INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
ATTENTION: This report is based on previous data. New intelligence sources have been linked and the Executive Summary and Mitigations need to be re-synthesized.
Cisco SD-WAN Zero-Day Exploited in Attacks
2026-06-16 10:53 | CRITICAL HIGH
Executive Summary AI-generated
The vulnerability, CVE-2026-20182 or CVE-2026-20127, has been identified in Cisco SD-WANs and firewalls as a pair of zero-days that could allow attackers to gain access to the system. This is not the first time this vulnerability has been disclosed, with seven other vulnerabilities affecting similar products also being added to known exploited vulnerabilities catalogs by the Cybersecurity and Infrastructure Security Agency (CISA) in 2026. The latest disclosure from Cisco warns customers of a privilege escalation flaw that can lead to root-level problems without an available patch or workaround.
Technical Mitigations AI-generated
* Implement input validation and sanitization: Ensure that user-supplied data is validated, sanitized, and properly filtered to prevent malicious inputs from being executed on the system.
* Use secure file upload mechanisms: Implement secure file upload mechanisms, such as HTTPS or SFTP, to prevent attackers from uploading crafted files that can be used for command injection attacks.
* Regularly update software and firmware: Keep Cisco SD-WAN management software and firmware up to date with the latest security patches and updates to ensure that known vulnerabilities are addressed before they can be exploited by attackers.
* Implement access controls and authentication mechanisms: Ensure that only authorized users have netadmin privileges on affected systems, and implement additional access control measures such as multi-factor authentication or role-based access control (RBAC) to limit the damage in case of a successful exploit.
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
CVE-2026-20245
CVE-2026-20128
CVE-2026-20127
CVE-2026-20133
CVE-2026-20182
CVE-2022-20775
CVE-2026-20262
CVE-2026-20122
Target & Sectors
Global Scope
government
Incident Timeline
2026/05/06
Threat actors exploited a previously unknown vulnerability in Cisco's Catalyst SD-WAN Controllers to gain administrative privileges on unpatched devices.
vulnerability
CVE-2026-20182
Security patches not yet available
Last month, Cisco also tagged a maximum severity Catalyst SD-WAN Controller authentication bypass flaw (CVE-2026-20182) as actively exploited as a zero-day to gain administrative privileges on unpatched devices.
May 14
Threat actors exploited a zero-day vulnerability in Cisco's SD-WAN software, targeting systems with the CVE-2026-20182 patch.
organisation
CVE-2026-20245
While Cisco has not yet released patches for CVE-2026-20245, it advised customers to upgrade to the software fixed for CVE-2026-20182 on May 14.
2026/06/09
Cisco SD-WAN Manager is vulnerable to exploitation of a pair of zero-days, CVE-2026-20182 and CVE-2026-20127.
organisation
VulnCheck
The company said it is “not aware of successful exploitation by other means,” adding that it “observed limited cases where the exploitation of this bug resulted in a configuration change pushed to edge devices.”
Landon Rice, senior exploit developer at VulnCheck, said the need for existing privileges “makes an attacker heavily reliant on previous vulnerabilities, or a net-new initial access vector, in order to be able to reach the privilege escalation path.”
organisation
CVE-2026-20245
Cisco warns of a privilege escalation flaw, tracked as CVE-2026-20245 (CVSS base score of 7.8), in Cisco Catalyst SD-WAN Manager, the platform formerly known as SD-WAN vManage.
organisation
SD-WAN vManage
Formerly known as SD-WAN vManage, this network management software helps admins monitor and manage up to 6,000 Catalyst SD-WAN devices from a single dashboard.
organisation
the Cisco Catalyst SD-WAN
On Thursday, Cisco warned of a high-severity, unpatched zero-day in the Cisco Catalyst SD-WAN Manager (tracked as CVE-2026-20245) actively exploited in attacks enabling root privilege escalation.
The validation error defect affecting the Cisco Catalyst SD-WAN Manager allows authenticated or local attackers to execute commands as root, resulting in command-injection attacks on an affected system, the company said.
organisation
Cisco SD-WANs
The Cybersecurity and Infrastructure Security Agency has added seven vulnerabilities affecting Cisco SD-WANs and firewalls to its known exploited vulnerabilities catalog this year, not including CVE-2026-20245, which has yet to be added to the catalog.
organisation
SD-WAN
Cisco SD-WAN Has a New Root-Level Problem, and There’s No Fix Yet
Cisco warns of CVE-2026-20245 in SD-WAN Manager, a flaw that can lead to root access via file upload command injection; no patch or workaround yet.
Cisco customers encounter another SD-WAN zero-day under attack.
Cisco warns of unpatched SD-WAN zero-day exploited in attacks.
organisation
Product Security Incident Response Team
Cisco's Product Security Incident Response Team (PSIRT) became aware of CVE-2026-20245 exploitation in June after Google Cloud cybersecurity subsidiary Mandiant reported the flaw but did not share any details.
organisation
Cisco
Cisco said exploitation of a pair of zero-days it disclosed earlier this year — CVE-2026-20182 or CVE-2026-20127 — could allow attackers the access required to exploit the new vulnerability.
