Cisco SD-WAN Zero-Day CVE-2026-20245: No Patch, Root Access Active

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
Mandiant confirmed this week that attackers are actively exploiting CVE-2026-20245 in Cisco Catalyst SD-WAN Manager to escalate privileges to root on every deployment type, and Cisco has no patch available.
The Cisco SD-WAN zero-day CVE-2026-20245 is a command injection flaw in the Catalyst SD-WAN Manager CLI with a CVSS score of 7.8. Insufficient validation of user-supplied input allows an attacker holding netadmin privileges to upload a crafted file and execute arbitrary commands as root. Cisco's Product Security Incident Response Team confirmed exploitation in June 2026 after Google Cloud's cybersecurity subsidiary Mandiant discovered and reported the vulnerability.
No patch exists. Cisco disclosed CVE-2026-20245 on June 5, 2026, with its advisory stating the fix will appear in a future software release and no timeline committed. Threat actor UAT-8616, a highly sophisticated group that Cisco Talos has tracked since 2023, is exploiting this zero-day as the final stage in a three-vulnerability attack chain targeting critical national infrastructure operators. Post-compromise activity documented by Talos includes SSH key injection, NETCONF configuration manipulation to control edge routing, malicious account creation, and complete log deletion to eliminate forensic evidence.
All four Cisco Catalyst SD-WAN deployment types are confirmed affected: on-premises, Cisco SD-WAN Cloud-Pro, Cisco SD-WAN Cloud (Cisco Managed), and FedRAMP for government. Over 10 threat groups are now targeting Cisco SD-WAN infrastructure. With no patch and confirmed root-level exploitation, every SD-WAN Manager instance reachable from untrusted networks must be treated as a priority exposure today.
How Does Cisco SD-WAN Zero-Day CVE-2026-20245 Command Injection Work?
CVE-2026-20245 is a command injection vulnerability in the Cisco Catalyst SD-WAN Manager CLI that allows a netadmin-privileged attacker to execute arbitrary operating system commands as root. The root cause is insufficient validation of user-supplied input in the CLI processing layer, where crafted input escapes the intended command boundary and injects additional commands that execute with root privileges on the underlying OS.
The attack mechanism requires uploading a specially crafted file through the SD-WAN Manager CLI. The crafted file exploits the input validation gap in how the CLI processes file content, allowing injected OS commands to pass through to the operating system as root. A successful exploit gives the attacker unrestricted root-level code execution on the SD-WAN Manager appliance, the central control plane managing the entire SD-WAN network fabric including all edge devices, routing policies, and traffic inspection rules.
The prerequisite is netadmin credentials. An attacker starting from zero cannot directly exploit CVE-2026-20245 without first obtaining netadmin access. In the UAT-8616 campaign, attackers chain CVE-2026-20182 authentication bypass into CVE-2026-20245, eliminating any credential requirement from an external network position.
The primary detection signal is the /var/log/scripts.log file on SD-WAN Manager appliances. Cisco confirmed that exploitation attempts leave entries in this log showing tenant configuration data being uploaded to vSmart controllers, the specific anomaly pattern CVE-2026-20245 exploitation produces before post-compromise log clearing. Monitoring this log for unexpected upload activity is the earliest available detection while no patch exists.
Subscribe to unlock Indicators of Compromise
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
Who Is UAT-8616? The Threat Actor Behind Active SD-WAN Exploitation
UAT-8616 is a highly sophisticated threat actor tracked by Cisco Talos since 2023, assessed with high confidence to be state-sponsored based on technical capabilities, infrastructure tradecraft, and consistent targeting of critical national infrastructure. The actor demonstrates operational knowledge of Cisco SD-WAN internals that required either dedicated product research or insider-level access to develop, consistent with a nation-state offensive program.
The defining characteristic of UAT-8616 is persistent targeting of network edge devices at critical national infrastructure operators, telecommunications providers, energy companies, government networks, and defense-adjacent organizations. Network edge devices are the highest-value persistence targets in enterprise environments: they carry all network traffic, survive most endpoint-level incident response actions, and provide strategic positioning for long-term surveillance or pre-positioning for disruption.
Cisco Talos observed UAT-8616 infrastructure overlapping with Operational Relay Box (ORB) networks, distributed proxy infrastructure used by sophisticated actors to route attack traffic through non-attributable addresses and obscure attribution chains. ORB network use indicates a well-resourced actor with mature operational security discipline, making attribution difficult and blocking source IPs ineffective.
