CVE-2026-20245: Cisco Catalyst SD-WAN Controller Authenticated Privilege Escalation Vulnerability
A vulnerability in the CLI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an authenticated, local attacker to execute arbitrary commands as root by supplying a crafted file to the affected system. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by uploading a crafted file to the affected system. A successful exploit could allow the attacker to perform command injection attacks on an affected system and elevate their privileges as the root user. To exploit this vulnerability, the attacker must have netadmin privileges on the affected system. This would require valid credentials or exploitation of or . Cisco is not aware of successful exploitation by other methods. Cisco has observed limited cases where the exploitation of this bug resulted in a configuration change pushed to edge devices. Cisco recommends that customers upgrade to the fixed software that is documented in the that was published on May 14, 2026, and verify the configuration of the edge devices.
Metrics
- CVSS v3.1: 7.8
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is a command injection vulnerability in the Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage) CLI. An attacker with local access and netadmin-level credentials can upload a crafted file to inject arbitrary commands, which the system executes as root. Successful exploitation gives the attacker full root-level control of the affected host, and Cisco has observed limited cases where exploitation resulted in configuration changes being pushed to managed edge devices. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment Cisco publishes a fixed version.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built images that bundle affected versions of Cisco Catalyst SD-WAN Manager. Affected images in both registries and active CI pipelines are flagged automatically.
Status: Available
HarborGuard scores this CVE at CVSS 7.8 (HIGH) and weights it against each customer organization's compliance policy to determine routing priority. Triage tickets are routed to the appropriate team inbox within each customer org based on policy configuration.
Status: Available
No fix version has been published by Cisco at this time. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released, with auto-remediation customers receiving a rebuild, regression run, and PR against affected workloads where compliance policy permits.
Status: Pending upstream
Exploit Conditions
- Network reachability: Not required
  The attacker needs an existing shell or process on the host; no over-the-network vector is required to deliver the payload.
- Authentication: Required
  The attacker must hold a valid netadmin-level account on the affected system before exploitation is possible.
- Victim interaction: Not required
  No user interaction is needed once the attacker has access; the crafted file upload and command injection proceed without involving another user.
- Attack complexity: Low
  Attack complexity is low, meaning the exploit is reliable and requires no special race conditions or environmental prerequisites beyond the attacker having a valid account.
Blast Radius
- Attacker gains a root shell on the Cisco Catalyst SD-WAN Manager host, giving unrestricted read access to all stored credentials, certificates, and configuration data on the system.
- Attacker can modify or overwrite any file on the host, including SD-WAN Manager configuration databases and authentication stores.
- Attacker can push arbitrary configuration changes to managed edge devices across the SD-WAN fabric, as Cisco has observed in limited real-world cases.
- Attacker can crash or disable the SD-WAN Manager service, severing centralized management and visibility for the entire SD-WAN deployment.
How HarborGuard Handles This
Available on HarborGuard: because Cisco has not yet published a fixed version, HarborGuard monitors the advisory on every ingest cycle and will surface a patched-image rebuild the moment upstream ships a fix. For customers who opt into auto-remediation, the rebuild, regression test run, and PR against affected workloads will follow automatically where compliance policy permits. In the interim, HarborGuard recommends applying compensating controls to any image running an affected version: restrict CLI access to the SD-WAN Manager to the minimum set of required accounts, enforce network-policy isolation so that the management interface is reachable only from trusted jump hosts, and audit netadmin account membership for unauthorized additions. Edge device configurations should be verified against known-good baselines, as Cisco has noted observed cases of configuration drift resulting from exploitation of this bug.
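The last recommendation above, verifying edge device configurations against known-good baselines, is the kind of check that is easy to get wrong if volatile lines (timestamps, comments) are counted as drift. The script below is an added example, not HarborGuard's or Cisco's own tooling: it normalizes each device's configuration text, diffs it against a stored baseline, and flags drifted statements that touch authentication, users or policy for review first. The device names, baseline and snapshot text are constructed, and the configuration syntax is only illustrative rather than real Cisco SD-WAN configuration.

```python
"""Configuration drift check for SD-WAN edge devices (added example).

Compares each device's current configuration against a known-good baseline
and reports added/removed statements, prioritizing security-sensitive ones.
All device names and configuration text below are constructed sample data
and the syntax is illustrative, not a real Cisco SD-WAN configuration.
"""
import difflib
import re
from typing import Dict, List

# Lines that legitimately change between snapshots and must not count as drift.
VOLATILE_PATTERNS = [
    re.compile(r"^!\s*Last configuration change at .*$"),
    re.compile(r"^!\s*Time:.*$"),
]

# Drifted statements matching these keywords get surfaced for review first
# (assumed list of sensitive areas; extend to match your own config schema).
SENSITIVE = re.compile(r"\b(user|password|secret|aaa|access-list|policy|tunnel|vpn)\b", re.I)


def normalize(config: str) -> List[str]:
    """Drop blank lines, comment lines ('!') and known-volatile lines so that
    only meaningful configuration statements are compared. Indentation is
    kept because it carries the hierarchy (interface vs. system context)."""
    lines: List[str] = []
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        if any(p.match(line) for p in VOLATILE_PATTERNS):
            continue
        if line.lstrip().startswith("!"):
            continue
        lines.append(line)
    return lines


def drift(baseline: str, current: str) -> Dict[str, List[str]]:
    """Return statements present only in the current config ('added'), only
    in the baseline ('removed'), and the subset of both that look
    security-relevant ('review_first'). An ordered diff is used rather than
    set comparison so repeated lines such as 'no shutdown' under different
    interfaces are attributed correctly."""
    base_lines = normalize(baseline)
    cur_lines = normalize(current)
    added: List[str] = []
    removed: List[str] = []
    matcher = difflib.SequenceMatcher(a=base_lines, b=cur_lines, autojunk=False)
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag in ("replace", "delete"):
            removed.extend(base_lines[i1:i2])
        if tag in ("replace", "insert"):
            added.extend(cur_lines[j1:j2])
    review_first = [line for line in added + removed if SENSITIVE.search(line)]
    return {"added": added, "removed": removed, "review_first": review_first}


def audit_fleet(baselines: Dict[str, str], snapshots: Dict[str, str]) -> Dict[str, Dict[str, List[str]]]:
    """Run drift() for every device snapshot. Devices with no baseline on
    file are reported with a warning; devices with no drift are omitted."""
    report: Dict[str, Dict[str, List[str]]] = {}
    for device, current in snapshots.items():
        if device not in baselines:
            report[device] = {"added": [], "removed": [], "review_first": [],
                              "warnings": ["no baseline on file"]}
            continue
        result = drift(baselines[device], current)
        if result["added"] or result["removed"]:
            report[device] = result
    return report


# --- constructed sample data -------------------------------------------------
BASELINE_EDGE1 = """! Last configuration change at 2026-05-01 10:00
system
 host-name edge1
 site-id 100
!
vpn 0
 interface ge0/0
  ip address 10.0.0.2/24
  no shutdown
!
"""

# Same device after an unauthorized push: a new local user and a new interface.
CURRENT_EDGE1 = """! Last configuration change at 2026-05-15 03:12
system
 host-name edge1
 site-id 100
 aaa
  user svc-unknown
   password $6$constructed
!
vpn 0
 interface ge0/0
  ip address 10.0.0.2/24
  no shutdown
 interface ge0/1
  ip address 192.0.2.1/24
  no shutdown
!
"""

BASELINES = {"edge1": BASELINE_EDGE1, "edge3": BASELINE_EDGE1}
SNAPSHOTS = {
    "edge1": CURRENT_EDGE1,
    "edge2": CURRENT_EDGE1,  # no baseline stored for this device
    "edge3": BASELINE_EDGE1.replace("2026-05-01 10:00", "2026-05-20 08:00"),  # timestamp only
}

if __name__ == "__main__":
    for device, result in audit_fleet(BASELINES, SNAPSHOTS).items():
        print(device, result)
```

Running the block reports edge1 with six added statements, three of which (the `aaa` block and its user/password lines) are listed under `review_first`; edge2 is flagged as lacking a baseline; edge3 is omitted because only the volatile timestamp comment changed.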
Affected Products
- Cisco / Cisco Catalyst SD-WAN Manager: 20.1.12 · 19.2.1 · 18.4.4 · 18.4.5 · 20.1.1.1 · 20.1.1
CVSS v3.1 vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H