Urgent Alert: Cisco SD-WAN Zero-Day Flaw Exploited, No Patch Yet Available
June 5, 2026
A high-severity zero-day flaw in Cisco Catalyst SD-WAN Manager (CVE-2026-20245) is under active exploitation, allowing attackers with authenticated access to upload crafted files and gain root privileges.
Exploitation has been observed in a limited number of cases, prompting a configuration change on edge devices; there are currently no patches or workarounds available.
Exploitation requires netadmin privileges, which can be obtained via stolen credentials or by exploiting prior vulnerabilities (CVE-2026-20182 or CVE-2026-20127); no patch or workaround is available at this time.
Cisco has provided indicators of compromise (IoCs) to aid detection and investigation.
If indicators of compromise exist, patches alone may not be sufficient; Cisco TAC remediation steps will be issued to secure the system after compromise is confirmed.
Logs may not reliably distinguish legitimate commands from abuse; careful log review is recommended, including scrutiny of vmanage and vScript entries.
The flaw is being mitigated by May updates; future releases are expected to include additional security fixes, with no temporary workarounds available.
Cisco acknowledges Mandiant for reporting the flaw and provides log-based IoCs to help detect exploitation.
The advisory emphasizes monitoring and investigation, including checking /var/log/scripts.log for malicious attempts and using the IoCs to assess compromise.
Cisco recommends upgrading to fixed software released in May 2026 for CVE-2026-20182 and notes that a patch for CVE-2026-20245 will come later; customers should contact Cisco TAC for assistance.
There are no available workarounds; upgrade to fixed software for CVE-2026-20182 and carefully verify edge-device configurations for signs of compromise.
No patch is available yet for CVE-2026-20245; upgrade to software fixed for CVE-2026-20182 when possible and review admin-tech files and potential indicators of compromise with TAC support.
Summary based on 7 sources
Sources

Security Affairs • Jun 5, 2026
Cisco SD-WAN Has a New Root-Level Problem, and There’s No Fix Yet
BleepingComputer • Jun 5, 2026
Cisco warns of unpatched SD-WAN zero-day exploited in attacks
The Register • Jun 5, 2026
Yet another Cisco SD-WAN 0-day under attack, and no patch in sight
Help Net Security • Jun 5, 2026
Cisco SD-WAN 0-day exploited, no patch available (CVE-2026-20245)