CVE-2026-20245 · CWE-116 · Disclosed 2026-06-04

A vulnerability in the CLI of Cisco Catalyst SD-WAN Manager

ASSESSED — NOISGATE V0.5
01 · The Real Story

This is a master-key flaw behind the staff door, not a broken lock on the street

Based on the supplied intel, CVE-2026-20245 is a Cisco Catalyst SD-WAN Manager CLI privilege-escalation issue: a low-privilege user with local CLI access can abuse flawed input handling and end up executing with root privileges on the manager appliance. That matters because SD-WAN Manager is a control-plane system with access to configs, credentials, certificates, and downstream device orchestration. I could not confirm a public Cisco advisory or CVE record for this exact ID in current public lookups, so affected version ranges and fixed releases remain unconfirmed from public sources.

Cisco's HIGH 7.8 score is technically consistent with the CVSS vector, but it overstates operational urgency for most enterprises. AV:L/PR:L on a management appliance means the attacker already has a foothold, valid credentials, and CLI reachability to one of the most restricted systems in the estate; that's classic post-initial-access territory. The blast radius is real if exploited, but the reachable population is narrow enough that this lands as MEDIUM for patch-priority purposes.

"Root on vManage is serious, but this is still a post-compromise CLI bug, not an initial-access fire drill."
02 · The Attack Path

4 steps from start to impact.

STEP 01

Get onto the manager CLI

The attacker first needs a valid account that can reach the SD-WAN Manager CLI, typically over ssh or through a bastion. In practice this means stolen operator credentials, insider access, or compromise of an admin workstation or jump host.
Conditions required:
  • Valid low-privilege account on Cisco Catalyst SD-WAN Manager
  • CLI access enabled and reachable
  • Network path to the management plane or jump host
Where this breaks in practice:
  • Most enterprises restrict manager CLI access to a small admin group
  • PAM, MFA, and bastion enforcement often sit in front of SSH
  • This prerequisite already implies prior compromise or trusted-user abuse
Detection/coverage: Good coverage if SSH and PAM logs are centralized; identity telemetry should show the login, but not necessarily malicious intent.
STEP 02

Trigger the vulnerable CLI code path

Using native tooling such as ssh and the built-in CLI, the attacker submits crafted input to the affected command path. If the user-supplied metadata is accurate, the bug is in how the CLI neutralizes or validates input before handing it to privileged logic.
Conditions required:
  • The target release is vulnerable
  • The specific command path is exposed to the attacker's role
Where this breaks in practice:
  • RBAC may hide or block the exact command surface from some low-priv roles
  • Session recording or command auditing can deter noisy manual exploitation
  • A typo-level exploit path is easy in lab conditions but not always obvious in production
Detection/coverage: Weak scanner coverage for exact exploitability; command-history, TACACS/AAA accounting, or session-recording data is more useful than external vuln scanning.
STEP 03

Break privilege boundaries and land as root

Successful exploitation lets the attacker cross from a low-privileged CLI context into the underlying operating system's privileged context. At that point the issue stops being a CLI bug and becomes full appliance compromise.
Conditions required:
  • Exploit succeeds against the vulnerable parser or execution path
  • No additional hardening blocks root-level process execution
Where this breaks in practice:
  • Some appliances have command wrappers or restricted shells that reduce follow-on options
  • EDR coverage on network appliances is often weaker than on servers, but some environments add host monitoring
Detection/coverage: If process execution auditing exists on the appliance, this step is noisy; otherwise visibility is often poor.
STEP 04

Abuse control-plane trust

With root on SD-WAN Manager, the attacker can harvest secrets, alter templates, change policies, stage persistence, or push downstream changes across the fabric. The impact is high because this is a management node, not because the exploit itself is broadly reachable.
Conditions required:
  • Root access on the manager
  • Manager still trusted by downstream SD-WAN components
Where this breaks in practice:
  • Change-approval workflows and config-drift monitoring can expose malicious pushes
  • Out-of-band monitoring may catch abnormal policy or certificate changes
Detection/coverage: Best detected through config-drift alerts, AAA logs, certificate-change monitoring, and unusual template/policy deployment activity.
03 · Intelligence Metadata

The supporting signals.

Public record status: I did not find a public Cisco advisory, CVE.org entry, or NVD page for CVE-2026-20245 during this review. Assessment is anchored on the user-supplied metadata and comparison to Cisco's documented similar Manager CLI privesc issues such as CVE-2025-20122.
In-the-wild status: No public evidence found that this exact CVE is exploited in the wild. It is not KEV-listed per the supplied intel, and Cisco's recent public exploitation notices for SD-WAN have involved other CVEs, not this one.
Proof-of-concept availability: No public PoC located for this exact CVE. Comparable Cisco SD-WAN Manager CLI flaws show the pattern is feasible, but I found no weaponized repo or exploit write-up specifically for CVE-2026-20245.
EPSS: No public EPSS score was observed for this exact CVE in current public lookups. Treat EPSS as unavailable, not low.
KEV status: Not listed in the CISA Known Exploited Vulnerabilities Catalog.
CVSS vector readout: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H means exploitation is easy once you already have local authenticated access. That is a strong technical impact score with a major operational caveat.
Affected versions: Exact vulnerable release ranges are not publicly confirmed for this CVE from the sources I could verify. Comparable Manager CLI privesc issues have historically affected specific 20.x branches rather than every release.
Fixed versions: Exact fixed release is not publicly confirmed for this CVE. Do not assume the fix trains from prior advisories apply here without Cisco confirmation.
Exposure population: Internet exposure matters less here than with remote bugs because the chain starts at local/authenticated CLI. Still, VulnCheck reported hundreds to low-thousands of internet-exposed SD-WAN Manager instances overall, which amplifies risk if attackers can pair this with another initial-access flaw.
Disclosure / reporter: Supplied disclosure date: 2026-06-04. Reporting researcher or bug ID was not publicly confirmed in the sources I could verify.
04 · The Call

noisgate verdict.

Final Verdict
DOWNGRADED to MEDIUM (5.9/10)

The decisive factor is that this bug requires authenticated local CLI access on a tightly controlled management appliance. That means most real-world attacks only reach it after an initial compromise or insider misuse event, which is a major downward pressure on patch priority despite the high technical impact of landing as root.

MEDIUM Severity reassessment from the supplied CVSS vector and attack preconditions
LOW Exact affected/fixed version metadata for CVE-2026-20245

Why this verdict

  • Requires prior compromise: AV:L/PR:L on SD-WAN Manager means the attacker already has a foothold plus valid credentials on one of your most restricted systems. That is two stages past initial access, so I subtract meaningfully from Cisco's 7.8 baseline.
  • Reachable population is narrow: real enterprises do not expose Manager CLI to everyone; access is usually through bastions, PAM, or a small network-ops group. Each one of those controls compounds friction and cuts the practical attack pool.
  • Impact is still real: if exploited, root on SD-WAN Manager is not a toy outcome. The manager sits near configs, certificates, and downstream orchestration, so I am not pushing this into LOW.

Why not higher?

There is no evidence here of unauthenticated remote reachability, no public exploitation evidence for this exact CVE, and no KEV listing. A bug that starts with local authenticated CLI access on a management appliance is fundamentally different from the SD-WAN flaws that gave attackers first entry from the network.

Why not lower?

Root on the SD-WAN Manager can translate into policy tampering, secret theft, and broad downstream operational impact. Even though the exploit is post-compromise, the asset value and potential blast radius are too high to dismiss as backlog-only hygiene.

05 · Compensating Control

What to do — in priority order.

  1. Clamp CLI access to bastions only — Force all SD-WAN Manager CLI access through approved jump hosts, deny direct admin-subnet sprawl, and narrow the allowed source IPs and user groups. For a MEDIUM verdict there is no mitigation SLA — go straight to the 365-day remediation window, but this control is worth doing immediately because it directly attacks the main prerequisite.
  2. Shrink low-priv CLI entitlements — Remove read-only CLI access from users who only need the web UI or API, and review break-glass and shared operations accounts. Again, there is no mitigation SLA for MEDIUM; treat this as durable hardening while completing patching within the remediation window.
  3. Turn on session accountability — Enable AAA accounting, session recording where available, and external log retention for SSH/CLI activity to the manager. This will not prevent exploitation, but it raises the cost of insider misuse and gives you something to investigate if a low-priv account suddenly behaves like root.
What doesn't work
  • A WAF does not help; this is a CLI/local-auth flaw, not a web traffic problem.
  • Blocking general internet access alone is insufficient if the attacker can come through a jump host, VPN, or compromised admin workstation.
  • Version-only external scanning gives weak assurance because exploitability depends on local role + CLI reachability, not just an open port.
06 · Verification

Crowdsourced verification payload.

Run this on each Cisco Catalyst SD-WAN Manager appliance from a shell account that can read local release files; sudo is recommended. Save as check_vmanage_cve_2026_20245.sh and run sudo bash check_vmanage_cve_2026_20245.sh 20.12.5.4 where the argument is the vendor-confirmed fixed version for your branch; because the public fixed release for this CVE was not verifiable, the script compares the local version to the version you supply.

#!/usr/bin/env bash
# check_vmanage_cve_2026_20245.sh
# Purpose: Best-effort local version check for Cisco Catalyst SD-WAN Manager
# Usage: sudo bash check_vmanage_cve_2026_20245.sh <fixed-version>
# Output: VULNERABLE / PATCHED / UNKNOWN
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

set -u

FIXED_VERSION="${1:-}"
if [ -z "$FIXED_VERSION" ]; then
  echo "UNKNOWN - usage: $0 <fixed-version>"
  exit 2
fi

trim() {
  sed 's/^[[:space:]]*//;s/[[:space:]]*$//'
}

extract_version() {
  grep -Eo '[0-9]+(\.[0-9]+){1,3}' | head -n1
}

get_current_version() {
  local v=""

  # Common local files first. /etc/issue is a weak last resort: it usually holds
  # the host OS login banner, so a version taken from it may be the base OS
  # release rather than the Manager release and should be double-checked.
  for f in /etc/cisco-release /etc/viptela-release /opt/viptela/etc/version /etc/issue; do
    if [ -r "$f" ]; then
      v=$(cat "$f" 2>/dev/null | extract_version)
      if [ -n "$v" ]; then
        echo "$v"
        return 0
      fi
    fi
  done

  # Try CLI commands if present
  if command -v show >/dev/null 2>&1; then
    v=$(show version 2>/dev/null | extract_version)
    if [ -n "$v" ]; then
      echo "$v"
      return 0
    fi
  fi

  if command -v vmanage >/dev/null 2>&1; then
    v=$(vmanage version 2>/dev/null | extract_version)
    if [ -n "$v" ]; then
      echo "$v"
      return 0
    fi
  fi

  return 1
}

version_ge() {
  # returns 0 if $1 >= $2
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n1)" = "$1" ]
}

CURRENT_VERSION=$(get_current_version | trim)

if [ -z "$CURRENT_VERSION" ]; then
  echo "UNKNOWN - could not determine installed Cisco Catalyst SD-WAN Manager version"
  exit 2
fi

if version_ge "$CURRENT_VERSION" "$FIXED_VERSION"; then
  echo "PATCHED - current version $CURRENT_VERSION is >= supplied fixed version $FIXED_VERSION"
  exit 0
else
  echo "VULNERABLE - current version $CURRENT_VERSION is < supplied fixed version $FIXED_VERSION"
  exit 1
fi
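The page's script takes one fixed version, but it also notes that the fix is per branch: a node on a different release train than the one you typed sorts "higher" and is reported PATCHED even though its own train has a separate fix. This added example (not part of the noisgate page or of any Cisco tooling) keys the fixed release on the train and answers UNKNOWN for trains it has no entry for; the table values are constructed placeholders to be replaced from the vendor advisory.

```shell
#!/usr/bin/env bash
# Added example, not part of the noisgate page or any Cisco tooling.
# Branch-aware variant of the page's check: look up the fixed release for the
# installed release train (first two version components) instead of comparing
# against a single version supplied on the command line.

# Train -> fixed release. CONSTRUCTED PLACEHOLDER values: the page could not
# verify the real fixed releases, so fill this in from the Cisco advisory.
FIXED_TABLE="20.12 20.12.90
20.15 20.15.90"

# Same comparison as the page's script: succeeds if $1 >= $2 under natural sort.
version_ge() {
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n1)" = "$1" ]
}

# Release train of a version string, e.g. 20.12.5.4 -> 20.12
train_of() {
  printf '%s\n' "$1" | cut -d. -f1,2
}

# classify <installed-version> [<table>]
# Prints PATCHED / VULNERABLE / UNKNOWN; exit code 0 / 1 / 2 like the page's script.
classify() {
  local cur="$1" table="${2:-$FIXED_TABLE}" train fixed
  train=$(train_of "$cur")
  # Fixed release for this train; empty when the train is not in the table.
  fixed=$(printf '%s\n' "$table" | awk -v t="$train" '$1 == t { print $2; exit }')
  if [ -z "$fixed" ]; then
    echo "UNKNOWN - no fixed release recorded for train $train"
    return 2
  fi
  if version_ge "$cur" "$fixed"; then
    echo "PATCHED - $cur >= $fixed on train $train"
    return 0
  fi
  echo "VULNERABLE - $cur < $fixed on train $train"
  return 1
}

# Verdict word only (PATCHED / VULNERABLE / UNKNOWN), for use in other scripts.
verdict() {
  classify "$@" | cut -d' ' -f1
}

# Stand-alone use: bash this_script.sh 20.12.5.4
if [ -n "${1:-}" ]; then
  classify "$1"
fi
```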
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning: treat this as a post-compromise control-plane hardening issue, not an all-hands remote-edge emergency. Because the reassessed verdict is MEDIUM, there is no noisgate mitigation SLA; go straight to the 365-day remediation window and use it to confirm the exact Cisco-fixed release for your branch, remove unnecessary CLI access, and patch all SD-WAN Manager nodes within that window (the noisgate remediation SLA of ≤365 days). If you know your environment gives broad CLI access to operators or shared accounts, move it up internally even though the CVE itself does not justify panic patching.

Sources

  1. Cisco advisory: CVE-2025-20122 comparable SD-WAN Manager CLI privilege escalation
  2. Cisco support page: CVE-2025-20122 advisory landing page
  3. NVD: CVE-2025-20122
  4. Cisco advisory: Catalyst SD-WAN Manager arbitrary file overwrite vulnerability
  5. Cisco advisory: SD-WAN software privilege escalation vulnerabilities
  6. Cisco security advisories list for SD-WAN products
  7. CISA Known Exploited Vulnerabilities Catalog
  8. VulnCheck analysis of Cisco SD-WAN Manager exposure