INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
Cisco Catalyst SD-WAN Manager Exploit Code Found
2026-06-06 04:19 | CRITICAL | HIGH
Executive Summary AI-generated
The situation with Cisco's SD-WAN software has become increasingly critical, with multiple vulnerabilities being exploited in the wild. The most recent and severe of these is CVE-2026-20245, which affects On-Prem Deployment, Cisco SD-WAN Cloud-Pro, Cisco SD-WAN Cloud (Cisco Managed), and Cisco SD-WAN for Government (FedRAMP). This vulnerability has been linked to authentication bypasses that could enable unauthorized access to administrative privileges on susceptible systems. The threat activity cluster dubbed UAT-8616 is also associated with the abuse of CVE-2026-20127, another case of authentication bypass impacting the same component. As a result, customers are advised to upgrade their SD-WAN software and apply fixes for CVE-2026-20182 by May 14, 2026.
Technical Mitigations AI-generated
* Implement secure file uploads: Ensure that all file uploads to the SD-WAN system, including those from users and administrators, follow a secure protocol such as HTTPS or SFTP. This can be achieved by validating user-supplied input before storing it on the server.
* Use Content Security Policy (CSP): Implement CSP to restrict which sources of content are allowed in web pages that your SD-WAN system will serve. This can help prevent attackers from injecting malicious scripts into the system.
* Regularly update and patch software: Ensure that all SD-WAN components, including Catalyst SD-WAN Manager, Unified Communications Manager, and other affected systems, receive regular security patches to fix known vulnerabilities like CVE-2026-20245.
* Implement network segmentation: Segment your network to isolate sensitive data and systems from the rest of the network. This can help prevent attackers from exploiting a vulnerability in one system by compromising another.
* Monitor for suspicious activity: Continuously monitor logs and other indicators of compromise (IoCs) for signs of exploitation or unauthorized access to SD-WAN systems.
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
CVE-2026-20230
CVE-2026-20133
CVE-2026-20127
CVE-2026-20128
CVE-2026-20045
CVE-2025-20309
CVE-2026-20182
CVE-2022-20775
CVE-2026-20245
CVE-2024-20253
CVE-2026-20122
Target & Sectors
Global Scope
government
Incident Timeline
2026/05/07
Threat actors used a previously unknown vulnerability (CVE-2026-20182) in Cisco Catalyst SD-WAN Manager to target systems.
vulnerability
CVE-2026-20182
CVE-2026-20182 (CVSS score: 10.0) was disclosed last month by Rapid7, describing it as an authentication bypass that could enable unauthenticated, remote attackers to obtain administrative privileges on susceptible systems.
May 14, 2026
Threat actors actively exploited CVE-2026-20182, a vulnerability in Cisco Catalyst SD-WAN Manager.
vulnerability
CVE-2026-20182
Customers are recommended to upgrade their SD-WAN software to ensure they have applied the fixes released for CVE-2026-20182 on May 14, 2026.
organisation
Cisco SD-WAN
ZTP upload chassis numbers: /usr/bin/vconfd_script_upload_chassis_number_file.sh -cli path /home/admin/chassis_numbers_safe.csv
CVE-2026-20245 is the seventh flaw impacting Cisco SD-WAN to be flagged as actively exploited this year alone after CVE-2026-20182, CVE-2026-20127, CVE-2026-20122, CVE-2026-20128, CVE-2026-20133, and CVE-2022-20775.
data_breach
5 vsmart_serial_numbers_safe.csv Jun
vSmart upload serial numbers: /usr/bin/vconfd_script_upload_vsmart_serial_numbers.sh -cli path /home/admin/vsmart_serial_numbers_safe.csv
Jun 5 13:08:47 Validator vScript:
organisation
Unified Communications
The disclosure comes days after Cisco addressed another high-severity security flaw in Unified Communications Manager (CVE-2026-20230, CVSS score: 8.6), for which it said a proof-of-concept exploit code is public.
Jun 04, 2026
Threat actors exploited CVE-2026-20245 in Cisco Catalyst SD-WAN Manager to gain unauthorized access.
Jun 06, 2026
Threat actors exploited CVE-2026-20245 in the Cisco Catalyst SD-WAN Manager, using it to target On-Prem Deployment and Cisco SD-WAN Cloud-Pro.
organisation
CVSS
The vulnerability, tracked as CVE-2026-20245, carries a CVSS score of 7.8 out of a maximum of 10.0.
organisation
CLI
"A vulnerability in the CLI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an authenticated, local attacker to execute arbitrary commands as root by supplying a crafted file to the affected system," Cisco said in an advisory.
organisation
Google Mandiant
It credited Google Mandiant researchers Chester Sng, Pete Boonyakarn, and Logeswaran Nadarajan with discovering and reporting the new vulnerability.
2026/06/06
Cisco Catalyst SD-WAN Manager CVE-2026-20245 Flaw Actively Exploited – No Patch Available.
organisation
CVSS
The CVSS base is 8.6: it scores the file write (an integrity-only impact, no confidentiality or availability loss) but not the root escalation that follows.
organisation
Cisco Patches CVE-2026-20230
Cisco Patches CVE-2026-20230 in Unified CM as Exploit Code Goes Public.
organisation
Unified CM
Cisco has addressed a high-severity vulnerability, tracked as CVE-2026-20230, affecting Unified CM and Unified CM SME.
Over the past several years, the company also removed a Unified CM backdoor account that allowed remote attackers to log in to unpatched devices with root privileges, and patched another flaw (CVE-2024-20253) that enabled threat actors to gain root access to vulnerable systems.
organisation
Product Security Incident Response Team
Cisco's Product Security Incident Response Team (PSIRT) is aware of publicly available proof-of-concept exploit code for CVE-2026-20230, but has yet to find evidence of active exploitation or targeting.
organisation
COP
While there are no workarounds to mitigate this vulnerability, and it's highly recommended to install Cisco Unified CM versions 14SU6 or 15SU5 (Sep 2026 or COP), administrators can also disable the WebDialer service until a patch is applied to block any incoming CVE-2026-20230 attacks.
