Command Injection Vulnerability in Cisco Catalyst SD-WAN Products
CVE-2026-20245

7.8 HIGH

Key Information:

Vendor: Cisco

CVE Published: 4 June 2026

Badges

  • 🔥 Trending now
  • 📈 Trended
  • 📈 Score: 3,420
  • 💰 Ransomware
  • 👾 Exploit Exists
  • 🟡 Public PoC
  • 🦅 CISA Reported
  • 📰 News Worthy

What is CVE-2026-20245?


CISA has reported CVE-2026-20245

CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitors the most dangerous vulnerabilities and has identified CVE-2026-20245 as being exploited, but CISA does not know it to be used in ransomware campaigns. This is subject to change at pace, as recent news articles suggest the vulnerability is being used by ransomware groups.

CISA's recommendation is: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Affected Version(s)

Cisco Catalyst SD-WAN Controller 20.6.4

Cisco Catalyst SD-WAN Controller 20.9.2

Cisco Catalyst SD-WAN Controller 20.3.6

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

News Articles

Cisco SD-WAN Root Access: Mandiant Exposes Eight-Month Stealth Attack Chain

Cisco SD-WAN zero-day exploit CVE-2026-20245 was active for eight months before disclosure, Mandiant reveals in a new post-mortem. Attackers uploaded a crafted CSV file to inject a root account via

2 days ago

Cisco SD-WAN Zero-Day Exploit: Mandiant Reveals Malicious CSV Opened Root Shell

Cisco SD-WAN zero-day CVE-2026-20245 was exploited months before disclosure: Mandiant reveals how a malicious CSV file injected a rogue root account into Linux passwd files, giving attackers full

2 days ago

Cisco Catalyst SD-WAN Zero-Day CVE-2026-20245 Exploited to Gain Root Access

Mandiant says CVE-2026-20245 was exploited as a Cisco SD-WAN zero-day to escalate admin access to root on a provider network.

2 days ago

EPSS Score

9% chance of being exploited in the next 30 days.

CVSS V3.1

Score: 7.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • 📈 Vulnerability started trending
  • 🦅 CISA Reported
  • 💰 Used in Ransomware
  • 🟡 Public PoC available
  • 📰 First article discovered by Securityweek
  • 👾 Exploit known to exist
  • Vulnerability published
  • Vulnerability Reserved
