CVE-2026-20245
Cisco Catalyst SD-WAN Manager Improper Encoding or Escaping of Output Vulnerability - [Actively Exploited]
Description
A vulnerability in the CLI of Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, and Cisco Catalyst SD-WAN Validator, formerly SD-WAN vBond, could allow an authenticated, local attacker to execute arbitrary commands as root by supplying a crafted file to the affected system. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by uploading a crafted file to the affected system. A successful exploit could allow the attacker to perform command injection attacks on an affected system and elevate their privileges as the root user. To exploit this vulnerability, the attacker must have netadmin privileges on the affected system. This would require valid credentials or exploitation of or . Cisco is not aware of successful exploitation by other methods. Cisco has observed limited cases where the exploitation of this bug resulted in a configuration change pushed to edge devices. Cisco recommends that customers upgrade to the fixed software that is documented in the that was published on May 14, 2026, and verify the configuration of the edge devices.
INFO
Published Date :
June 4, 2026, 11:17 p.m.
Last Modified :
June 10, 2026, 12:59 p.m.
Remotely Exploit :
No
Source :
[email protected]
CISA KEV (Known Exploited Vulnerabilities)
For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild.
Cisco Catalyst SD-WAN Manager formerly SD-WAN vManage contains an improper encoding or escaping of output vulnerability. This vulnerability could allow an authenticated, local attacker to execute arbitrary commands as root by supplying a crafted file to the affected system.
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Unknown
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-privesc-4uxFrdzx ; https://nvd.nist.gov/vuln/detail/CVE-2026-20245
Affected Products
The following products are affected by CVE-2026-20245
vulnerability.
Even if cvefeed.io is aware of the exact versions of the
products
that
are
affected, the information is not represented in the table below.
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS 3.1 | HIGH | [email protected] |
Solution
- Upgrade to the fixed software version.
- Verify edge device configuration.
- Apply necessary patches or updates.
- Restrict access to netadmin privileges.
Public PoC/Exploit Available at Github
CVE-2026-20245 has a 8 public
PoC/Exploit available at Github.
Go to the Public Exploits tab to see the list.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2026-20245.
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2026-20245 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2026-20245
weaknesses.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
CVE-2026-20245
Python
CVE-2026-20245 - Cisco SD-WAN - Draft
Personal AI system built in Python cybersecurity, OSINT, sports prediction, darknet scanning, and autonomous reasoning.
Python
tech news
Python
None
None
PowerShell Shell
None
📡 PoC auto collect from GitHub. ⚠️ Be careful Malware.
security cve exploit poc vulnerability
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2026-20245 vulnerability anywhere in the article.
-
The Hacker News
Cisco Catalyst SD-WAN Zero-Day CVE-2026-20245 Exploited to Gain Root Access
An unknown threat actor exploited a recently disclosed high-severity security flaw impacting Cisco Catalyst SD-WAN as a zero-day at least two months before it was publicly disclosed, according to new ... Read more
-
The Hacker News
Cisco Releases Security Updates for Actively Exploited SD-WAN Manager Flaw
Cisco has released security updates for a medium-severity security flaw in Catalyst SD-WAN Manager that has come under active exploitation in the wild. The vulnerability, tracked as CVE-2026-20262, ca ... Read more
-
TheCyberThrone
CISA adds Cisco SD-WAN and LiteSpeed cPanel to KEV
June 16, 2026CVE-2026-20262 | Cisco Catalyst SD-WAN Manager — Path TraversalCVE-2026-20262 is a directory or path traversal vulnerability in Cisco Catalyst SD-WAN Manager. This class of flaw allows at ... Read more
-
The Cyber Express
CISA Sets 72-Hour Patch Window for Federal Systems Facing Highest Cyber Risks
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has introduced a new risk-based approach to vulnerability remediation, requiring federal civilian agencies to patch the most dangerous ... Read more
-
TheCyberThrone
CISA KEV Update — Cisco Catalyst SD-WAN, Google Chrome V8 & Arista EOS
CISA added three new vulnerabilities to its Known Exploited Vulnerabilities catalog on June 9, 2026: CVE-2026-20245 (Cisco Catalyst SD-WAN Manager), CVE-2026-11645 (Google Chromium V8), and CVE-2026-7 ... Read more