Post-compromise TTPs documented by Talos confirm the sophistication level. After achieving root on SD-WAN Manager, UAT-8616 performs SSH key injection into the vmanage-admin authorized_keys file, NETCONF configuration manipulation to redirect or intercept edge device traffic, malicious admin account creation for durable re-entry, and systematic clearing of all authentication and session logs. The log-clearing step is operationally significant: the actor understands precisely which forensic artifacts its access generates and executes a cleanup routine to remove them, indicating prior experience operating undetected in similar environments.
“UAT-8616 demonstrated an ongoing trend of targeting network edge devices in order to establish beachheads at high-value organisations, such as operators of critical national infrastructure.”
Cisco Talos Intelligence, Active Exploitation of Cisco Catalyst SD-WAN by UAT-8616
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
The Three-Vulnerability Attack Chain: CVE-2026-20127 Through Root
The full UAT-8616 attack chain uses three Cisco SD-WAN vulnerabilities in sequence, with each step providing the access level required for the next. Understanding the chain is necessary to assess whether CVE-2026-20245 alone is an immediate direct risk or a second-stage escalation risk in a given environment.
CVE-2026-20127, Initial Access (Since 2023)
CVE-2026-20127 is a Cisco Catalyst SD-WAN Controller vulnerability leveraged by UAT-8616 as a zero-day since 2023. This provided initial unauthenticated access to SD-WAN environments. Cisco later patched CVE-2026-20127, but organizations that did not apply the patch may have persistent UAT-8616 footholds established years ago that are now being leveraged for the CVE-2026-20245 escalation.
CVE-2026-20182, Authentication Bypass (May 2026)
CVE-2026-20182 is a Cisco Catalyst SD-WAN Controller authentication bypass exploited by UAT-8616 as a zero-day in May 2026. This bypass grants netadmin access to SD-WAN Manager without valid credentials, precisely the privilege level required to exploit CVE-2026-20245. Attackers who targeted fresh environments used CVE-2026-20182 to skip the need for stolen credentials entirely.
CVE-2026-20245, Root Privilege Escalation (June 2026)
CVE-2026-20245 is the escalation step. Once the attacker holds netadmin access from CVE-2026-20182 or other means, CVE-2026-20245 escalates that access to root on SD-WAN Manager, enabling unrestricted control plane access across the entire SD-WAN fabric. Organizations already exposed via the prior two vulnerabilities are at immediate risk of root-level compromise right now.
Scope: Every Cisco SD-WAN Deployment Type Is Affected
Cisco's June 5 advisory confirms that CVE-2026-20245 affects all Cisco Catalyst SD-WAN Manager deployment models with no version boundary excluding any current release:
On-Premises: Organizations hosting SD-WAN Manager on internal infrastructure. Cisco SD-WAN Cloud-Pro: Cisco-managed cloud deployment. Cisco SD-WAN Cloud (Cisco Managed): Shared cloud infrastructure provisioned by Cisco. Cisco SD-WAN for Government (FedRAMP): Federal and government deployments with FedRAMP authorization.
The affected software spans the full Cisco Catalyst SD-WAN Manager release track. Cisco has not identified a version that does not contain the flaw, all current releases are vulnerable.
Over 10 distinct threat groups are now documented targeting Cisco Catalyst SD-WAN vulnerabilities as of mid-2026. The initial UAT-8616 activity beginning in 2023 attracted broader adversary attention as the attack surface became publicly known and exploitation tooling proliferated. The convergence of network edge access, centralized control plane exposure, and high-value targeting profile makes this product a competitive exploitation target in 2026.
The scale of exposure across deployment types is broader than typical enterprise vulnerability scenarios. Cloud-managed deployments where the customer does not have direct OS-level access to the SD-WAN Manager appliance face a detection gap: the log indicators Cisco provided require access to the appliance filesystem, which cloud customers may need to request through Cisco support channels. Organizations in cloud-managed deployment models should contact Cisco support immediately to request a forensic review of their instance logs.
IOCs and Detection: Indicators to Hunt Right Now
Detection for CVE-2026-20245 exploitation relies on behavioral and configuration indicators rather than file hashes or network signatures. No public sample-based IOCs have been released. UAT-8616's post-compromise log-clearing routine makes detection time-sensitive, the window between exploitation and evidence elimination is narrow.
