnerability management cycle built around a fixed cadence: no monthly patch regime, however disciplined, can close a zero-day that is being exploited before a fix exists. The question security leaders must answer is not when the patch will arrive but how many actors will have established persistence before it does.


For teams running the Catalyst SD-WAN Manager, Cisco recommends monitoring logs for the indicators of compromise (IOCs) disclosed in the advisory. Further surface reduction includes isolating the SD-WAN Manager from the general management network and removing netadmin accounts that are not strictly needed; none of these measures eliminates the risk while the access chain formed by CVE-2026-20182 and CVE-2026-20127 remains unmitigated.
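As an added example, not Cisco's code and not the IOCs from the advisory: a small triage script that applies the controls above to a constructed, simplified audit log. It flags netadmin accounts outside an approved list, netadmin activity from outside the management network, and a file upload by a netadmin followed within a short window by a configuration push to edge devices, which is the sequence Cisco reported. The log line format, the management subnet, the account names and the time window are all assumptions for illustration; a real deployment would map them onto the Manager's own audit export.

```python
"""Triage of a (constructed) SD-WAN Manager audit log while CVE-2026-20245 is unpatched."""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta

# --- Assumptions for this example (not taken from the advisory) -------------
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]   # where netadmin logins are legitimate
APPROVED_NETADMINS = {"ops-primary", "ops-backup"}   # accounts allowed to hold netadmin
PUSH_WINDOW = timedelta(minutes=30)                  # upload -> push proximity to correlate
PUSH_ACTIONS = {"template_push", "config_push"}      # actions that alter edge devices

# Hypothetical line format: "<iso-timestamp> <user> <role> <source-ip> <action> <detail>"
SAMPLE_LOG = """
2026-06-03T02:14:07 ops-primary netadmin 10.20.0.15 login ok
2026-06-03T02:20:41 ops-primary netadmin 10.20.0.15 template_push site-lon-01
2026-06-04T23:51:09 svc-backup netadmin 198.51.100.23 login ok
2026-06-04T23:52:30 svc-backup netadmin 198.51.100.23 file_upload bundle.tar.gz
2026-06-04T23:58:02 svc-backup netadmin 198.51.100.23 config_push edge-chn-07,edge-pun-03
2026-06-05T08:05:13 ops-backup netadmin 10.20.0.16 login ok
"""


@dataclass
class Event:
    ts: datetime
    user: str
    role: str
    src: str
    action: str
    detail: str


def parse_line(line: str) -> Event:
    """Parse one line of the constructed format; 'detail' may be empty."""
    parts = line.split(maxsplit=5)
    if len(parts) < 5:
        raise ValueError(f"malformed audit line: {line!r}")
    ts, user, role, src, action = parts[:5]
    detail = parts[5] if len(parts) == 6 else ""
    return Event(datetime.fromisoformat(ts), user, role, src, action, detail)


def in_mgmt_net(src: str) -> bool:
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in MGMT_NETS)


def triage(lines):
    """Return a list of (severity, reason, event) findings, oldest first."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.ts)
    findings, seen, last_upload = [], set(), {}

    def note(sev, reason, e, dedupe=True):
        # Account-level findings are reported once per (reason, user, source).
        key = (reason, e.user, e.src)
        if dedupe and key in seen:
            return
        seen.add(key)
        findings.append((sev, reason, e))

    for e in events:
        if e.role == "netadmin":
            if e.user not in APPROVED_NETADMINS:
                note("high", "unapproved netadmin account", e)
            if not in_mgmt_net(e.src):
                note("high", "netadmin activity from outside management network", e)
            if e.action == "file_upload":
                last_upload[e.user] = e.ts
        if e.action in PUSH_ACTIONS:
            uploaded = last_upload.get(e.user)
            if uploaded is not None and e.ts - uploaded <= PUSH_WINDOW:
                # Upload then push to edges: the pattern Cisco observed in the wild.
                note("critical", "file upload followed by edge config push", e, dedupe=False)
    return findings


if __name__ == "__main__":
    for sev, reason, e in triage(SAMPLE_LOG.strip().splitlines()):
        print(f"[{sev.upper():8}] {e.ts.isoformat()} {e.user}@{e.src} {e.action} {e.detail}: {reason}")
```

On the constructed sample, the approved operators working from the management subnet produce nothing, while svc-backup is reported once for not being an approved netadmin, once for coming from outside the management network, and once, at critical, for the upload-then-push sequence. The dedupe keeps account-level noise down so the chain finding stands out.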


Global Outlook: Delivery Centers in India and Financial Networks in Europe


Cisco's Catalyst SD-WAN is the leading solution in large enterprise networks across multiple geographies. In India's IT service delivery centers, TCS, Infosys, and Wipro operate extensive Cisco SD-WAN networks connecting their centers in Chennai, Pune, and Bangalore to global customers. A malicious configuration injected into one of these delivery hubs, following the pattern Cisco observed, does not stop at the provider: it traverses the VPN tunnels into end-customer environments, turning the compromised Manager into an entry point for an IT supply chain serving hundreds of companies in the U.S., Europe, and Japan.


In Europe, financial and manufacturing companies in the UK, Germany, and the Netherlands lead the adoption of Cisco SD-WAN in large corporate and government deployments. The product's presence in U.S. FedRAMP environments and European financial networks at the same time widens the potential impact radius well beyond what a CVSS 7.8 suggests on its own. For the CISO of a bank or consultancy with offices in the U.S. and the UK and delivery centers in India, CVE-2026-20245 is not a contained local privilege escalation: it is the final link in a chain of three vulnerabilities that begins with unauthenticated remote access and ends with root on the system that controls the entire network.
