Cisco Releases Security Updates for Catalyst SD‑WAN Products

Summary

CVE-2026-20245 could allow an authenticated, local attacker to execute arbitrary commands as root, and CVE-2026-20262 could allow an authenticated, remote attacker to create a file or overwrite any file on the filesystem of an affected system.


Threat details

Additional Detail on Affected Products

CVE-2026-20245 and CVE-2026-20262 affect the following Catalyst SD-WAN deployment types:

  • On-Premises Deployment
  • Cisco Hosted SD-WAN Cloud
  • Cisco Hosted SD-WAN Cloud - Cisco Managed
  • Cisco Hosted SD-WAN for Government - FedRAMP Environment

Introduction

Cisco has released a security update to address CVE-2026-20245, a high severity vulnerability in Catalyst SD-WAN Controller (formerly SD-WAN vSmart), Catalyst SD-WAN Manager (formerly SD-WAN vManage), and Catalyst SD-WAN Validator (formerly SD-WAN vBond). Cisco Catalyst SD-WAN is a software-defined wide area network solution that enables secure, scalable, and flexible connectivity across enterprise networks.

To exploit this vulnerability, the attacker must have netadmin privileges on the affected system. This would require valid credentials or exploitation of CVE-2026-20182 or CVE-2026-20127, covered in High Severity Cyber Alerts CC-4784 and CC-4748, respectively.

  • CVE-2026-20245 is an "insufficient validation of user-supplied input" vulnerability with a CVSSv3 score of 7.8. Successful exploitation could allow an authenticated, local attacker to execute arbitrary commands as root.

Cisco has also released a security update to address CVE-2026-20262, another vulnerability present in Cisco Catalyst SD-WAN Manager.

  • CVE-2026-20262 is an "insufficient validation of user-supplied input" vulnerability with a CVSSv3 score of 6.5. Successful exploitation could allow an authenticated, remote attacker to create a file or overwrite any file on the filesystem of an affected system.

Exploitation of CVE-2026-20245 and CVE-2026-20262

Cisco has stated it is aware of exploitation of CVE-2026-20245 and CVE-2026-20262, and the US Cybersecurity and Infrastructure Security Agency (CISA) has added these vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog.

Edge devices like Cisco Catalyst SD-WAN are often internet-facing by design and are highly attractive targets for attackers. An increasing number of edge device vulnerabilities that are rapidly exploited by attackers are disclosed each year.

The NHS England National CSOC assesses it is highly likely vulnerabilities discovered in edge devices will continue to be exploited as zero-day vulnerabilities, or shortly after vendor disclosure.

Organisations are strongly encouraged to follow NCSC-UK's vulnerability management guidance, including patching edge devices as soon as possible if a critical vulnerability is identified.


Threat updates

Date Update
17 Jun 2026: The alert has been updated following the active exploitation of CVE-2026-20262; details of this vulnerability are now included within the alert. The following sections have been updated:
  • Summary
  • Threat Details
  • Introduction
  • Emphasis box
  • Remediation advice
  • Remediation steps
  • Definitive source of threat updates
  • CVE Vulnerabilities

Remediation advice

Affected organisations are encouraged to review the Cisco security advisories cisco-sa-sdwan-privesc-4uxFrdzx and cisco-sa-sdwan-arbfw-c2rZvQ, apply the relevant updates, and follow additional guidance from Cisco in the advisories.


Remediation steps

Type Step
Action

Perform a Comprehensive Compromise Assessment

Organisations are strongly encouraged to follow the steps listed in the "Indicators of Compromise" section of Cisco's advisories cisco-sa-sdwan-privesc-4uxFrdzx and cisco-sa-sdwan-arbfw-c2rZvQ.

Note: Organisations are strongly encouraged to complete this step first, or to collect all relevant artifacts, including a snapshot of the device and all logs, to support threat hunting after patching. Patching before conducting the compromise assessment or collecting relevant artifacts may delete critical evidence.

If evidence of compromise is detected, organisations must immediately report this to the NHS England National Cyber Security Operations Centre (CSOC) by calling 0300 303 5222 or emailing [email protected]. 

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-privesc-4uxFrdzx

Patch

Update to a Fixed Version

Organisations are strongly encouraged to update Catalyst SD-WAN Controller, Catalyst SD-WAN Manager, and Catalyst Validator to a fixed version. 

Organisations are strongly encouraged to use the Cisco Software Checker tool to determine the latest available version for their deployment.

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-privesc-4uxFrdzx

Guidance

Hardening Guidance for Cisco Catalyst SD-WAN

Organisations are encouraged to follow Cisco's hardening guidance for Catalyst SD-WAN.


https://sec.cloudapps.cisco.com/security/center/resources/Cisco-Catalyst-SD-WAN-HardeningGuide


CVE Vulnerabilities

Last edited: 17 June 2026 2:00 pm