Lead Analysis
Security & Risk | 5 min

Cisco Reveals 7th Zero-Day of the Year in SD-WAN Manager with Active Exploitation and No Patch

Network operations center in the early hours, with three engineers monitoring a wall of screens showing red alerts on SD-WAN nodes.

CVE-2026-20245 lets an authenticated netadmin execute commands as root on the Catalyst SD-WAN Manager. Mandiant detected exploitation before the disclosure. Cisco has not yet released a fix.

Cisco disclosed on Friday, June 5, a high-severity zero-day in the Catalyst SD-WAN Manager, tracked as CVE-2026-20245 with a CVSS score of 7.8. The bug allows an attacker who already holds netadmin privileges to upload a malicious file and execute arbitrary commands as root on the appliance host. It is the seventh zero-day in Cisco's SD-WAN products found under active exploitation in 2026.


The discovery came from Mandiant, the Google Cloud cybersecurity subsidiary, which reported the case to Cisco's PSIRT after detecting exploitation in a customer environment. According to the official notice, "a limited number of cases" were observed in which the vulnerability was used to push configuration changes to edge devices. Cisco did not name the affected customers or their sector.


No patch is available. As an interim mitigation, not a fix, the notice recommends upgrading to the release that patched CVE-2026-20182, a previous zero-day disclosed on May 14. Cisco also urges customers to restrict access to the administration interface and to review upload logs for suspicious payloads. For Cisco-managed SaaS deployments, Cisco's own team applied hardening and no customer action is required.
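Cisco's guidance is to restrict the admin interface and review upload logs. What follows is an added example, not from the article and not Cisco's code, of the correlation logic a SOC could apply to that review: flag management-plane uploads that come from outside an admin allowlist or carry an unexpected file type, then escalate when the same account pushes configuration to edge devices shortly afterwards, which is the chain the advisory describes (malicious upload, root execution, config changes to edge devices). The record layout, field names, allowlist, suffix list, account names and device names are all constructed assumptions; the real SD-WAN Manager audit log format is not shown on the page.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List

# Assumption: source networks from which administrative access is expected.
ADMIN_ALLOWLIST = [ip_network("10.20.0.0/16")]
# Assumption: file types that have no business being uploaded to the manager.
SUSPICIOUS_SUFFIXES = (".sh", ".py", ".tar", ".tar.gz", ".tgz", ".zip")
# An upload followed by a push by the same account within this window is one chain.
CHAIN_WINDOW = timedelta(minutes=15)


@dataclass
class AuditEvent:
    ts: datetime
    user: str
    role: str
    src_ip: str
    action: str   # "upload" or "config_push"
    detail: str   # file name for uploads, target device for pushes


def parse_line(line: str) -> AuditEvent:
    """Parse one constructed record: ISO-timestamp|user|role|src_ip|action|detail."""
    ts, user, role, src_ip, action, detail = line.strip().split("|", 5)
    return AuditEvent(datetime.fromisoformat(ts), user, role, src_ip, action, detail)


def from_allowed_network(src_ip: str) -> bool:
    return any(ip_address(src_ip) in net for net in ADMIN_ALLOWLIST)


def analyze(lines: Iterable[str]) -> List[Dict]:
    """Return one finding per upload that carries at least one indicator.

    Indicators: non-allowlisted source, unexpected file type. A configuration
    push by the same account inside CHAIN_WINDOW escalates the finding to
    "high", because that is the post-exploitation step the advisory describes.
    An upload followed by a push with no other indicator is not reported: that
    is the normal template workflow and would only produce noise.
    """
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.ts)
    findings = []
    for up in (e for e in events if e.action == "upload"):
        indicators = []
        if not from_allowed_network(up.src_ip):
            indicators.append(f"upload from non-allowlisted source {up.src_ip}")
        if up.detail.lower().endswith(SUSPICIOUS_SUFFIXES):
            indicators.append(f"unexpected file type: {up.detail}")
        if not indicators:
            continue
        pushes = [e.detail for e in events
                  if e.action == "config_push" and e.user == up.user
                  and up.ts < e.ts <= up.ts + CHAIN_WINDOW]
        findings.append({
            "ts": up.ts.isoformat(),
            "user": up.user,
            "role": up.role,
            "indicators": indicators,
            "pushed_to": pushes,
            "severity": "high" if pushes else "medium",
        })
    return findings


# Constructed sample records (hypothetical format, not Cisco's audit log).
SAMPLE_LOG = """
2026-06-04T02:13:07|svc-msp-ops|netadmin|203.0.113.45|upload|update.tar.gz
2026-06-04T02:17:40|svc-msp-ops|netadmin|203.0.113.45|config_push|edge-br-0412
2026-06-04T02:19:02|svc-msp-ops|netadmin|203.0.113.45|config_push|edge-br-0417
2026-06-04T09:00:00|j.silva|netadmin|10.20.4.17|upload|branch-template.cfg
2026-06-04T09:05:00|j.silva|netadmin|10.20.4.17|config_push|edge-br-0101
""".strip().splitlines()


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f["severity"], f["user"], f["indicators"], f["pushed_to"])
```

On the constructed sample, the outsourced service account uploading an archive from a non-allowlisted address and then pushing to two edge devices within minutes is reported as high; the in-house engineer's template upload followed by a push is not reported at all. The allowlist is the important tunable: in an MSP setting the partner's jump hosts belong on it, so that the check catches a phished credential used from somewhere else rather than the partner's legitimate sessions.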


Why Seven Zero-Days in Six Months


The seven zero-days this year in the SD-WAN Manager are not a statistical anomaly. The product sits at the corporate WAN perimeter, pushes configuration to thousands of branch sites, and is a prime target for initial access in espionage and ransomware campaigns. Whoever controls the SD-WAN Manager holds the keys to the entire customer network.


This week's accelerated disclosure, with no patch available, indicates that Cisco is prioritizing communication to potential victims over an ideal release schedule. The company announced in May a change to its disclosure process: starting in July, it will publish security advisories twice a month, on the first and third Wednesdays, instead of its previous monthly cadence. Cisco's stated rationale is the acceleration of bug discovery by AI-driven automation on both the offensive and defensive sides.


Who is Exposed


CVE-2026-20245 affects the entire Catalyst SD-WAN Manager installed base across on-prem, Cloud-Pro, Cisco Managed Cloud, and FedRAMP deployments. That base includes customers in the financial, healthcare, and government sectors. In January, the U.S. GAO listed Cisco SD-WAN as one of the three most widely used WAN solutions in federal executive agencies. In the UK, the product is in significant use across central government departments under Crown Commercial Service arrangements. In Japan, Cisco reports a presence in most of the megabanks.


The precondition of netadmin privileges may sound restrictive, but in telecom operator and MSP environments that role is routinely held by outsourced engineers. A credential leak or targeted phishing against a partner's operations team removes the barrier. Mandiant has not publicly attributed the observed attacks to any specific actor.


CISA, in a bulletin released on Thursday, recommended treating this as a "zero-day under active exploitation." Federal agencies must immediately disable public access to the admin interface and enable complete logging of configuration changes. CISA has not yet added CVE-2026-20245 to the KEV Catalog, which leaves private-sector organizations free to prioritize it at their own pace. By contrast, the SolarWinds Serv-U denial-of-service bug CVE-2026-28318, also disclosed on the 5th with a CVSS of 7.5, was added to the KEV the same day, with a federal remediation deadline of June 19.


The Message for the CISO Outside the U.S.


For a CISO at a bank in Frankfurt, São Paulo, or Singapore, what matters is the window of exposure between today and Cisco's patch release. Security researchers estimate, based on Shodan scans, that around 1,500 SD-WAN Manager instances are directly exposed to the Internet. None of them should be reachable that way, yet they are.


In the UK, the NCSC issued a parallel alert recommending that operators of critical infrastructure designated under the NIS Regulations 2018 treat CVE-2026-20245 as a top mitigation priority. In Germany, the BSI issued a technical note for federal (Bund) customers. For CIOs in the Brazilian financial sector, who standardized on MPLS and have been transitioning to SD-WAN over the past five years, the operational point is to confirm before the weekend that their outsourced provider is aware of the CVE and has an active mitigation procedure.


Cisco has promised the patch for the next release window, without specifying a date.

Cisco Reveals 7th Zero-Day of the Year in SD-WAN Manager with Active Exploitation and No Patch | The New Times