-
The Hacker News
CISA Adds Cisco, Chrome, and Arista Flaws to KEV Catalog Amid Active Exploitation
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added three new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, following reports of active exploitati ... Read more
-
The Cyber Express
Microsoft Patches Record 200 Vulnerabilities in June 2026 Patch Tuesday
Microsoft’s June 2026 Patch Tuesday, released on June 10, 2026, addressed 200 security vulnerabilities across Windows, Office, Azure, and related products—the largest single Patch Tuesday release in t ... Read more
-
The Cyber Express
Indonesian Media Outlet Tempo Targeted by 24.9 Million DDoS Requests
A major wave of cyberattacks on Tempo has disrupted access to one of Indonesia’s leading news websites, with the media outlet reporting millions of malicious requests directed at its servers over seve ... Read more
-
TheCyberThrone
CVE-2026-28318 — SolarWinds Serv-U DoS added to CISA KEV
June 8, 2026CVE: CVE-2026-28318CVSS Score: 7.5 (High)CWE: CWE-400 — Uncontrolled Resource ConsumptionKEV Added: June 5, 2026FCEB Remediation Deadline: June 19, 2026Vulnerability OverviewThe vulnerabil ... Read more
-
The Cyber Express
Cisco Warns of Active Exploitation of Catalyst SD-WAN Flaw With No Patch Available
Cisco has issued an urgent warning that a high-severity vulnerability in its Catalyst SD-WAN Manager platform is being actively exploited in the wild—and no patch exists yet. CVE-2026-20245 allows aut ... Read more
-
TheCyberThrone
TheCyberThrone CyberSecurity Newsletter Top 5 Articles – May 2026
June 7, 2026Welcome to TheCyberThrone cybersecurity month in review will be posted covering the important security happenings. This review is for the month ending May 2026.Subscribers favorite #1PyTor ... Read more
-
TheCyberThrone
CVE-2026-20245 — Cisco Catalyst SD-WAN Manager Privilege Escalation
June 6, 2026The Core FlawCVE-2026-20245 affects the command-line interface of Cisco Catalyst SD-WAN Manager and stems from insufficient validation of user-supplied input. An authenticated local attack ... Read more
-
The Hacker News
Cisco Catalyst SD-WAN Manager CVE-2026-20245 Flaw Actively Exploited – No Patch Available
Cisco has warned that a high-severity security flaw impacting Catalyst SD-WAN Manager has come under active exploitation. The vulnerability, tracked as CVE-2026-20245, carries a CVSS score of 7.8 out ... Read more
-
security.nl
Cisco waarschuwt voor actief misbruikt beveiligingslek in SD-WAN Manager
Cisco waarschuwt voor een actief misbruikt beveiligingslek in Cisco Catalyst SD-WAN Manager waardoor een aanvaller met toegang tot het systeem willekeurige commando's als root kan uitvoeren. Er zijn u ... Read more
-
CybersecurityNews
Cisco SD-WAN Vulnerability Exploited in the Wild to Execute Arbitrary Commands as Root User
Cisco has disclosed a high-severity vulnerability in its Catalyst SD-WAN Manager that is actively being exploited in the wild, allowing attackers to execute arbitrary commands with root privileges. Th ... Read more
The following table lists the changes that have been made to the
CVE-2026-20245 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
Initial Analysis by [email protected]
Jun. 10, 2026
Action Type Old Value New Value Added CPE Configuration OR *cpe:2.3:a:cisco:catalyst_sd-wan_manager:*:*:*:*:*:*:*:* versions up to (excluding) 20.9.9.1 *cpe:2.3:a:cisco:catalyst_sd-wan_manager:*:*:*:*:*:*:*:* versions from (including) 20.12.6 up to (excluding) 20.12.6.2 *cpe:2.3:a:cisco:catalyst_sd-wan_manager:*:*:*:*:*:*:*:* versions from (including) 20.13 up to (excluding) 20.15.4.4 *cpe:2.3:a:cisco:catalyst_sd-wan_manager:*:*:*:*:*:*:*:* versions from (including) 20.15.5 up to (excluding) 20.15.5.2 *cpe:2.3:a:cisco:catalyst_sd-wan_manager:*:*:*:*:*:*:*:* versions from (including) 20.16 up to (excluding) 20.18.2.2 *cpe:2.3:a:cisco:catalyst_sd-wan_manager:*:*:*:*:*:*:*:* versions from (including) 26.1 up to (excluding) 26.1.1.1 *cpe:2.3:a:cisco:catalyst_sd-wan_manager:20.12.7:*:*:*:*:*:*:* *cpe:2.3:a:cisco:catalyst_sd-wan_manager:*:*:*:*:*:*:*:* versions from (including) 20.10 up to (excluding) 20.12.5.4 *cpe:2.3:a:cisco:sd-wan_vsmart_controller:*:*:*:*:*:*:*:* versions up to (excluding) 20.9.9.1 *cpe:2.3:a:cisco:sd-wan_vsmart_controller:*:*:*:*:*:*:*:* versions from (including) 20.10 up to (excluding) 20.12.5.4 *cpe:2.3:a:cisco:sd-wan_vsmart_controller:*:*:*:*:*:*:*:* versions from (including) 20.12.6 up to (excluding) 20.12.6.2 *cpe:2.3:a:cisco:sd-wan_vsmart_controller:*:*:*:*:*:*:*:* versions from (including) 20.13 up to (excluding) 20.15.4.4 *cpe:2.3:a:cisco:sd-wan_vsmart_controller:*:*:*:*:*:*:*:* versions