Primary detection: /var/log/scripts.log. Cisco's advisory specifically identifies this log as the primary exploitation indicator. Search for entries showing tenant configuration data uploads to vSmart controllers that originate from unexpected IP addresses or occur outside scheduled maintenance windows. If the log file appears abnormally short for the appliance's operational age, or timestamps show a gap coinciding with any period since May 2026, log clearing has likely already occurred.
Persistence detection: authorized_keys and sshd_config. Audit /home/vmanage-admin/.ssh/authorized_keys for any SSH public key not provisioned by your team. Cross-reference each key fingerprint against your SSH key management records. Review /etc/ssh/sshd_config for PermitRootLogin set to yes, this is not the default configuration and is a direct post-exploitation indicator.
Authentication log review. Search SSH authentication logs for "Accepted publickey for vmanage-admin" entries from IP addresses not in your approved management access list. UAT-8616 routes through ORB networks, so source IPs may appear from hosting providers, cloud ranges, or unexpected geographies rather than recognizable threat actor infrastructure.
NETCONF session audit. Review NETCONF session logs for configuration changes originating from unrecognized management addresses since May 2026. Pay particular attention to modifications to edge device BGP configurations, traffic inspection policies, and routing tables, these are the categories UAT-8616 manipulates after gaining root access to redirect or intercept network traffic.
For organizations with SD-WAN deployments without direct appliance access, the CISA patch deadlines June 2026 advisory provides context on escalating unpatched network edge exposure to vendor support as a priority incident rather than routine maintenance request.
Subscribe to unlock Indicators of Compromise
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
Remediation: Steps to Close This Gap Before End of Day
With no patch available, remediation for the Cisco SD-WAN zero-day CVE-2026-20245 focuses on access restriction, compromise detection, and blocking the prerequisite vulnerability chain. These steps address the immediate exposure while awaiting Cisco's security update.
The most impactful single action is network-level isolation of SD-WAN Manager management interfaces. If SD-WAN Manager's administrative interface is reachable from untrusted networks, including corporate networks without explicit segmentation from internet-adjacent zones, access must be restricted immediately. SD-WAN Manager management traffic should only reach the appliance from dedicated management network segments with strict source IP controls.
Apply the CVE-2026-20182 patch if it has not already been deployed. While CVE-2026-20182 is a separate vulnerability, it is the primary access path UAT-8616 uses to obtain the netadmin privileges required to exploit CVE-2026-20245. Closing CVE-2026-20182 eliminates the escalation path for external attackers who do not already have valid netadmin credentials.
Restrict SD-WAN Manager access to trusted management networks only
Create ACL or firewall rules limiting TCP access to SD-WAN Manager management interfaces to dedicated administrative subnets. SD-WAN Manager should not be reachable from general corporate networks, guest networks, or any network segment with untrusted devices. If SD-WAN Manager is accessible from the internet, remove that access immediately.
Audit /home/vmanage-admin/.ssh/authorized_keys for unrecognized keys
Log into each SD-WAN Manager appliance and inspect the authorized_keys file for the vmanage-admin account. Compare each key fingerprint against your SSH key management records. Any unrecognized key is an active persistence mechanism, remove it immediately and rotate all legitimate keys as the account may be compromised.
Search /var/log/scripts.log for tenant configuration upload anomalies
Review scripts.log for entries indicating tenant configuration data was uploaded to vSmart controllers from unexpected sources or at unexpected times. If log content appears truncated or shows timestamp gaps since May 2026, assume exploitation has occurred and escalate to incident response. Contact Cisco TAC to request forensic log analysis if you lack direct appliance access.
Check /etc/ssh/sshd_config for unauthorized PermitRootLogin changes
Run: grep PermitRootLogin /etc/ssh/sshd_config on each SD-WAN Manager appliance. If the value is 'yes' and your team did not make this change, the appliance has been modified post-exploitation. Revert to 'no' and treat the appliance as compromised pending full forensic review.
Review SSH authentication logs for unexpected vmanage-admin logins
Search SSH auth logs for 'Accepted publickey for vmanage-admin' entries. Compare all source IPs against your approved management access list. Any unrecognized source IP warrants immediate investigation. UAT-8616 routes through ORB networks so IPs may appear as hosting providers or unexpected geographies.
