Cisco Catalyst SD-WAN Manager Privilege Escalation Vulnerability

Byadmblake June 9, 2026

What is the Vulnerability? Cisco has disclosed a critical security vulnerability, CVE-2026-20245, affecting Cisco Catalyst SD-WAN Manager and confirmed that it is being actively exploited in the wild. The vulnerability resides in the platform’s command-line interface (CLI) and allows an authenticated attacker with netadmin privileges to execute arbitrary commands as root on the underlying operating…

What is the Vulnerability?

Cisco has disclosed a critical security vulnerability, CVE-2026-20245, affecting Cisco Catalyst SD-WAN Manager and confirmed that it is being actively exploited in the wild. The vulnerability resides in the platform’s command-line interface (CLI) and allows an authenticated attacker with netadmin privileges to execute arbitrary commands as root on the underlying operating system.

According to Cisco, successful exploitation has been observed in real-world attacks and has resulted in unauthorized configuration changes being pushed to managed SD-WAN edge devices. At the time of disclosure, Cisco had not released a software fix or workaround and instead provided indicators of compromise and investigation guidance to assist affected organizations.

What is the recommended Mitigation?

• Restrict access to SD-WAN Manager administrative interfaces to trusted management networks.

• Review Cisco-provided indicators of compromise and audit logs for evidence of suspicious file uploads, root-level activity, or unauthorized configuration changes.

• Verify the integrity of SD-WAN edge device configurations and policies.

• Rotate privileged SD-WAN credentials and investigate potential credential exposure.

• Monitor Cisco security advisories and apply updates immediately once a fix becomes available.

• Engage incident response procedures if signs of compromise are identified, as patching alone may not remediate an already compromised environment.

What FortiGuard Coverage is available?

• FortiGuard Antivirus & Behavior Detection: Detects and blocks malicious payloads and abnormal process execution that may result from successful exploitation.

• FortiGuard Incident Response Service: Assists organizations in investigating potential compromise, identifying attacker activity, and supporting remediation efforts.

• FortiGuard Managed Detection and Response (MDR): Provides continuous monitoring and detection of post-exploitation activity, privilege escalation attempts, and unauthorized configuration changes within affected environments.

Blog

ThreatsDay Bulletin: Wi-Fi Hack, npm Worm, DeFi Theft, Phishing Blasts— and 15 More Stories

Think your Wi-Fi is safe? Your coding tools? Or even your favorite financial apps? This week proves again how hackers, companies, and governments are all locked in a nonstop race to outsmart each other. Here’s a quick rundown of the latest cyber stories that show how fast the game keeps changing. DeFi exploit drains funds…

Read More ThreatsDay Bulletin: Wi-Fi Hack, npm Worm, DeFi Theft, Phishing Blasts— and 15 More Stories
Blog

Zero-Click AI Vulnerability Exposes Microsoft 365 Copilot Data Without User Interaction

A novel attack technique named EchoLeak has been characterized as a “zero-click” artificial intelligence (AI) vulnerability that allows bad actors to exfiltrate sensitive data from Microsoft 365 Copilot’s context sans any user interaction. The critical-rated vulnerability has been assigned the CVE identifier CVE-2025-32711 (CVSS score: 9.3). It requires no customer action and has been already

Read More Zero-Click AI Vulnerability Exposes Microsoft 365 Copilot Data Without User Interaction
Blog

Police Disrupt ‘Cryptomixer,’ Seize Millions in Crypto

Multiple European law enforcement agencies recently disrupted Cryptomixer, a service allegedly used by cybercriminals to launder ill-gotten gains from ransomware and other cyber activities.

Read More Police Disrupt ‘Cryptomixer,’ Seize Millions in Crypto
Blog

Not all Endpoint protection is created equal

When people ask us, “Aren’t all endpoint solutions the same these days?” — our answer is simple: No. They’re not.

Read More Not all Endpoint protection is created equal
Blog

Focus on Cyber Insurance: How Quantifying Risk Is Reshaping Security

In this latest installment of the Reporters’ Notebook video series, we discuss how cyber insurance is forcing organizations to quantify risk, what’s covered (and what’s not), and why this could be the best thing to happen to cybersecurity.

Read More Focus on Cyber Insurance: How Quantifying Risk Is Reshaping Security
Blog

With Complex Cloud Integrations, Small Errors Lead to Major Compromises

Researchers discover an exploit chain combining over-permissioned roles, secrets discovery, and non-human identities that could have compromised a popular automation service.

Read More With Complex Cloud Integrations, Small Errors Lead to Major Compromises

Related