Cisco SD-WAN Vulnerability Exploited in the Wild to Execute Arbitrary Commands as Root User
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
Cisco has disclosed a high-severity vulnerability in its Catalyst SD-WAN Manager<\/a> that is actively being exploited in the wild, allowing attackers to execute arbitrary commands with root privileges.<\/p>\n The issue, tracked as CVE-2026-20245, carries a CVSS score of 7.8 and stems from improper input validation in the system\u2019s command-line interface.<\/p>\n According to Cisco\u2019s advisory, the flaw stems from insufficient sanitization of user-supplied input during the processing of uploaded files.<\/p>\n An authenticated attacker can exploit this weakness by uploading a specially crafted file, which triggers command injection and enables privilege escalation to the root user<\/a>.<\/p>\n Once root access is obtained, attackers can fully compromise the SD-WAN management plane, manipulate configurations, and potentially impact connected edge devices. The attack requires netadmin-level privileges, meaning the threat is not directly exploitable by unauthenticated actors.<\/p>\n However, Cisco warns that attackers may chain this vulnerability with other known flaws, such as CVE-2026-20182<\/a> or CVE-2026-20127<\/a>, to gain the necessary access.<\/p>\n This significantly increases the risk in real-world environments where credential compromise or chained exploitation is feasible. Cisco\u2019s Product Security Incident Response Team (PSIRT) confirmed that the vulnerability has already been exploited in limited attacks.<\/p>\n In observed cases, threat actors used the flaw to push unauthorized configuration changes to SD-WAN edge devices. This suggests post-exploitation activity aimed at persistence, lateral movement, or traffic manipulation within enterprise networks.<\/p>\n The vulnerability affects all Cisco Catalyst SD-WAN Manager deployments, including on-premises, Cisco SD-WAN Cloud<\/a>, Cloud-Pro, and government (FedRAMP) deployments.<\/p>\n Systems exposed to the internet are considered at higher risk, especially if management interfaces are accessible externally. At the time of disclosure, Cisco had not released a software patch to address the issue, and no workarounds were available.<\/p>\n The company has advised customers to upgrade to a previously released fixed software version referenced in its May 2026 advisory. However, a dedicated fix for this specific vulnerability is still pending.<\/p>\n Cisco has provided guidance to help organizations detect potential compromise. Administrators are urged to review the scripts.log file located in \/var\/log\/ for suspicious entries.<\/p>\n One example is the execution of commands such as \u201c\/usr\/bin\/vconfd_script_upload_tenant_list.sh\u201d with unexpected file paths, such as malicious CSV uploads<\/a>.<\/p>\n However, Cisco notes that these log entries may also appear during legitimate operations, making careful analysis essential to avoid false positives.<\/p>\n To support incident response efforts, organizations are strongly advised to collect forensic data using the \u201crequest admin-tech\u201d command before applying any upgrades.<\/p>\n This ensures preservation of critical evidence that may help determine the extent of compromise. Cisco also recommends <\/a>reviewing device configurations and logs after upgrading, as patching alone may not remediate systems that have already been breached.<\/p>\n If indicators of compromise are identified, customers should engage Cisco TAC for guided remediation steps. Simply upgrading affected systems without addressing persistence mechanisms or unauthorized changes may leave networks exposed.<\/p>\n This vulnerability was reported by Mandiant, highlighting ongoing collaboration between vendors and threat intelligence teams in identifying active threats.<\/p>\n Given the active exploitation and lack of immediate fixes, organizations using Cisco SD-WAN should prioritize access control, monitoring, and log analysis to reduce risk while awaiting a permanent patch.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates.<\/strong><\/p>\n The post Cisco SD-WAN Vulnerability Exploited in the Wild to Execute Arbitrary Commands as Root User<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nCisco SD-WAN Vulnerability Exploit<\/strong><\/h2>\n