External risk intelligence

Cisco Catalyst SD-WAN Manager Local Privilege Escalation Vulnerability.

CVE advisory
Known Exploit

CVE-2026-20245

A vulnerability in Cisco Catalyst SD-WAN Manager's CLI could allow an authenticated, local attacker to run commands as root by providing a malicious file. This could lead to command injection and privilege escalation on the affected system. The issue is due to insufficient input validation and requires netadmin privile

Halo Surface Signal: 1

Command Injection

Cisco Catalyst SD-WAN Manager

Affected versions

  • before 20.9.9.1
  • 20.10 to before 20.12.5.4
  • 20.12.6 to before 20.12.6.2
  • 20.13 to before 20.15.4.4
  • 20.15.5 to before 20.15.5.2
  • 20.16 to before 20.18.2.2
  • 26.1 to before 26.1.1.1
  • 20.12.7

External exposure likelihood

Halo Surface Signal score for CVE-2026-20245

The vulnerability requires an authenticated, local attacker with netadmin privileges to execute commands. It is restricted to the command-line interface and requires the ability to upload a crafted file to the system, which is not a public-internet-facing or remotely exploitable network vector.

PCI scan relevance

PCI Relevance for CVE-2026-20245

Yes

CVE-2026-20245 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This command injection vulnerability in Cisco Catalyst SD-WAN Manager allows an authenticated attacker to execute arbitrary commands as root, which can lead to a full system compromise.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability has been identified in Cisco Catalyst SD-WAN Manager that could allow an authenticated, local user with administrative privileges to execute arbitrary commands as root. This issue stems from insufficient validation of user-supplied input, potentially leading to command injection and privilege escalation. While an attacker needs initial access and specific privileges, observed exploitation has resulted in configuration changes to edge devices.

  • Local users with admin rights can run commands as root.
  • It allows deeper control over network configurations.
  • Confirm whether any affected system is in use and relevant to your operations.

Attack Path

How an attacker could exploit the issue

An attacker with administrative privileges on a Cisco Catalyst SD-WAN Manager can upload a specially crafted file to the system. This file exploits a weakness in how the system handles user input, allowing the attacker to inject and run their own commands with root-level access, potentially leading to unauthorized changes on edge devices.

  • Requires netadmin privileges to initiate.
  • Triggered by uploading a crafted file.
  • Enables command injection and privilege escalation.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an authenticated local attacker with netadmin privileges to execute arbitrary commands as the root user by uploading a crafted file to the system. This could result in configuration changes being pushed to edge devices.

  • Arbitrary system command execution as root and resulting configuration changes.
  • Uploading a crafted file to the system.
  • Unauthorized configuration changes pushed to edge devices.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability affects Cisco Catalyst SD-WAN Manager and requires local administrative access for exploitation. Action should be coordinated between the platform or infrastructure team responsible for the SD-WAN Manager and the security team. The first practical step involves identifying all instances of the affected system, confirming their business criticality and network exposure, and then planning remediation based on risk, potentially coordinating with Cisco for software updates.

  • Platform/Infrastructure teams own remediation.
  • Verify system criticality and network exposure.
  • Coordinate software upgrades with Cisco.
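The inventory step above is easier to do consistently with a small version-triage helper. The following is an added example written for this page, not Halo or Cisco code. It encodes the affected version ranges as listed on this page (the run-together version line is split at each version boundary, which is an assumption about that line's layout), compares builds as dotted numeric tuples, and treats the lone "20.12.7" entry as that exact build. A result of "not listed" means the build does not fall in any listed range, not that it is confirmed fixed; confirm unlisted builds against Cisco's advisory. The hostnames and builds in the sample inventory are constructed for the example.

```python
"""Triage helper: does a Cisco Catalyst SD-WAN Manager build fall inside the
affected version ranges listed for CVE-2026-20245?

Added example for this page; not Halo or Cisco code. Assumes versions compare
as dotted numeric tuples (so "20.12.5" sorts before "20.12.5.4") and that the
lone "20.12.7" entry denotes exactly that build.
"""

# Affected ranges as listed on the page: (inclusive lower bound or None, exclusive upper bound).
AFFECTED_RANGES = [
    (None, "20.9.9.1"),
    ("20.10", "20.12.5.4"),
    ("20.12.6", "20.12.6.2"),
    ("20.13", "20.15.4.4"),
    ("20.15.5", "20.15.5.2"),
    ("20.16", "20.18.2.2"),
    ("26.1", "26.1.1.1"),
]

# Single build listed without a range; assumed (not stated on the page) to mean this exact version.
AFFECTED_EXACT = {"20.12.7"}


def parse_version(version: str) -> tuple:
    """Turn '20.12.5.4' into (20, 12, 5, 4); reject anything that is not dotted digits."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> bool:
    """True if the build is an exact listed version or falls inside a listed range."""
    v = parse_version(version)
    if any(v == parse_version(exact) for exact in AFFECTED_EXACT):
        return True
    for low, high in AFFECTED_RANGES:
        lower_ok = low is None or parse_version(low) <= v
        if lower_ok and v < parse_version(high):
            return True
    return False


def triage(inventory: dict) -> dict:
    """Map hostname -> build string to hostname -> 'affected' / 'not listed' / 'unknown'.

    'not listed' is not a fixed-status claim; unlisted builds still need checking
    against the vendor advisory.
    """
    results = {}
    for host, build in inventory.items():
        try:
            results[host] = "affected" if is_affected(build) else "not listed"
        except ValueError:
            results[host] = "unknown"
    return results


# Constructed sample inventory: hostnames and builds are made up for this example.
SAMPLE_INVENTORY = {
    "sdwan-mgr-01": "20.12.5.3",   # inside 20.10 to before 20.12.5.4
    "sdwan-mgr-02": "20.12.5.4",   # first build outside that range
    "sdwan-mgr-03": "20.12.7",     # listed as a single affected build
    "sdwan-mgr-04": "20.18.2.2",   # first build outside 20.16 to before 20.18.2.2
    "sdwan-lab": "n/a",            # not a parseable version
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Run it against the version strings collected from each Manager instance; anything reported as "affected" or "unknown" goes to the platform team for the upgrade plan, and "not listed" builds are cross-checked with the vendor advisory before being closed out.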

Frequently asked questions

What is Cisco Catalyst SD-WAN Manager?

Formerly known as vManage, this software acts as the centralized control plane for Cisco's software-defined wide area networking solutions. It provides the management interface that network administrators use to monitor, configure, and automate the policies that govern how traffic flows across a corporate network of edge devices.

How does CVE-2026-20245 lead to privilege escalation?

This vulnerability is classified as CWE-116, which involves improper encoding or escaping of input. Because the system fails to sufficiently validate files uploaded through the command-line interface, an attacker can inject and execute unauthorized system commands. This effectively tricks the software into granting the attacker root-level privileges, bypassing standard permission controls.

Do I need to worry if I am not an administrator?

The bug cannot be triggered by a standard user or an unauthenticated person on the network. A successful attack requires the user to already possess 'netadmin' privileges on the system. It is not triggered by typical network traffic or normal system operations, as it specifically requires the manual upload of a maliciously crafted file.

Is this vulnerability a risk for my internet-facing systems?

According to Halo Surface Signal, this is considered an internal risk. Because the exploit requires local authenticated access and specific administrative rights to the command-line interface, it is not remotely exploitable via the public internet. The danger is concentrated on users who already have authorized, privileged access to the management system.

What should I do if my team runs this software?

First, conduct an inventory to identify all active instances of Cisco Catalyst SD-WAN Manager. Once mapped, coordinate with your infrastructure team to review vendor guidance on software updates. Additionally, perform an audit of edge device configurations to ensure no unauthorized changes have occurred, as this flaw could be used to push malicious settings to the network.

References