High (7.8) Actively Exploited

Cisco SD-WAN CLI RCE, actively exploited (CVE-2026-20245) [PoC]

CVE-2026-20245

CVE-2026-20245: Cisco Catalyst SD-WAN CLI command injection lets netadmins escalate to root RCE. Exploited in the wild. Upgrade to fixed software per May 14, 2026 advisory.

Actively exploited in the wild - CVE-2026-20245 is a high-severity command injection vulnerability in Cisco Catalyst SD-WAN Controller, Manager, and Validator that lets an authenticated attacker with netadmin privileges execute arbitrary commands as root. Cisco published fixes on May 14, 2026; upgrade immediately.

Overview

CVE-2026-20245 is a command injection vulnerability in the CLI of Cisco Catalyst SD-WAN Controller (formerly vSmart), Cisco Catalyst SD-WAN Manager (formerly vManage), and Cisco Catalyst SD-WAN Validator (formerly vBond). The flaw stems from insufficient validation of user-supplied input when processing uploaded files.

An authenticated attacker with netadmin privileges can exploit this by uploading a crafted file to the affected system. Successful exploitation allows the attacker to execute arbitrary operating-system commands as root, effectively elevating an already privileged netadmin account to full root control. Cisco has observed limited cases where this exploitation resulted in a configuration change being pushed to edge devices, expanding the attack’s reach.

Impact

  • CVSS Score: 7.8 (HIGH)
  • Attack Vector: LOCAL
  • Privileges Required: LOW (netadmin)
  • User Interaction: NONE

The vulnerability is rated as High severity on the CVSS scale. A successful exploit gives the attacker root-level command execution, enabling persistent backdoors, data exfiltration, or further pivoting within the SD-WAN infrastructure. Because the attacker must first hold netadmin credentials (or exploit another vulnerability to obtain them), the attack surface is limited to already trusted operators, but the root escalation makes it particularly dangerous in supply-chain attacks or insider threats.

Active Exploitation and CISA KEV

CISA has added CVE-2026-20245 to its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild. Despite a low EPSS score of 0.1% (a low predicted probability of exploitation in the next 30 days), the confirmed active exploitation and real-world impact on edge device configurations make this a high-priority fix.

Remediation

Cisco strongly recommends upgrading to the fixed software version documented in the security advisory published on May 14, 2026. No workarounds are available. Administrators should also verify the configuration of all edge devices for unauthorized changes that may have been pushed during exploitation.

Security Insight

The CVE-2026-20245 command injection follows a recurring pattern in Cisco SD-WAN vulnerabilities: file-upload processing that fails to sanitize user input. Combined with the earlier auth bypass zero-days in the same product family, it paints a picture of systemic input-validation weaknesses in Cisco’s SD-WAN codebase. Organizations relying on Cisco SD-WAN should treat these vulnerabilities as a prompt to audit all CLI and file-upload paths for similar flaws, as attackers are clearly focusing on this attack surface.
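As an added illustration of the pattern the insight describes (example code, not Cisco's; the upload directory, the name allow-list and the `wc` command are assumptions), here is an upload-name-to-command path in its vulnerable form beside a hardened form of the kind an audit of file-upload handlers should look for:

```python
import re
from pathlib import Path

# Constructed example, not Cisco's code: a file-processing step of the kind the
# advisory describes (an uploaded file's name ends up in an OS command run by a
# privileged process), shown in a vulnerable form and a hardened form.
UPLOAD_DIR = Path("/tmp/uploads")  # assumed location for the example
SAFE_NAME = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}")


def build_command_vulnerable(filename: str) -> str:
    """Vulnerable pattern: the user-controlled name is spliced into a shell string.
    Anything after a shell metacharacter becomes a second command once this
    string is handed to a shell (e.g. subprocess.run(cmd, shell=True))."""
    return f"wc -c {UPLOAD_DIR / filename}"


def validate_upload_name(filename: str) -> Path:
    """Allow-list the name (no separators, no metacharacters, no leading dot),
    then confirm the resolved path still sits directly inside UPLOAD_DIR."""
    if not SAFE_NAME.fullmatch(filename):
        raise ValueError(f"rejected upload name: {filename!r}")
    target = (UPLOAD_DIR / filename).resolve()
    if target.parent != UPLOAD_DIR.resolve():
        raise ValueError(f"upload name escapes {UPLOAD_DIR}: {filename!r}")
    return target


def build_command_hardened(filename: str) -> list[str]:
    """Hardened pattern: validate first, then build an argv list. Passed to
    subprocess.run(argv) with no shell, the filename is always exactly one
    argument, whatever characters it contains."""
    return ["wc", "-c", str(validate_upload_name(filename))]


def is_accepted(filename: str) -> bool:
    """True if the hardened path would process this upload name at all."""
    try:
        validate_upload_name(filename)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for name in ["config.bin", "config.bin; id", "../etc/shadow"]:
        print(f"{name!r}: shell string -> {build_command_vulnerable(name)!r}")
        hardened = build_command_hardened(name) if is_accepted(name) else "REJECTED"
        print(f"{name!r}: hardened -> {hardened}")
```

The vulnerable builder never fails: it happily returns a string with a second command in it, and only the hardened path refuses the name before anything is executed.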


Public PoC References

Unverified third-party code

These repositories are publicly listed on GitHub and have not been audited by Yazoul Security. They may contain malware, backdoors, destructive payloads, or operational security risks (telemetry, exfiltration). Treat them as hostile binaries. Inspect source before execution. Run only in isolated, disposable lab environments (offline VM, no credentials, no production data).

Authorized use only. This information is provided for defensive research, detection engineering, and patch validation. Using exploit code against systems you do not own or do not have explicit written permission to test is illegal in most jurisdictions and violates Yazoul's terms of use.

Repository: HORKimhab/CVE-2026-20245
Description: CVE-2026-20245 - Cisco SD-WAN - Draft
Stars: 0

Showing 1 of 1 known references. Source: nomi-sec/PoC-in-GitHub.