Apply the CVE-2026-20182 patch to block the access chain
If CVE-2026-20182 is not yet patched, deploy it now. This authentication bypass is the primary mechanism UAT-8616 uses to obtain the netadmin credentials required for CVE-2026-20245 exploitation. Closing this prerequisite eliminates the escalation path for external attackers without valid credentials.
Disable NETCONF access from non-management IP ranges
Restrict NETCONF (TCP 830) to approved management source addresses only. Review NETCONF session logs for sessions since May 1, 2026, originating outside approved ranges. Any unauthorized NETCONF session that modified routing or traffic policies should be treated as an active compromise indicator requiring full incident response.
Why Cisco SD-WAN Zero-Day CVE-2026-20245 Matters for Network Security Teams
The Cisco SD-WAN zero-day CVE-2026-20245 represents a category of risk that security teams consistently underestimate: no-patch exploitation of network control plane infrastructure with no endpoint security coverage. EDR, SIEM, and endpoint detection tooling provides no coverage for SD-WAN Manager compromise because the appliance sits outside the endpoint management and security stack. An attacker with root access to SD-WAN Manager controls the routing logic, traffic inspection policies, and edge device configurations for every location connected to the SD-WAN fabric, without generating a single endpoint alert.
The accumulation of confirmed exploited SD-WAN vulnerabilities in 2026 is not incidental. Six confirmed exploited CVEs in a single product class in under six months reflects sustained, focused attacker investment. Attack tooling for Cisco SD-WAN is mature, distributed across 10 or more threat groups, and applied against a broad target population. Organizations that have not maintained aggressive patching against the prior five vulnerabilities should not wait for the CVE-2026-20245 patch before assessing whether their environment is already compromised.
The no-patch gap creates a specific operational window this weekend. Incident response capacity drops on weekends and threat actors know it. UAT-8616 has operated undetected in compromised SD-WAN environments for extended periods. The combination of confirmed exploitation, no patch, and approaching weekend creates the scenario that gap-closing is designed to address: take the defensive actions now, while you have full team capacity, rather than discovering an intrusion Monday morning when evidence has been cleared and attacker persistence is already established.
The three actions that provide the most detection coverage before end of business today are: audit the authorized_keys file, search scripts.log for the upload anomaly pattern Cisco identified, and restrict SD-WAN Manager management access to segmented subnets. None of these require waiting for a patch.
The bottom line
Cisco SD-WAN zero-day CVE-2026-20245 is actively exploited with no patch available as of June 5, 2026. UAT-8616, a Talos-tracked state-sponsored threat actor, is chaining three Cisco SD-WAN vulnerabilities to achieve root access on SD-WAN Manager across all deployment types. Three key facts: no Cisco patch exists today; attackers clear logs post-compromise making detection time-sensitive; and over 10 threat groups are now weaponizing this attack chain. The single concrete action for today: restrict SD-WAN Manager management access to trusted subnets, audit /home/vmanage-admin/.ssh/authorized_keys for unrecognized keys, and search /var/log/scripts.log for tenant configuration upload anomalies before end of business.
This analysis is generic — the platform version scores threats like this against your own stack.
Frequently asked questions
What is CVE-2026-20245 in Cisco SD-WAN?
CVE-2026-20245 is a command injection vulnerability in the Cisco Catalyst SD-WAN Manager CLI with a CVSS score of 7.8. Insufficient validation of user-supplied input allows an attacker with netadmin privileges to upload a crafted file and execute arbitrary commands as the root user on the SD-WAN Manager appliance. Cisco disclosed the vulnerability on June 5, 2026, and confirmed active exploitation. No patch is available as of the disclosure date.
Is there a patch available for CVE-2026-20245?
No. Cisco disclosed CVE-2026-20245 on June 5, 2026, and its security advisory states that the vulnerability will be addressed in a future software release with no specific timeline committed. Organizations cannot remediate this vulnerability by patching as of the disclosure date. The only available defensive actions are architectural: restricting SD-WAN Manager management access to trusted networks, monitoring log files for exploitation indicators, auditing for persistence mechanisms, and applying the CVE-2026-20182 patch to block the primary access chain attackers use to reach CVE-2026-20245.
Who is UAT-8616 and what are they targeting?
