Cisco has acknowledged CVE-2026-20245, a critical command-injection vulnerability in Catalyst SD-WAN Manager, and confirmed that it remains unpatched. Mandiant researchers, who discovered and reported the flaw, have observed active exploitation in June 2026 by UAT-8616, a Chinese state-nexus threat actor. This is the seventh distinct zero-day affecting Cisco SD-WAN infrastructure in 2026.
How the vulnerability works
An authenticated attacker holding netadmin privileges can upload a crafted file to the Catalyst SD-WAN Manager administrative interface and execute arbitrary commands as root. Those netadmin privileges can be obtained by first exploiting CVE-2026-20182, an authentication-bypass flaw Cisco disclosed earlier in June, and then chaining it with this vulnerability. Together, the two flaws allow a full root-level takeover of the SD-WAN management plane from a position of initial network access.
Exploitation context
Mandiant has published indicators of compromise associated with the UAT-8616 campaign. The actor has now exploited seven distinct Cisco SD-WAN vulnerabilities in 2026, with observed targeting of government agencies, telecommunications operators, and critical infrastructure providers across the Asia-Pacific region. The speed of exploitation following disclosure is consistent with the actor's established operational tempo: previous vulnerabilities in this campaign were weaponized within 48 hours of public disclosure.
What defenders should do now
No patch is available and Cisco has not issued a workaround. Defenders should restrict Catalyst SD-WAN Manager access to trusted management networks only, audit netadmin account assignments and remove unnecessary permissions, apply Mandiant's published IoCs to SIEM and network detection tooling, and contact Cisco TAC for affected software versions and patch timeline estimates. Organizations running Cisco SD-WAN infrastructure should assume continued exploitation pressure from UAT-8616 through the remainder of 2026.
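The following is an added example, not code from the article, Cisco, or Mandiant. It shows how the two monitoring actions above (applying published IoCs to log data and auditing netadmin assignments) can be turned into a small, repeatable check. The IoC addresses, the trusted management network, the account list and the access-log format are all constructed placeholders for illustration; a real deployment would substitute Mandiant's published indicators, the organization's own management CIDRs, and the actual log format exported from SD-WAN Manager.

```python
"""
Added example (not from the original article, Cisco, or Mandiant).
Applies a constructed IoC list and a trusted-management-network policy to
constructed access-log lines, and audits which accounts hold netadmin.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed placeholder indicators; NOT Mandiant's real IoCs.
IOC_IPS = {"203.0.113.17", "198.51.100.42"}

# Constructed: the only network from which management access is expected.
TRUSTED_MGMT_NETS = [ipaddress.ip_network("10.200.0.0/24")]

# Hypothetical log format: "<timestamp> <src_ip> <user> <method> <path> <status>"
# (assumed for this example; real SD-WAN Manager logs differ).
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")

# Constructed sample log lines (hypothetical upload path, not a real endpoint).
SAMPLE_LOGS = [
    "2026-06-12T09:14:03Z 10.200.0.15 ops-admin GET /dashboard 200",
    "2026-06-12T09:15:41Z 203.0.113.17 netadmin POST /admin/upload 200",
    "2026-06-12T09:16:02Z 192.0.2.88 netadmin POST /admin/upload 200",
    "not a parsable line",
]

# Constructed account inventory and the approved netadmin holders.
SAMPLE_ACCOUNTS = [
    {"user": "ops-admin", "role": "netadmin"},
    {"user": "svc-backup", "role": "netadmin"},
    {"user": "viewer1", "role": "operator"},
]
APPROVED_NETADMINS = {"ops-admin"}


@dataclass
class Finding:
    src: str
    user: str
    reasons: list = field(default_factory=list)


def is_trusted(ip: str) -> bool:
    """True if the address falls inside a trusted management network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_MGMT_NETS)


def analyze(lines, ioc_ips=IOC_IPS):
    """Return one Finding per log line that trips at least one rule."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable lines are skipped, not silently scored
        _ts, src, user, method, path, _status = m.groups()
        reasons = []
        if src in ioc_ips:
            reasons.append("ioc_match")
        if not is_trusted(src):
            reasons.append("untrusted_source")
            # An upload to the admin interface from outside the management
            # network is the pattern the advisory describes; flag it explicitly.
            if method == "POST" and "/upload" in path:
                reasons.append("upload_from_untrusted")
        if reasons:
            findings.append(Finding(src=src, user=user, reasons=reasons))
    return findings


def audit_netadmins(accounts, approved=APPROVED_NETADMINS):
    """Return netadmin holders that are not on the approved list."""
    return sorted(
        a["user"] for a in accounts
        if a["role"] == "netadmin" and a["user"] not in approved
    )


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOGS):
        print(f"{f.src} ({f.user}): {', '.join(f.reasons)}")
    print("unapproved netadmins:", audit_netadmins(SAMPLE_ACCOUNTS))
```

On the constructed sample, the line from the IoC address is flagged for all three reasons, the 192.0.2.88 line is flagged as an upload from an untrusted source even though it matches no IoC, and the in-network dashboard request produces no finding; the account audit reports svc-backup as an unapproved netadmin. The point of the second rule is that IoC lists lag the actor, so the access-policy check catches activity the indicator feed has not seen yet.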
Gigia Tsiklauri is a security architect and AI security practitioner. Follow more analysis at infosec.ge.