In a Thursday advisory, Cisco said the issue stems from insufficient validation of user-supplied input, and it can allow local attackers with low privileges to execute arbitrary commands as root.
organisation
CVE-2022
Below are the flaws added to the catalog:
* CVE-2022-20775: Cisco Catalyst SD-WAN Path Traversal Vulnerability
* CVE-2026-20127: Cisco Catalyst SD-WAN Controller and Manager Authentication Bypass Vulnerability
Pierluigi Paganini (SecurityAffairs – hacking, Cisco SD-WAN)
organisation
Mandiant
The company disclosed the vulnerability, which was first spotted by Mandiant, on Thursday and warned that a security patch is not yet available and there are no workarounds to mitigate the defect in the meantime.
organisation
Cisco Technical Assistance Centers
The company encouraged customers that need help distinguishing between legitimate and malicious activity to contact Cisco Technical Assistance Centers.
organisation
vSmart
However, it shared indicators of compromise (IOCs) warning admins to check their SD-WAN /var/log/scripts.log file for attempts to upload tenant configuration data to vSmart controllers to escalate privileges through legitimate commands, as in the following example:
organisation
Cisco Catalyst SD-WAN
Apr 15 09:44:57 vmanage vScript: Tenant list upload per vsmart serial number: /usr/bin/vconfd_script_upload_tenant_list.sh -cli path /home/admin/malicious.csv vpn 0
"For help determining if a Cisco Catalyst SD-WAN Manager has been compromised, customers may open a case with the Cisco TAC," the company added, advising admins first to generate an admin-tech file to help with the review.
The vulnerability affects Cisco Catalyst SD-WAN Manager across all deployment models, including on-premises installations, Cisco SD-WAN Cloud-Pro, Cisco-managed cloud deployments, and FedRAMP environments.
organisation
the Cisco Technical Assistance Center
“In such cases, follow the specific remediation steps that will be provided by the Cisco Technical Assistance Center (TAC) to help secure the system.”
Tactical Metrics
Metrics
infrastructure
20.9.9
Software Version
Patches have been released to address the issue -
Cisco Catalyst SD-WAN Release 20.9.9.1 and earlier - Fixed in 20.9.9.2
Cisco Catalyst SD-WAN Release 20.12.7.1 and earlier - Fixed in 20.12.7.2
Cisco Catalyst SD-WAN Release 20.15.4.4 and earlier - Fixed in 20.15.4.5
Cisco Catalyst SD-WAN Release 20.15.5.2 and earlier - Fixed in 20.15.5.3
Cisco Catalyst SD-WAN Release 20.18.3 - Fixed in 20.18.3.1
Cisco Catalyst SD-WAN Release 26.1.1.1 and earlier - Fixed in 26.1.1.2
Cisco said it "became aware of limited exploitation of this vulnerability" in June 2026, adding it was discovered during internal security testing.
| Cisco Catalyst SD-WAN Release | First Fixed Release |
| 20.9.9.1 and earlier | 20.9.9.2 |
| 20.12.7.1 and earlier | 20.12.7.2 |
| 20.15.4.4 and earlier | 20.15.4.5 |
| 20.15.5.2 and earlier | 20.15.5.3 |
| 20.18.3 | 20.18.3.1 |
| 26.1.1.1 and earlier | 26.1.1.2 |
Metrics
infrastructure
6,000
Wan Devices
Formerly known as SD-WAN vManage, this network management software allows admins to manage up to 6,000 SD-WAN devices from a single dashboard.
Intelligence Sources
* BleepingComputer, 2026-06-05: Cisco warns of unpatched SD-WAN zero-day exploited in attacks
* Security Affairs, 2026-06-05: Cisco SD-WAN Has a New Root-Level Problem, and There’s No Fix Yet
* CyberScoop, 2026-06-09
* BleepingComputer, 2026-06-15: Cisco fixes SD-WAN vManage flaw exploited in zero-day attacks
* The Hacker News, 2026-06-16
* Security Affairs, 2026-06-16
Incident Version History
CURRENT VERSION
Last Updated: 2026-06-17T05:45
Comprehensive Tactical Telemetry
Highly Correlated Entities
| Count | Category | Label | Value | Type |
| 38x | organisation | Identified Entity | CVE-2026 | entity |
| 12x | timeline | Temporal Reference | June 29, 2026 | date |
| 11x | attribution | Attributing Entity | the U.S. Cybersecurity and Infrastructure Security Agency | authority |
| 8x | vulnerability | Exploited CVE | CVE-2026-20262 | cve |
| 6x | infrastructure | Software Version | 20.9.9 | version |
| 2x | tactic | Cyber Operation Type | Privilege Escalation | tactic |
| 2x | general metric | Cisco Vulnerabilities | 91 | cisco vulnerabilities |
| 2x | general metric | % | 54 | % |
Contextual Telemetry
Context Block
8 METRICS
| Category | Label | Value | Type |
| vulnerability | CVSS Score | 6 | score |
| tactic | MITRE ATT&CK Technique | T1588.006 - Vulnerabilities | technique |
| industry | Targeted Sector | Government | sector |
| general metric | Jun | 16 | jun |
| infrastructure | Wan Devices | 6,000 | wan devices |
| general metric | Catalyst Cisco Catalyst Sd Wan Controller | 20,775 | catalyst cisco catalyst sd wan controller |
| general metric | Apr | 15 | apr |
| general metric | Vpn | 0 | vpn |