from (including) 20.15.5 up to (excluding) 20.15.5.2 *cpe:2.3:a:cisco:sd-wan_vsmart_controller:*:*:*:*:*:*:*:* versions from (including) 20.16 up to (excluding) 20.18.2.2 *cpe:2.3:a:cisco:sd-wan_vsmart_controller:*:*:*:*:*:*:*:* versions from (including) 26.1 up to (excluding) 26.1.1.1 *cpe:2.3:a:cisco:sd-wan_vsmart_controller:20.12.7:*:*:*:*:*:*:* Added Reference Type Cisco Systems, Inc.: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-privesc-4uxFrdzx Types: Vendor Advisory Added Reference Type Cisco Systems, Inc.: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa2-v69WY2SW Types: Vendor Advisory Added Reference Type CISA-ADP: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-20245 Types: US Government Resource -
CVE Modified by [email protected]
Jun. 09, 2026
Action Type Old Value New Value Changed Description A vulnerability in the CLI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an authenticated, local attacker to execute arbitrary commands as root by supplying a crafted file to the affected system. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by uploading a crafted file to the affected system. A successful exploit could allow the attacker to perform command injection attacks on an affected system and elevate their privileges as the root user. To exploit this vulnerability, the attacker must have netadmin privileges on the affected system. This would require valid credentials or exploitation of or . Cisco is not aware of successful exploitation by other methods. Cisco has observed limited cases where the exploitation of this bug resulted in a configuration change pushed to edge devices. Cisco recommends that customers upgrade to the fixed software that is documented in the that was published on May 14, 2026, and verify the configuration of the edge devices. A vulnerability in the CLI of Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, and Cisco Catalyst SD-WAN Validator, formerly SD-WAN vBond, could allow an authenticated, local attacker to execute arbitrary commands as root by supplying a crafted file to the affected system. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by uploading a crafted file to the affected system. A successful exploit could allow the attacker to perform command injection attacks on an affected system and elevate their privileges as the root user. To exploit this vulnerability, the attacker must have netadmin privileges on the affected system. This would require valid credentials or exploitation of or . Cisco is not aware of successful exploitation by other methods. Cisco has observed limited cases where the exploitation of this bug resulted in a configuration change pushed to edge devices. Cisco recommends that customers upgrade to the fixed software that is documented in the that was published on May 14, 2026, and verify the configuration of the edge devices. -
CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0
Jun. 09, 2026
Action Type Old Value New Value Added Reference https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-20245 -
CVE CISA KEV Update by 9119a7d8-5eab-497f-8521-727c672e3725
Jun. 09, 2026
Action Type Old Value New Value Added Date Added 2026-06-09 Added Due Date 2026-06-09 Added Required Action 2026-06-09 Added Vulnerability Name 2026-06-09 -
New CVE Received by [email protected]
Jun. 04, 2026
Action Type Old Value New Value Added Description A vulnerability in the CLI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an authenticated, local attacker to execute arbitrary commands as root by supplying a crafted file to the affected system. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by uploading a crafted file to the affected system. A successful exploit could allow the attacker to perform command injection attacks on an affected system and elevate their privileges as the root user. To exploit this vulnerability, the attacker must have netadmin privileges on the affected system. This would require valid credentials or exploitation of or . Cisco is not aware of successful exploitation by other methods. Cisco has observed limited cases where the exploitation of this bug resulted in a configuration change pushed to edge devices. Cisco recommends that customers upgrade to the fixed software that is documented in the that was published on May 14, 2026, and verify the configuration of the edge devices. Added CVSS V3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Added CWE CWE-116 Added Reference https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-privesc-4uxFrdzx Added Reference https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa2-v69WY2SW