Below are the fixed releases:
Cisco Unified CM and Unified CM SME Release | First Fixed Release
14 | 14SU6
15 | 15SU5 (Sep 2026) or COP
The company confirms that PoC exploit code for the vulnerability is publicly available.
organisation
Unified Communications
Swati Khandelwal
Jun 04, 2026
Vulnerability / Network Security
Cisco has patched a bug in Unified Communications Manager that lets an unauthenticated attacker on the network write files to the box and, from there, climb to root.
Cisco has released security updates to patch a critical-severity Unified Communications Manager (Unified CM) flaw that allows attackers to gain root privileges.
Ravie Lakshmanan
Jun 06, 2026
Vulnerability / Network Security
Cisco has warned that a high-severity security flaw impacting Catalyst SD-WAN Manager has come under active exploitation.
organisation
SSH
Last July, Cisco pulled a hard-coded root SSH account left in from development (CVE-2025-20309, CVSS 10).
organisation
PoC
The PoC shortens that runway.
Cisco warns of critical Unified CM flaw with PoC exploit code.
organisation
Session Management Edition
Unified CM and its Session Management Edition fail to validate certain HTTP requests properly, so a crafted request can push the server into writing arbitrary files onto the underlying OS.
organisation
Cisco
Cisco says they can be used later to escalate to root, the top privilege on the system.
organisation
Critical
Cisco rated the advisory Critical anyway, since the end state is full root.
organisation
WebDialer
There is one mitigating factor: the flaw only works when the WebDialer service is running, and WebDialer ships off by default.
However, the risk depends on configuration: the vulnerability can only be exploited if the WebDialer service is enabled, which is disabled by default on affected systems.
Luckily, the vulnerability only impacts systems where the WebDialer service is enabled, and WebDialer is disabled by default.
organisation
Cisco Unified CM Administration
To check, open Cisco Unified CM Administration and switch to Cisco Unified Serviceability.
organisation
Tools > Control Center - Feature Services
Under Tools > Control Center - Feature Services, look at the Cisco WebDialer Web Service status in the CTI Services section.
Administrators can do this through the Unified CM Administration interface by going to Unified Serviceability, opening Service Activation under Tools, and unchecking the WebDialer Web Service option in the CTI Services section before saving the changes.
organisation
Cisco Unified CM
Cisco Unified CM (formerly known as Cisco CallManager) serves as the central control system for Cisco IP telephony systems, handling device management, call routing, and telephony features.
organisation
SSD Secure Disclosure
An independent researcher working with SSD Secure Disclosure reported the bug.
organisation
Critical Cisco Unified
Critical Cisco Unified CM Bug Patched as Public Exploit Code Emerges.
organisation
PSIRT
However, the PSIRT is not aware of attacks in the wild exploiting this issue.
organisation
SecurityAffairs
“Cisco PSIRT is not aware of any malicious use of the vulnerability that is described in this advisory.”
Pierluigi Paganini (SecurityAffairs – hacking, Cisco)
organisation
SIR
"Cisco has assigned this security advisory a Security Impact Rating (SIR) of Critical rather than High as the score indicates.
organisation
the Cisco Unified CM Administration
To disable WebDialer, go through the following steps:
Log in to the Cisco Unified CM Administration interface.
September 2026
Threat actors exploited the Cisco Catalyst SD-WAN Manager CVE-2026-20245 flaw in a 15SU5 Service Update.
organisation
COP
For 15, the full Service Update (15SU5) is not due until September 2026, so until then, you are on the interim COP patch, or you turn WebDialer off (uncheck it under Tools > Service Activation and save).
Tactical Metrics
Metrics
data_breach
5
Vsmart_Serial_Numbers_Safe.Csv Jun
Metrics
victims
1
Company
Intelligence Sources
* The Hacker News, 2026-06-04
* Security Affairs, 2026-06-04: Critical Cisco Unified CM Bug Patched as Public Exploit Code Emerges
* BleepingComputer, 2026-06-04: Cisco warns of critical Unified CM flaw with PoC exploit code
* The Hacker News, 2026-06-06
Incident Version History
CURRENT VERSION
Last Updated: 2026-06-26T10:30
Comprehensive Tactical Telemetry
Highly Correlated Entities
40x | organisation | Identified Entity | Cisco Catalyst SD-WAN | entity
11x | vulnerability | Exploited CVE | CVE-2026-20245 | cve
8x | timeline | Temporal Reference | Jun 06, 2026 | date
2x | attribution | Attributing Entity | Cisco SD-WAN for Government | authority
2x | tactic | Cyber Operation Type | Ransomware | tactic
Contextual Telemetry
Context Block
16 METRICS
industry | Targeted Sector | Government | sector
vulnerability | CVSS Score | 8 | score
general metric | Apr | 15 | apr
general metric | Vpn | 0 | vpn
general metric | Jun | 5 | jun
data breach | Vsmart_Serial_Numbers_Safe.Csv Jun | 5 | vsmart_serial_numbers_safe.csv jun
general metric | Score | 9 | score
general metric | Jun | 6 | jun
general metric | Jun | 4 | jun
tactic | MITRE ATT&CK Technique | T1102 - Web Service | technique
general metric | Train | 14 | train
general metric | Cve-2026 | 20,230 | cve-2026
general metric | Sep | 2,026 | sep
victims | Company | 1 | company
general metric | Cisco Vulnerabilities | 91 | cisco vulnerabilities
general metric | % | 54 | %