Canadian Cyber Security Journal

Cisco CVE-2026-20245: Seventh SD-WAN Zero-Day of 2026 Has No Patch — What Canadian Organizations Must Do Now

What Happened

Cisco disclosed CVE-2026-20245 on June 5, 2026 — a seventh zero-day in Cisco Catalyst SD-WAN Manager exploited in the wild this year. The flaw exists due to insufficient validation of user-supplied input in the CLI, and it allows an authenticated attacker with netadmin privileges to upload a crafted file and execute arbitrary commands as the root user on the underlying system. Mandiant discovered and reported the exploitation to Cisco.

The vulnerability affects all Cisco SD-WAN deployment models: on-premises, Cloud-Pro, Cisco-managed Cloud, and the FedRAMP Government variant. Cisco confirmed a limited number of exploitation cases, in which attackers pushed unauthorized configuration changes to edge devices — a direct threat to network integrity. No patch exists and no workaround is available. Cisco is advising customers to upgrade to the version that addressed the earlier CVE-2026-20182 authentication bypass as a partial mitigation, but CVE-2026-20245 itself remains open.

This disclosure continues a pattern that has made 2026 exceptional for Cisco SD-WAN risk: this is the seventh CVE in the SD-WAN Manager product exploited this year, following prior disclosures in January, February, March, April, and two in May, including CVE-2026-20182 (CVSS 10.0) and CVE-2026-20127.

Why This Matters for Canadian Organizations

Cisco SD-WAN is widely deployed across Canadian enterprise, government, financial services, and telecommunications networks. Any organization running Cisco Catalyst SD-WAN Manager in any of its supported deployment modes is affected. The attack chain is particularly serious because it begins with previously disclosed flaws for which patches already exist — meaning any organization that has not patched CVE-2026-20182 is at direct risk of a full root-level compromise chain. Attackers who gain root access to SD-WAN Manager can push configuration changes to every edge device managed by the platform, potentially redirecting traffic, disabling security controls, or establishing persistent access.

For Canadian organizations subject to PIPEDA, a breach resulting from exploitation of a known unpatched vulnerability carries significant notification risk. Organizations in financial services under OSFI B-13 and those designated as critical infrastructure operators under Bill C-26 have an obligation to demonstrate that vendor-disclosed vulnerabilities are tracked and mitigated under defined timelines.

What to Do

Immediately audit whether your Cisco SD-WAN Manager deployment has applied the fix for CVE-2026-20182 — this is Cisco’s current mitigation guidance for limiting exposure. Restrict netadmin access to Cisco SD-WAN Manager to only those accounts and systems that require it, and enforce multi-factor authentication on all administrative sessions. Review SD-WAN Manager access and configuration change logs for any unauthorized activity since May 14, 2026. Track Cisco’s security advisory page for CVE-2026-20245 for patch availability, and apply the patch immediately when it is released. Report any confirmed exploitation to your incident response team, and evaluate PIPEDA breach notification obligations if unauthorized configuration changes have occurred.
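
The log review step above, sketched as an added example (not code from Cisco or from the original article). The JSON-lines record format, field names, action names and allowlists are all assumptions; map them to whatever your SD-WAN Manager audit export actually contains.

```python
import json
from datetime import datetime, timezone

REVIEW_START = datetime(2026, 5, 14, tzinfo=timezone.utc)  # date from the article
# Assumptions: site-specific allowlists and action names, not Cisco's schema.
APPROVED_ADMINS = {"netops-alice", "netops-bob"}
APPROVED_SOURCES = {"10.20.0.5", "10.20.0.6"}  # admin jump hosts
WATCHED_ACTIONS = {"config_push", "file_upload"}

# Constructed sample records (documentation IP ranges, invented names).
SAMPLE_LOG = """\
{"ts":"2026-05-10T09:12:00Z","user":"svc-old","src":"203.0.113.7","action":"config_push","target":"edge-yyz-01"}
{"ts":"2026-05-20T14:03:00Z","user":"netops-alice","src":"10.20.0.5","action":"config_push","target":"edge-yyz-01"}
{"ts":"2026-05-22T02:41:00Z","user":"netops-bob","src":"198.51.100.44","action":"file_upload","target":"manager"}
{"ts":"2026-06-01T03:15:00Z","user":"tmp-admin","src":"198.51.100.44","action":"config_push","target":"edge-yvr-03"}
{"ts":"2026-06-02T08:00:00Z","user":"netops-alice","src":"10.20.0.5","action":"login","target":"manager"}
{"ts":"2026-06-03T11:
"""

def review(log_text, start=REVIEW_START):
    """Return (line_no, reason, summary) for events needing a human look."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
            ts = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        except (ValueError, KeyError, TypeError, AttributeError):
            # A truncated or malformed record is itself worth reviewing.
            findings.append((line_no, "unparseable", line[:40]))
            continue
        if ts.tzinfo is None:
            ts = ts.replace(tzinfo=timezone.utc)  # assume UTC if unlabeled
        if ts < start or ev.get("action") not in WATCHED_ACTIONS:
            continue
        reasons = []
        if ev.get("user") not in APPROVED_ADMINS:
            reasons.append("unapproved account")
        if ev.get("src") not in APPROVED_SOURCES:
            reasons.append("unapproved source")
        if reasons:
            summary = f'{ev.get("user")}@{ev.get("src")} {ev["action"]} -> {ev.get("target")}'
            findings.append((line_no, ", ".join(reasons), summary))
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(*finding, sep=" | ")
```

Events before May 14, 2026 and actions outside the watched set are skipped; everything returned is a lead for manual review, not a verdict.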

Source: BleepingComputer | SecurityWeek
