{"id":8417,"date":"2026-06-08T21:48:02","date_gmt":"2026-06-08T21:48:02","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=8417"},"modified":"2026-06-08T21:48:02","modified_gmt":"2026-06-08T21:48:02","slug":"attackers-exploiting-unpatched-cisco-sd-wan-flaw","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=8417","title":{"rendered":"Attackers exploiting unpatched Cisco SD-WAN flaw"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Cisco warns customers of an actively exploited high-severity vulnerability in Catalyst SD-WAN Manager, an enterprise network management system that has been targeted by hackers multiple times in the past. Located in the command-line interface, the flaw allows authenticated attackers to escalate privileges to root and take over the entire system.<\/p>\n<p>The vulnerability, tracked as CVE-2026-20245, is rated 7.8 (high) on the CVSS scale instead of critical because it requires local access and netadmin privileges to exploit. These privileges can be obtained via stolen credentials or by exploiting authentication bypass flaws, such as CVE-2026-20245 or CVE-2026-20127, which were fixed in May and February, respectively.<\/p>\n<p>The older authentication bypass flaws were exploited by a cyberespionage threat actor Cisco Talos <a href=\"https:\/\/blog.talosintelligence.com\/uat-8616-sd-wan\/\">tracks as UAT-8616<\/a>. It\u2019s not clear whether the new vulnerability was exploited by the same group as part of its campaigns against enterprise SD-WAN deployments, but it was reported to Cisco by Google\u2019s Mandiant division, which specializes in incident response.<\/p>\n<p>\u201cThis vulnerability is due to insufficient validation of user-supplied input,\u201d Cisco said in <a href=\"https:\/\/sec.cloudapps.cisco.com\/security\/center\/content\/CiscoSecurityAdvisory\/cisco-sa-sdwan-privesc-4uxFrdzx\">its advisory<\/a>. \u201cAn attacker could exploit this vulnerability by uploading a crafted file to the affected system. A successful exploit could allow the attacker to perform command injection attacks on an affected system and elevate their privileges as the root user.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Mitigation<\/h2>\n<p>While a patch is not yet available, Cisco recommends upgrading to the latest available version to ensure the previous authentication bypass exploits don\u2019t work. Customers should also check the configuration of their edge devices because the company has observed cases where exploitation of this flaw resulted in configuration changes.<\/p>\n<p>Before upgrading SD-WAN deployments, users are advised to save all relevant log files and issue the request admin-tech command to collect the admin-tech file from each of the control components.<\/p>\n<p>Cisco has published indicators of compromise that should be visible in the scripts.log file from \/var\/log\/. However, it\u2019s hard to distinguish malicious and legitimate command calls in the logs, so if the indicators of compromise are present in the logs, customers should contact the Technical Assistance Center.<\/p>\n<p>\u201cIf the logs show indicators of compromise and the system is confirmed to be compromised, applying the software update alone will not resolve the vulnerability,\u201d the company said. \u201cIn such cases, follow the specific remediation steps that will be provided by the Cisco Technical Assistance Center (TAC) to help secure the system.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Cisco warns customers of an actively exploited high-severity vulnerability in Catalyst SD-WAN Manager, an enterprise network management system that has been targeted by hackers multiple times in the past. Located in the command-line interface, the flaw allows authenticated attackers to escalate privileges to root and take over the entire system. The vulnerability, tracked as CVE-2026-20245, [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":8418,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-8417","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8417"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=8417"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8417\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/8418"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=8417"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=8417"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=8417"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}