Cisco Catalyst SD-WAN CVE-2026-20245 Zero-Day Exploited with No Patch Available as UAT-8616 Targets Critical Infrastructure
Cisco disclosed CVE-2026-20245, a high-severity zero-day (CVSS 7.8) in Catalyst SD-WAN Manager with no patch available, enabling root-level code execution via command injection when chained with prior authentication bypass flaws CVE-2026-20127 and CVE-2026-20182, as threat actor UAT-8616 continues multi-year campaigns against telecom and utility operators.

Cisco has disclosed CVE-2026-20245, a high-severity zero-day vulnerability (CVSS 7.8) in the Cisco Catalyst SD-WAN Manager command-line interface that enables authenticated attackers with netadmin privileges to achieve root-level code execution through command injection. As of June 10, 2026, no patch is available for this vulnerability, making it the seventh actively exploited SD-WAN flaw disclosed this year and intensifying concerns about the security architecture of enterprise SD-WAN management planes.
The vulnerability stems from insufficient input validation in the SD-WAN Manager CLI, allowing an attacker to upload a crafted file that executes arbitrary commands as the root user. While exploitation requires netadmin privileges, security researchers at the Cloud Security Alliance have demonstrated that this prerequisite is not a significant barrier: prior unauthenticated authentication bypass vulnerabilities CVE-2026-20127 and CVE-2026-20182 can be chained to obtain the necessary credentials, creating a complete exploitation path from unauthenticated network access to full root control of the SD-WAN management plane.
The scope of CVE-2026-20245 is particularly broad, affecting all deployment models including on-premises installations, Cisco SD-WAN Cloud-Pro, Cisco-managed cloud environments, and FedRAMP-authorized government deployments. This cross-deployment impact means that organizations cannot mitigate risk simply by choosing a specific hosting model—all Cisco Catalyst SD-WAN Manager deployments require immediate defensive action regardless of their infrastructure architecture.
Cisco Talos has attributed the primary exploitation campaign to UAT-8616, a sophisticated threat actor active in Cisco SD-WAN environments since at least 2023. The group is characterized by multi-year dwell times, surgical targeting of critical infrastructure sectors including telecommunications and utilities, and extensive log sanitization designed to evade forensic detection. Following the public release of proof-of-concept code for earlier SD-WAN vulnerabilities, at least ten additional threat clusters have been observed conducting opportunistic exploitation, widening the threat landscape beyond the targeted UAT-8616 campaigns to a larger pool of less capable but far more numerous opportunistic attackers.
In the absence of a patch, Cisco has advised customers to apply previously released fixes for CVE-2026-20182 (issued May 14, 2026) as a primary defensive measure. Security teams should immediately run the `request admin-tech` command to capture diagnostic data before any software updates, as this information may be overwritten during patching. Log review should focus on `/var/log/scripts.log` for suspicious entries involving `vconfd_script_upload_tenant_list.sh` or other script uploads referencing files in `/home/admin/`. Network hardening measures include isolating the Manager's management interface (VPN 512) into a dedicated internal VLAN, restricting CLI and web access to authorized jump hosts, and auditing all SSH keys in the `vmanage-admin` account to remove unauthorized persistent access.
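The log review and SSH key audit described above can be scripted for triage of an `admin-tech` bundle. The following Python helper is an added example, not Cisco's tooling or code from the original article: it flags `scripts.log` entries that mention `vconfd_script_upload_tenant_list.sh` or that describe a script upload referencing a file under `/home/admin/`, and it lists `authorized_keys` entries for the `vmanage-admin` account that are not on a defender-maintained allowlist. The sample log lines and key entries are constructed for the example, and the line layout assumed for `scripts.log` is an assumption; adapt the matching to the real entries in your own bundle.

```python
"""Triage helpers for the CVE-2026-20245 log review and SSH key audit.

Added example; not Cisco's tooling. The scripts.log line layout and all
sample data below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass

# Indicators named in the advisory guidance.
SUSPECT_SCRIPT = "vconfd_script_upload_tenant_list.sh"
SUSPECT_DIR = "/home/admin/"


@dataclass
class Finding:
    line_no: int
    reason: str
    text: str


def classify(line: str) -> str | None:
    """Return a reason string if a scripts.log line matches an indicator."""
    if SUSPECT_SCRIPT in line:
        return f"mentions {SUSPECT_SCRIPT}"
    # "Other script uploads referencing files in /home/admin/": we treat any
    # line that mentions an upload and a path under the admin home as suspect.
    if "upload" in line.lower() and SUSPECT_DIR in line:
        return f"script upload referencing a file under {SUSPECT_DIR}"
    return None


def scan_scripts_log(text: str) -> list[Finding]:
    """Scan the full text of scripts.log and return the suspicious entries."""
    findings: list[Finding] = []
    for n, line in enumerate(text.splitlines(), start=1):
        reason = classify(line)
        if reason:
            findings.append(Finding(n, reason, line.strip()))
    return findings


def audit_authorized_keys(content: str, expected: set[str]) -> list[str]:
    """Return "type blob" entries from an authorized_keys file that are not
    in the allowlist. Malformed entries are returned verbatim for review.
    Options with embedded whitespace (e.g. command="a b") are not parsed."""
    unexpected: list[str] = []
    for raw in content.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # Entries may carry leading options such as from="..."; the key
        # type is the first field starting with a known key-type prefix.
        idx = next(
            (i for i, f in enumerate(fields)
             if f.startswith(("ssh-", "ecdsa-", "sk-"))),
            None,
        )
        if idx is None or idx + 1 >= len(fields):
            unexpected.append(line)
            continue
        key = f"{fields[idx]} {fields[idx + 1]}"
        if key not in expected:
            unexpected.append(key)
    return unexpected


# Constructed sample data (assumed layout: "<date> <time> <script>: <message>").
SAMPLE_SCRIPTS_LOG = """\
2026-06-09 02:13:41 vconfd_script_backup.sh: backup completed for tenant default
2026-06-09 02:14:07 vconfd_script_upload_tenant_list.sh: executing /home/admin/tenant_list.txt
2026-06-09 02:14:09 vconfd_script_upload_cert.sh: uploading /home/admin/.cache/x.sh
2026-06-09 02:20:00 vconfd_script_upload_cert.sh: uploading /usr/share/viptela/cert.pem
2026-06-09 03:00:00 cron: log rotation done
"""

# Constructed authorized_keys content; the blobs are placeholders, not real keys.
SAMPLE_AUTHORIZED_KEYS = """\
# vmanage-admin authorized_keys (constructed sample)
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI-CONSTRUCTED-JUMPHOST jumphost01
from="10.0.0.5" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI-CONSTRUCTED-BACKUP backup-automation
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC-CONSTRUCTED-UNKNOWN
"""

# Defender-maintained allowlist of the keys that are supposed to be present.
EXPECTED_KEYS = {
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI-CONSTRUCTED-JUMPHOST",
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI-CONSTRUCTED-BACKUP",
}


if __name__ == "__main__":
    for f in scan_scripts_log(SAMPLE_SCRIPTS_LOG):
        print(f"scripts.log:{f.line_no}: {f.reason}\n    {f.text}")
    for key in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, EXPECTED_KEYS):
        print(f"unexpected authorized_keys entry: {key}")
```

Run against the real files, the script reads `/var/log/scripts.log` and the `vmanage-admin` user's `authorized_keys` from the admin-tech bundle rather than the embedded samples; any unexpected key is a candidate for removal once its owner has been confirmed, and any flagged log line is a starting point for timeline reconstruction, bearing in mind that UAT-8616 is known to sanitize logs, so an absence of hits is not evidence of absence.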
The broader pattern of seven actively exploited SD-WAN vulnerabilities in 2026 alone has prompted organizations to conduct architectural reassessments of their Zero Trust models and the security of automated network orchestration tools. The SD-WAN management plane—which provides centralized control over distributed network infrastructure—represents a high-value target because compromising it can provide attackers with visibility into and control over an organization's entire wide-area network topology. Security architects are increasingly recommending that SD-WAN management interfaces be treated as critical infrastructure requiring the same level of protection as core identity systems and financial platforms.
Source Attribution
Source: The Hacker News / Bleeping Computer / The Register / Cloud Security Alliance
Author: CloudStack Networks Editorial
Article curated and published by CloudStack Networks