vulnerabilities · jun 24, 2026 · 21:58 utc
CVE-2026-20245: How Cisco SD-WAN Attackers Got Root
CVSS 7.8 zero-day CVE-2026-20245 in Cisco Catalyst SD-WAN Manager lets authenticated attackers escalate to root - Mandiant confirms active exploitation across all deployment types.
by Emanuel De Almeida

TL;DR
- CVE-2026-20245 is a CVSS 7.8 command-injection flaw in Cisco Catalyst SD-WAN Manager that allows privilege escalation to root from a netadmin session.
- Google Mandiant researchers discovered the bug; Cisco confirmed active exploitation in June 2026.
- This is the seventh Cisco SD-WAN zero-day exploited in 2026 - a pattern every network team on this platform must take seriously.
- All deployment types are affected: on-premises, Cloud-Pro, Cisco Managed Cloud, and FedRAMP environments.
- CISA added the flaw to its Known Exploited Vulnerabilities catalog on June 9, 2026; federal agencies faced a mandatory remediation deadline of June 23, 2026.
How Did Attackers Actually Get Root With CVE-2026-20245?
CVE-2026-20245 gives an authenticated attacker a direct path to root in a single step. The attacker holds netadmin privileges, submits specially crafted input to the Cisco Catalyst SD-WAN Manager CLI, and the application executes that input because it never validates it properly. No multi-stage exploit is needed. One injected command, one rogue root account.
According to Cisco's official advisory, confirmed post-exploitation activity included unauthorized configuration changes pushed to edge devices. Attackers did not sit quietly after gaining root. They used it to manipulate downstream network infrastructure - every router and branch node the SD-WAN Manager controls became a potential target.
When we reviewed Mandiant's technical disclosure and compared it against the advisory text, the attack path was unambiguous: the CLI parser trusts netadmin input without sanitization, which makes the injection trivial to execute once that session exists.
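As an added illustration of the flaw class the advisory describes (this is not Cisco's code and says nothing about how SD-WAN Manager's CLI is built internally), the block below shows a hypothetical privileged CLI handler that splices operator input into a shell command, beside a version that validates the argument against an allowlist and never hands it to a shell. The `run_reachability_check` name and the ping-based diagnostic are assumptions chosen for the example.

```python
"""The flaw class behind CVE-2026-20245 in miniature: a privileged CLI handler
that concatenates netadmin input into a shell command, next to a hardened form.
Added example, not Cisco's code; `run_reachability_check` and the ping
diagnostic are hypothetical stand-ins for "a privileged command that takes
operator input"."""
import re
import subprocess

# Allowlist for the single argument the diagnostic accepts: a hostname or IPv4
# literal. Spaces, ';', '|', '&', '$', backticks and quotes are all refused.
HOST_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,252}")


def build_command_vulnerable(target):
    """Vulnerable pattern: the argument is concatenated into one string that
    is later handed to a shell (shell=True). Metacharacters inside `target`
    are parsed by that shell as further commands, which then run with whatever
    privilege the CLI service itself holds."""
    return f"ping -c 1 {target}"


def validate_host(target):
    """Reject anything that is not a plain hostname or IPv4 literal."""
    if not HOST_RE.fullmatch(target):
        raise ValueError(f"rejected diagnostic argument: {target!r}")
    return target


def is_accepted(target):
    """True if the allowlist would let this argument through."""
    try:
        validate_host(target)
        return True
    except ValueError:
        return False


def build_command_hardened(target):
    """Hardened pattern: validate first, then build an argv list. With no shell
    in the path, any remaining odd byte is just part of one argument and cannot
    start a second command."""
    return ["ping", "-c", "1", validate_host(target)]


def run_reachability_check(target):
    """Execute the hardened form; shell=False passes the list straight to
    process creation instead of re-parsing it through /bin/sh."""
    argv = build_command_hardened(target)
    return subprocess.run(argv, shell=False, capture_output=True, text=True, timeout=5)


def looks_injected(argument):
    """Hunt filter for CLI audit logs: flag recorded arguments that carry shell
    metacharacters. Crude, but a cheap first pass when reviewing netadmin
    session history."""
    return any(c in argument for c in ";|&`$<>\n")
```

The vulnerable builder is kept only to show the shape to look for in code review: input reaching a `shell=True` call (or its equivalent in another language) without an allowlist in between. The hardened path keeps both controls, validation and no shell, because either one alone leaves a gap.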
How Did Attackers Get the Netadmin Access Needed to Start?
Netadmin credentials are the entry requirement for CVE-2026-20245. Attackers reached that level in one of two ways: valid stolen credentials, or prior exploitation of two other SD-WAN authentication bypass flaws. CVE-2026-20182 carries a maximum CVSS score of 10.0 and was added to the CISA KEV catalog on May 14, 2026, with a federal remediation deadline of May 17, 2026, per Tenable's FAQ. CVE-2026-20127 is the second bypass path. Both were confirmed exploited before CVE-2026-20245 entered the picture.
This chain has a clear implication for defenders: treating each CVE in isolation fails. A single unpatched authentication bypass hands an attacker netadmin access, and netadmin access hands them root via CVE-2026-20245. The two-step path from anonymous remote access to full device control is the real threat model here. Fixing the injection flaw without closing the bypass flaws leaves attackers with a working on-ramp. See also our coverage of a related Cisco flaw: Cisco Unified CM CVE-2026-20230 SSRF: Active Exploitation Reported and the associated CVE-2026-20230 advisory detail for context on how Cisco authentication flaws are being chained across product lines this year.
Who Discovered This - and Who Is Affected?
Three Google Mandiant researchers - Chester Sng, Pete Boonyakarn, and Logeswaran Nadarajan - discovered and responsibly disclosed CVE-2026-20245 to Cisco. BleepingComputer's coverage of the Mandiant technical breakdown provides additional exploit detail from that disclosure. Cisco's PSIRT learned of in-the-wild exploitation in June 2026, shortly after Mandiant's internal report.
Scope is broad. The vulnerability affects every Cisco Catalyst SD-WAN Manager deployment model:
- On-premises deployments
- Cloud-Pro environments
- Cisco Managed Cloud
- Cisco SD-WAN for Government (FedRAMP)
No organization running this platform is categorically safe without patching. For a related path-traversal flaw in the same product family, see CVE-2026-20262: Cisco Catalyst SD-WAN Manager Arbitrary File Write via Path Traversal.
Who Is Behind the Campaign?
Cisco Talos attributed the broader SD-WAN exploitation campaign to UAT-8616, a highly sophisticated threat actor whose activity dates back at least to 2023 - more than three years before public disclosure. Talos assessed this attribution with high confidence.
One of UAT-8616's stealth tactics stands out. After gaining access via authentication bypass, the group downgraded the device's software version to re-expose CVE-2022-20775 for root privilege escalation, then restored the original software version to hide the exploitation path. That version-shuffle made forensic detection significantly harder and suggests deliberate operational security.
After ZeroZenX Labs published proof-of-concept exploit code in March 2026, Cisco Talos identified 10 additional distinct threat clusters beyond UAT-8616 that began exploiting the CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122 chain, per Tenable. Those clusters deployed webshells, red-team frameworks, and cryptocurrency miners - a wide range of objectives pointing to opportunistic follow-on exploitation once the initial access technique became public.
A joint advisory co-sealed by CISA, NSA, and four international partners - Australia's ASD/ACSC, Canada's Cyber Centre, New Zealand's NCSC-NZ, and the UK's NCSC - underscores the global reach of this campaign. Seven nations flagging one product family at the same time is not a routine advisory cycle.
Why Is CVE-2026-20245 the 7th SD-WAN Zero-Day That Matters?
CVE-2026-20245 is not isolated. As SecurityWeek reports, it is the seventh confirmed exploited SD-WAN flaw in 2026, following a sequence that started with CVE-2022-20775 and continued through CVE-2026-20182, CVE-2026-20127, CVE-2026-20122, CVE-2026-20128, and CVE-2026-20133. Seven exploited vulnerabilities in one product line in one year is a targeting signal, not coincidence.
The table below maps each confirmed exploited CVE. All CVE identifiers carry a 2026 year prefix and are pre-publication identifiers at time of writing; NVD records are linked where available, and each identifier should be verified against the NIST NVD as records publish.
| CVE ID | CVSS | Type | CISA KEV Added | NVD Link |
|---|---|---|---|---|
| CVE-2022-20775 | - | Privilege escalation (version downgrade vector) | Prior to 2026 | |
| CVE-2026-20182 | 10.0 | Authentication bypass | May 14, 2026 | |
| CVE-2026-20127 | - | Authentication bypass | Prior to June 2026 | |
| CVE-2026-20122 | - | Auth chain link | Prior to June 2026 | |
| CVE-2026-20128 | - | Auth chain link | Prior to June 2026 | |
| CVE-2026-20133 | - | Auth chain link | Prior to June 2026 | |
| CVE-2026-20245 | 7.8 | CLI command injection / privilege escalation | June 9, 2026 | |
SD-WAN controllers are high-value targets by design. Compromise one, and an attacker can manipulate routing, intercept traffic, and push malicious configs to every edge node it manages. The access scales with the platform's own authority.
This pattern mirrors what we have documented in edge-device targeting more broadly. Edgecution Malware: Edge Extension Deploys Ransomware and UniFi OS CVSS 10.0 Flaws Actively Exploited - Patch Now both illustrate how threat actors prioritize network-adjacent control points over endpoint targets.
What to Do Now With CVE-2026-20245 Active
Apply Cisco's patch immediately. At initial disclosure on June 5, 2026, no patch or workaround yet existed. Monitor Cisco's advisory and apply fixes as soon as Cisco publishes them.
Audit netadmin accounts. Run the command below on every SD-WAN Manager instance and review each account with netadmin-level access for unfamiliar entries:
```
show aaa users
```
Check for rogue local accounts. Query and compare against your known-good baseline:
```
show system users
```
Review configuration change logs. Look for unauthorized config push events to edge devices originating from SD-WAN Manager in the period around and after June 2026.
Patch CVE-2026-20182 and CVE-2026-20127 first if you have not already. Removing the authentication bypass flaws cuts off the most likely path attackers use to reach netadmin access in the first place.
Federal agencies: CISA issued Emergency Directive 26-03 in February 2026, requiring Federal Civilian Executive Branch agencies to inventory all in-scope Cisco SD-WAN systems, collect forensic artifacts, apply patches, and hunt for compromise - covering Cisco Catalyst SD-WAN Manager and SD-WAN Controller regardless of device configuration. The June 9, 2026 KEV addition set a federal remediation deadline of June 23, 2026, per TechTimes. Confirm your status against the official CISA Known Exploited Vulnerabilities catalog.
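The account-audit steps above are easier to repeat across many SD-WAN Manager instances when the command output is diffed against a saved baseline rather than read by eye. The script below is an added example, not Cisco's tooling; it assumes that `show aaa users` and `show system users` print a whitespace-separated table with a header row naming a USERNAME column (and, for `show aaa users`, a GROUP column). Those column names and the sample outputs are constructed for illustration, so adjust them to what your own SD-WAN Manager version prints.

```python
"""Baseline audit of privileged and local accounts on Cisco Catalyst SD-WAN Manager.

Added example, not Cisco's code. The column layout of `show aaa users` and
`show system users` used here (USERNAME / GROUP / ...) is an assumption made
for illustration; adjust the header names to match your own version's output.
"""

# Constructed sample output for `show aaa users` (column names assumed).
SAMPLE_SHOW_AAA_USERS = """\
USERNAME      GROUP      STATUS
admin         netadmin   active
netops        netadmin   active
svc-backup    operator   active
sysmaint      netadmin   active
"""

# Constructed sample output for `show system users` (column names assumed).
SAMPLE_SHOW_SYSTEM_USERS = """\
USERNAME      UID    SHELL
admin         1000   /bin/vshell
netops        1001   /bin/vshell
svc-backup    1002   /bin/vshell
sysmaint      1003   /bin/bash
"""

# Known-good baselines, captured before the exploitation window.
BASELINE_NETADMIN = {"admin", "netops"}
BASELINE_LOCAL_USERS = {"admin", "netops", "svc-backup"}


def parse_cli_table(text):
    """Turn header-plus-rows CLI output into a list of {column: value} dicts.
    Lines whose field count does not match the header (separators, wrapped
    lines) are skipped rather than mis-assigned to columns."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        return []
    header = lines[0].split()
    rows = []
    for ln in lines[1:]:
        fields = ln.split()
        if len(fields) == len(header):
            rows.append(dict(zip(header, fields)))
    return rows


def usernames(rows, user_col="USERNAME", group_col=None, group=None):
    """Collect usernames, optionally only rows whose group_col equals group."""
    names = set()
    for r in rows:
        if group_col is not None and r.get(group_col, "").lower() != group:
            continue
        names.add(r[user_col])
    return names


def diff_baseline(current, baseline):
    """Return (unexpected, missing) as sorted lists: accounts present now but
    absent from the baseline, and baseline accounts that have disappeared."""
    return sorted(current - baseline), sorted(baseline - current)


def audit_netadmins(aaa_output, baseline=BASELINE_NETADMIN):
    """Accounts currently holding netadmin, compared against the baseline."""
    current = usernames(parse_cli_table(aaa_output), group_col="GROUP", group="netadmin")
    return diff_baseline(current, baseline)


def audit_local_users(system_output, baseline=BASELINE_LOCAL_USERS):
    """Local accounts on the host, compared against the baseline."""
    current = usernames(parse_cli_table(system_output))
    return diff_baseline(current, baseline)


if __name__ == "__main__":
    for label, (unexpected, missing) in (
        ("netadmin", audit_netadmins(SAMPLE_SHOW_AAA_USERS)),
        ("local user", audit_local_users(SAMPLE_SHOW_SYSTEM_USERS)),
    ):
        for name in unexpected:
            print(f"REVIEW: {label} account not in baseline: {name}")
        for name in missing:
            print(f"NOTE: baseline {label} account no longer present: {name}")
```

Run it against the captured output of each instance (for example by pasting the command output into the two sample strings, or reading it from files) and treat every REVIEW line as a lead to confirm against change tickets; a baseline account that has vanished is also worth a look, since removal of a legitimate account can be part of cleanup after a compromise.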
For teams managing Cisco infrastructure alongside Windows environments, our guides on Disable WinRM Basic Authentication via Intune: Step-by-Step and Intune Unattended Remote Help: Access Windows Devices Without User Interaction cover adjacent hardening steps worth pairing with SD-WAN remediation.
Frequently Asked Questions
Does an attacker need physical access to exploit CVE-2026-20245?
No. The flaw requires only authenticated netadmin-level access, and attackers can obtain that remotely via stolen credentials or by chaining authentication bypass flaws such as CVE-2026-20182 or CVE-2026-20127. Physical proximity to the device plays no part in a successful attack.
Is CVE-2026-20245 rated Critical severity?
CVE-2026-20245 carries a CVSS score of 7.8, classified as High rather than Critical. Confirmed in-the-wild exploitation, the breadth of affected deployment types, and the root-level outcome make it operationally more dangerous than the score alone suggests.
Were all SD-WAN Manager versions affected at disclosure?
Cisco's advisory confirmed the flaw at initial disclosure on June 5, 2026 without specifying a safe upgrade version, as no patch was available yet. Administrators should check the Cisco advisory page directly for updated version guidance as fixes release.
What did attackers do after gaining root?
Cisco confirmed limited cases where post-exploitation activity included unauthorized configuration changes pushed to edge devices. Attackers used root access to manipulate the managed network fabric - not just the SD-WAN Manager host itself.
Which threat actor drove this campaign?
Cisco Talos attributed the campaign to UAT-8616, a sophisticated actor active since at least 2023. After public proof-of-concept code appeared in March 2026, ten additional threat clusters joined in - deploying tools from webshells to cryptocurrency miners.
source: www.bleepingcomputer.com