
HiveForce Labs · Threat Advisory · Vulnerability Report
A critical zero-day vulnerability in Cisco Catalyst SD-WAN Manager (CVE-2026-20245) is under active exploitation, enabling authenticated attackers to gain root access on the management plane and push unauthorized configuration changes fleet-wide. All deployment types are affected. Patch to release 20.18.3.1 immediately.
CVE ID: CVE-2026-20245
CWE: CWE-116
Affected versions: 20.18.2.1 and earlier
Fixed release: 20.18.3.1
Section 01
Cisco disclosed CVE-2026-20245 on June 4, 2026 — an actively exploited, unpatched zero-day in the Cisco Catalyst SD-WAN Manager CLI affecting all versions 20.18.2.1 and earlier. Rated CVSS 7.8 and classified as CWE-116 (Improper Encoding or Escaping of Output), the vulnerability allows an authenticated attacker with netadmin privileges to upload a crafted file, trigger command injection, and gain root access on the SD-WAN management plane.
The netadmin precondition can be satisfied by chaining two earlier authentication-bypass flaws — CVE-2026-20182 and CVE-2026-20127 — converting this into a high-value privilege-escalation node in a broader SD-WAN intrusion chain. All deployment types are affected: On-Prem, Cisco SD-WAN Cloud-Pro, Cisco-Managed Cloud, and FedRAMP (Government). Cisco has observed limited cases where exploitation resulted in unauthorized configuration pushes to managed edge devices, enabling fleet-wide impact across enterprise and government networks.
A fix is available in Cisco Catalyst SD-WAN release 20.18.3.1. Organizations must upgrade immediately and verify all edge device configurations for unauthorized changes.
| CVE ID | Name | Affected Product | Zero-Day | CISA KEV | Patch |
|---|---|---|---|---|---|
| CVE-2026-20245 | Cisco Catalyst SD-WAN Manager Authenticated Privilege Escalation | Cisco Catalyst SD-WAN Manager | ✓ | ✓ | ✓ |
| CVE-2026-20182 | Cisco Catalyst SD-WAN Controller Authentication Bypass | Cisco Catalyst SD-WAN Controller | ✓ | ✓ | ✓ |
| CVE-2026-20127 | Cisco Catalyst SD-WAN Controller & Manager Authentication Bypass | Cisco Catalyst SD-WAN Controller & Manager | ✓ | ✓ | ✓ |
Section 02
The Cisco Catalyst SD-WAN Manager zero-day exploitation chain involves multiple interconnected vulnerabilities. The following five technical findings collectively define the attack surface, risk, and broader threat context of CVE-2026-20245.
Root Cause: Command Injection via Improper Output Escaping (CWE-116)
CVE-2026-20245, disclosed on June 4, 2026, is a high-severity zero-day in the command-line interface of Cisco Catalyst SD-WAN Manager (formerly vManage). The flaw carries a CVSS score of 7.8 and is classified as CWE-116 (Improper Encoding or Escaping of Output). The underlying cause is insufficient validation of user-supplied file input subsequently consumed by privileged shell helpers. An authenticated local attacker uploads a crafted file to trigger command injection and elevate privileges to root. All deployment types are affected: On-Prem, Cisco SD-WAN Cloud-Pro, Cisco SD-WAN Cloud (Cisco Managed), and Cisco SD-WAN for Government (FedRAMP).
Chained Authentication Bypass Enables Fleet-Wide Impact
Exploitation requires netadmin privileges, obtainable via valid credentials or by chaining the earlier authentication-bypass flaws CVE-2026-20182 and CVE-2026-20127 — making this a privilege-escalation node in a broader SD-WAN intrusion chain rather than a standalone initial-access vector. Cisco has observed limited cases where exploitation pushed unauthorized configuration changes to edge devices. Because Cisco Catalyst SD-WAN Manager is the orchestration plane for the managed edge fleet, root access on Manager translates directly into fleet-wide impact: traffic redirection, backdoor configurations, persistence, and lateral movement across enterprise and government networks.
Patch Released — Precursor Fix Alone Is Insufficient
Cisco has released a dedicated fix in Catalyst SD-WAN release 20.18.3.1; releases 20.18.2.1 and earlier are affected. Customers should upgrade to 20.18.3.1 and verify edge device configurations. Importantly, upgrading only to the May 14, 2026 releases for CVE-2026-20182 addresses the precursor authentication-bypass but does not fix CVE-2026-20245 itself. Cisco confirmed in-the-wild exploitation in June 2026, suggesting that disclosure was accelerated by active threat actor activity.
Threat Actor Attribution: UAT-8616
Cisco's advisory contains no official attribution, but exploitation of the two precursor CVEs has been publicly clustered under UAT-8616 with high confidence — a sophisticated actor active since at least 2023. Attribution of CVE-2026-20245 to UAT-8616 is plausible and operationally compelling, given it serves as a drop-in replacement for the cluster's prior root-escalation step (CVE-2022-20775), reflecting strategic continuity in targeting Cisco SD-WAN management infrastructure.
Sustained Year-Long Targeting Pattern Against Cisco SD-WAN
CVE-2026-20245 is the seventh Cisco Catalyst SD-WAN vulnerability flagged as actively exploited in 2026, following CVE-2026-20182, CVE-2026-20127, CVE-2026-20122, CVE-2026-20128, CVE-2026-20133, and CVE-2022-20775. This reflects a sustained, year-long targeting pattern against Cisco SD-WAN management infrastructure. Internet-exposed Manager instances are at heightened risk and should be prioritized for immediate log review. Note: CVE-2022-20775 originated in 2022 but was actively exploited again in 2026.
| CVE ID | Affected Versions | Affected CPE | CWE |
|---|---|---|---|
| CVE-2026-20245 | Cisco Catalyst SD-WAN 20.18.2.1 and earlier | cpe:2.3:a:cisco:catalyst_sd-wan_manager:*:*:*:*:*:*:*:* | CWE-116 |
| CVE-2026-20182 | Before 20.9.9.1, 20.12.7.1, 20.12.5.4, 20.12.6.2, 20.15.5.2, 20.15.4.4, 20.18.2.2, 26.1.1.1 | cpe:2.3:a:cisco:catalyst_sd-wan_controller:*:*:*:*:*:*:*:* cpe:2.3:a:cisco:catalyst_sd-wan_manager:*:*:*:*:*:*:*:* | CWE-287 |
| CVE-2026-20127 | Before 20.9.8.2, 20.12.5.3, 20.12.6.1, 20.15.4.2, 20.18.2.1 | cpe:2.3:a:cisco:catalyst_sd-wan_controller:*:*:*:*:*:*:*:* cpe:2.3:a:cisco:catalyst_sd-wan_manager:*:*:*:*:*:*:*:* | CWE-287 |
Section 03
Organizations running Cisco Catalyst SD-WAN Manager must take the following prioritized actions immediately to remediate the CVE-2026-20245 zero-day and reduce exposure from the broader SD-WAN intrusion chain.
Preserve Forensic Evidence Before Any Upgrade
Issue the request admin-tech command from each control component (Manager, Controller, Validator) in the SD-WAN deployment and collect the resulting admin-tech bundle before initiating any software upgrade. Cisco specifically warns that if a system is confirmed compromised, applying the software update alone will not resolve the vulnerability — the Cisco TAC will need the admin-tech file to provide tailored remediation steps. Retain all relevant logs (scripts.log, auth.log, control-connection state changes) prior to upgrade so that post-upgrade verification can confirm whether indicators of compromise are present.
Upgrade to the Fixed Release for CVE-2026-20245
Cisco has released 20.18.3.1 as the first fixed release for CVE-2026-20245; all Catalyst SD-WAN Manager versions 20.18.2.1 and earlier are affected and must be upgraded. Important: upgrading only to the May 14, 2026 releases for CVE-2026-20182 addresses the precursor authentication-bypass that satisfies the netadmin precondition, but does not fix CVE-2026-20245 itself. Customers should plan a two-stage or direct upgrade to 20.18.3.1.
Verify Edge Device Configurations Post-Upgrade
Because Cisco has observed exploitation resulting in unauthorized configuration pushes to edge devices, every edge device that may have received configuration from a potentially compromised Manager must be inspected for unauthorized changes. This includes routing policy, security policy, certificates, and any recently modified configuration objects. Treat any unverified configuration object received during the suspected exposure window as untrusted until reconciled against change-management records.
Restrict Management Plane Exposure
Per Cisco's hardening guidance for the February 2026 advisory, restrict inbound access to ports 22 and 830 on Catalyst SD-WAN Control Components to known controller and authorized management IP ranges using access control lists, security group rules, or firewall rules. Place control components behind a filtering device — ideally a two-layer firewall — and disable any non-required services including HTTP and FTP. Disable HTTP for the Catalyst SD-WAN Manager web UI administrator portal and obtain a CA-signed certificate for SSL/TLS.
Enforce Continuous Vulnerability Management for the SD-WAN Stack
Maintain a current inventory of all Catalyst SD-WAN Control Component versions, subscribe to Cisco Security Notifications, and integrate Catalyst SD-WAN release tracking into the patch-management cadence. Cisco has issued multiple SD-WAN advisories in 2026 (including CVE-2026-20122, CVE-2026-20128, CVE-2026-20133) with several flagged in CISA's Known Exploited Vulnerabilities catalogue. Treat the SD-WAN management plane as a high-priority asset class with elevated monitoring and accelerated patch SLAs.
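The upgrade guidance above and the inventory requirement in this step both come down to one check per control component: is its release at or above the fixed release for each CVE in this advisory? The script below is an added example (not Cisco tooling) that applies the fixed-release lists from the table in Section 02 to a constructed inventory; the train-matching rule in is_fixed is an assumption about how Cisco's "before X.Y.Z.W" lists apply and should be checked against the advisory for any train not listed.

```python
"""Inventory triage against the fixed releases named in this advisory.
Added example for this page, not Cisco tooling."""

# Per CVE: affected products, fixed releases, and an optional upper bound on
# affected versions (the advisory gives one only for CVE-2026-20245).
ADVISORY = {
    "CVE-2026-20245": {"products": {"manager"}, "max_affected": "20.18.2.1",
                       "fixed": ["20.18.3.1"]},
    "CVE-2026-20182": {"products": {"manager", "controller"}, "max_affected": None,
                       "fixed": ["20.9.9.1", "20.12.7.1", "20.12.5.4", "20.12.6.2",
                                 "20.15.5.2", "20.15.4.4", "20.18.2.2", "26.1.1.1"]},
    "CVE-2026-20127": {"products": {"manager", "controller"}, "max_affected": None,
                       "fixed": ["20.9.8.2", "20.12.5.3", "20.12.6.1", "20.15.4.2",
                                 "20.18.2.1"]},
}

def parse(version):
    """'20.18.2.1' -> (20, 18, 2, 1); tuples compare numerically in Python."""
    return tuple(int(part) for part in version.split("."))

def is_fixed(version, fixed_list):
    """Assumed rule (not stated by the advisory): a release is fixed if it is at
    or above a fixed release in its own train (first three numbers), or, when
    its train has no fixed release, if it is newer than a fixed release in the
    same major.minor line. Anything else is conservatively treated as affected."""
    v = parse(version)
    fixes = [parse(f) for f in fixed_list]
    same_train = [f for f in fixes if f[:3] == v[:3]]
    if same_train:
        return any(v >= f for f in same_train)
    same_line = [f for f in fixes if f[:2] == v[:2]]
    return any(v > f for f in same_line)

def open_cves(product, version):
    """CVE IDs from ADVISORY that still apply to one control component."""
    result = []
    for cve, info in ADVISORY.items():
        if product not in info["products"]:
            continue
        bound = info["max_affected"]
        if bound is not None and parse(version) > parse(bound):
            continue  # newer than the advisory's stated affected range
        if not is_fixed(version, info["fixed"]):
            result.append(cve)
    return result

def triage(inventory):
    """inventory: {hostname: (product, version)} -> {hostname: [open CVEs]}."""
    return {host: open_cves(prod, ver) for host, (prod, ver) in inventory.items()}

if __name__ == "__main__":
    sample = {"mgr-a": ("manager", "20.18.2.1"), "mgr-b": ("manager", "20.18.3.1"),
              "ctl-c": ("controller", "20.12.5.3")}  # constructed hosts, not real
    for host, cves in triage(sample).items():
        print(host, "OK" if not cves else ", ".join(cves))
```

A Manager on 20.18.2.1 comes back with both CVE-2026-20245 and CVE-2026-20182 open, which is exactly the "precursor fix alone is insufficient" situation described above.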
Section 04
The following MITRE ATT&CK tactics, techniques, and sub-techniques are associated with the Cisco Catalyst SD-WAN Manager zero-day exploitation chain. These TTPs reflect the observed and probable threat actor behaviors aligned with UAT-8616's modus operandi.
CVE-2026-20182 / CVE-2026-20127 enables use of valid or bypassed netadmin credentials.
CVE-2026-20245 — authenticated attacker escalates from netadmin to root on the SD-WAN management plane.
Section 05