UAT-8616 is a highly sophisticated threat actor tracked by Cisco Talos since 2023, assessed with high confidence to be state-sponsored. The group specializes in targeting network edge devices at critical national infrastructure operators including telecommunications providers, energy companies, and government networks. UAT-8616 uses Operational Relay Box networks to obscure attack origin, exploits Cisco SD-WAN zero-days before public disclosure, and performs post-compromise log clearing to eliminate forensic evidence. Talos documented UAT-8616 activity back to 2023 targeting prior Cisco SD-WAN vulnerabilities before CVE-2026-20245 was disclosed.
How does the Cisco SD-WAN three-vulnerability attack chain work?
UAT-8616 chains three Cisco SD-WAN vulnerabilities in sequence. Step one uses CVE-2026-20127, a Catalyst SD-WAN Controller vulnerability leveraged since 2023 for initial access. Step two uses CVE-2026-20182, an authentication bypass exploited in May 2026 that grants netadmin access to SD-WAN Manager without credentials. Step three uses CVE-2026-20245, the new zero-day that escalates netadmin access to root. Organizations that patched CVE-2026-20182 have blocked the most common external path to CVE-2026-20245, but organizations compromised via CVE-2026-20127 in 2023 or earlier may already have persistent attacker access that can directly exploit CVE-2026-20245.
How do I detect exploitation of CVE-2026-20245 on my SD-WAN Manager?
Check four locations. First, review /var/log/scripts.log for entries showing tenant configuration data uploads to vSmart controllers from unexpected sources. Second, audit /home/vmanage-admin/.ssh/authorized_keys for unrecognized SSH public keys, UAT-8616 injects keys for persistent access. Third, check /etc/ssh/sshd_config for PermitRootLogin set to yes, which is not the default configuration. Fourth, search SSH authentication logs for 'Accepted publickey for vmanage-admin' from IP addresses not in your management access list. If scripts.log is abnormally short or shows timestamp gaps since May 2026, log clearing has likely already occurred and full incident response is warranted.
What should I do immediately if I cannot wait for a patch?
Three actions provide the most protection before a patch is available. First, restrict network access to SD-WAN Manager management interfaces to dedicated management subnets only, remove any internet or untrusted network access immediately. Second, apply the CVE-2026-20182 patch if not already deployed, which closes the authentication bypass attackers use to obtain the netadmin privileges CVE-2026-20245 requires. Third, audit authorized_keys and scripts.log for the specific indicators Cisco identified to determine whether exploitation has already occurred in your environment. Contact Cisco TAC if your deployment model does not provide direct appliance filesystem access.
Which Cisco SD-WAN versions are affected by CVE-2026-20245?
Cisco's June 5 advisory does not specify a version boundary below which the vulnerability does not exist. All current Cisco Catalyst SD-WAN Manager software releases are considered affected. All four deployment types are confirmed vulnerable: on-premises, Cisco SD-WAN Cloud-Pro, Cisco SD-WAN Cloud (Cisco Managed), and Cisco SD-WAN for Government (FedRAMP). Cisco plans to address the vulnerability in a future software release. Organizations should monitor Cisco's security advisory at the official Cisco Security Advisory portal for patch availability.
How does CVE-2026-20245 relate to CVE-2026-20182?
CVE-2026-20182 is the authentication bypass that provides the netadmin access level required to exploit CVE-2026-20245. An unauthenticated external attacker cannot directly exploit CVE-2026-20245 without first obtaining netadmin credentials or a netadmin session on the SD-WAN Manager. CVE-2026-20182 eliminates that credential requirement by allowing an attacker to authenticate to SD-WAN Manager without valid credentials, providing a direct path from external attacker to the CVE-2026-20245 root escalation. Patching CVE-2026-20182 blocks the most common external exploitation path for CVE-2026-20245 even though CVE-2026-20245 itself has no patch.
Sources & references
- BleepingComputer, Cisco warns of unpatched SD-WAN zero-day exploited in attacks
- Help Net Security, Cisco SD-WAN 0-day exploited, no patch available (CVE-2026-20245)
- Cisco Talos, Active exploitation of Cisco Catalyst SD-WAN by UAT-8616
- Cisco Talos, Ongoing exploitation of Cisco Catalyst SD-WAN vulnerabilities
- Cisco Security Advisory, Cisco Catalyst SD-WAN Manager Vulnerabilities
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
