CISCO-SA-SDWAN-PRIVESC-4UXFRDZX
Vulnerability from csaf_cisco - Published: 2026-06-04 22:27 - Updated: 2026-06-05 21:23
Summary
Cisco Catalyst SD-WAN Manager Authenticated Privilege Escalation Vulnerability
Notes
Summary: A vulnerability in the CLI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an authenticated, local attacker to execute arbitrary commands as root by supplying a crafted file to the affected system.
This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by uploading a crafted file to the affected system. A successful exploit could allow the attacker to perform command injection attacks on an affected system and elevate their privileges as the root user.
To exploit this vulnerability, the attacker must have netadmin privileges on the affected system. This would require valid credentials or exploitation of CVE-2026-20182 ["https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa2-v69WY2SW"] or CVE-2026-20127 ["https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk"]. Cisco is not aware of successful exploitation by other methods. Cisco has observed limited cases where the exploitation of this bug resulted in a configuration change pushed to edge devices.
Cisco recommends that customers upgrade to the fixed software that is documented in the Catalyst SD-WAN Security Advisory ["https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa2-v69WY2SW"] that was published on May 14, 2026, and verify the configuration of the edge devices.
Cisco has not released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
Important: To preserve possible indicators of compromise, customers should issue the request admin-tech ["https://www.cisco.com/c/en/us/support/docs/routers/sd-wan/225842-remediate-catalyst-sd-wan-security.html"] command from each of the control components in the SD-WAN deployment before upgrading. After the admin-tech file has been collected, software should be upgraded at the earliest opportunity.
Before upgrading an SD-WAN deployment to a fixed release, retain relevant logs. After upgrading, verify that the system has not been compromised by checking the logs for the indicators of compromise as documented in this advisory. If the logs show indicators of compromise and the system is confirmed to be compromised, applying the software update alone will not resolve the vulnerability. In such cases, follow the specific remediation steps that will be provided by the Cisco Technical Assistance Center (TAC) to help secure the system. This section will be updated as information becomes available.
Vulnerable Products: This vulnerability affects Cisco Catalyst SD-WAN Manager, regardless of device configuration.
This vulnerability affects all deployment types, including:
- On-Prem Deployment
- Cisco SD-WAN Cloud-Pro
- Cisco SD-WAN Cloud (Cisco Managed)
- Cisco SD-WAN for Government (FedRAMP)
For information about which Cisco software releases are vulnerable, see the Fixed Software ["#fs"] section of this advisory.
Products Confirmed Not Vulnerable: Only products listed in the Vulnerable Products ["#vp"] section of this advisory are known to be affected by this vulnerability.
Indicators of Compromise: Cisco Catalyst SD-WAN Manager systems that are exposed to the internet and that have ports exposed to the internet are at risk of exposure to compromise. In some instances, these indicators of compromise may occur during standard operations. Therefore, they must be assessed against normal network posture to identify and avoid false positives.
Customers are encouraged to audit the scripts.log file, located at /var/log/, for entries that are shown in the following examples:
Apr 15 09:44:57 vmanage vScript: Tenant list upload per vsmart serial number: /usr/bin/vconfd_script_upload_tenant_list.sh -cli path /home/admin/malicious.csv vpn 0
Jun 5 13:06:39 Manager vScript: vSmart upload serial numbers: /usr/bin/vconfd_script_upload_vsmart_serial_numbers.sh -cli path /home/admin/vsmart_serial_numbers_safe.csv
Jun 5 13:08:47 Validator vScript: ZTP upload chassis numbers: /usr/bin/vconfd_script_upload_chassis_number_file.sh -cli path /home/admin/chassis_numbers_safe.csv
Note: These are legitimate commands, and the logs will not distinguish between legitimate and malicious use. Customers who observe these logs and are uncertain about their origin or intent should contact the Cisco TAC for further assistance.
For help determining if a Cisco Catalyst SD-WAN Manager has been compromised, customers may open a case with the Cisco TAC. Before opening a new Cisco TAC case, customers are encouraged to issue the request admin-tech command from each of the control components in the SD-WAN deployment so that the admin-tech file can be provided to the Cisco TAC for review. This should include any edge devices that may show recent unauthorized changes to configuration.
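The scripts.log audit described above can be turned into a repeatable triage step. The following is an added example, not Cisco's code: it extracts the vScript upload invocations in the format of the advisory's sample entries and separates those that fall outside operator-supplied change windows. The `change_windows` list and the `year` argument are assumptions (syslog timestamps carry no year), and a match is a lead to review rather than proof of compromise.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Upload helper scripts named in the advisory's example log entries.
ADVISORY_SCRIPTS = {
    "vconfd_script_upload_tenant_list.sh",
    "vconfd_script_upload_vsmart_serial_numbers.sh",
    "vconfd_script_upload_chassis_number_file.sh",
}

# "<Mon> <day> <HH:MM:SS> <host> vScript: <label>: <script> -cli path <file> [extra]"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) vScript: "
    r"(?P<label>.+?): (?P<script>/usr/bin/vconfd_script_upload_\w+\.sh) "
    r"-cli path (?P<path>\S+)(?: (?P<extra>.*))?$"
)

@dataclass
class UploadEvent:
    when: datetime
    host: str
    label: str
    script: str            # script file name without directory
    path: str              # file handed to the script via "-cli path"
    extra: Optional[str]   # trailing arguments, e.g. "vpn 0"
    in_advisory: bool      # True if the script is one the advisory names

def parse_events(lines, year):
    """Return an UploadEvent for every vScript upload line; skip everything else."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        script = m["script"].rsplit("/", 1)[-1]
        events.append(UploadEvent(when, m["host"], m["label"], script,
                                  m["path"], m["extra"], script in ADVISORY_SCRIPTS))
    return events

def unexplained(events, change_windows):
    """Events that fall outside every (start, end) approved change window."""
    return [e for e in events
            if not any(start <= e.when <= end for start, end in change_windows)]

# First three lines are the advisory's own examples; the last is constructed noise.
SAMPLE_LINES = [
    "Apr 15 09:44:57 vmanage vScript: Tenant list upload per vsmart serial number: "
    "/usr/bin/vconfd_script_upload_tenant_list.sh -cli path /home/admin/malicious.csv vpn 0",
    "Jun 5 13:06:39 Manager vScript: vSmart upload serial numbers: "
    "/usr/bin/vconfd_script_upload_vsmart_serial_numbers.sh -cli path "
    "/home/admin/vsmart_serial_numbers_safe.csv",
    "Jun 5 13:08:47 Validator vScript: ZTP upload chassis numbers: "
    "/usr/bin/vconfd_script_upload_chassis_number_file.sh -cli path "
    "/home/admin/chassis_numbers_safe.csv",
    "Jun 5 13:09:02 Manager vScript: unrelated entry",
]

# Constructed change window: an approved maintenance hour on 2026-06-05.
SAMPLE_WINDOWS = [(datetime(2026, 6, 5, 13, 0), datetime(2026, 6, 5, 14, 0))]

if __name__ == "__main__":
    for ev in unexplained(parse_events(SAMPLE_LINES, 2026), SAMPLE_WINDOWS):
        print(f"REVIEW {ev.when:%Y-%m-%d %H:%M:%S} {ev.host} {ev.script} "
              f"file={ev.path} extra={ev.extra!r}")
```

Run it against a retained copy of scripts.log (for example, one preserved before the upgrade) rather than the live file, and take anything it flags to the change record or to the Cisco TAC.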
Workarounds: There are no workarounds that address this vulnerability.
Fixed Software: Cisco plans to address this vulnerability in Cisco Catalyst SD-WAN Manager in a future release. This section will be updated as information becomes available.
Customers who need additional information are advised to contact the Cisco TAC or their contracted maintenance providers.
Vulnerability Policy: To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy ["http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html"]. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
Exploitation and Public Announcements: In June 2026, the Cisco Product Security Incident Response Team (PSIRT) became aware of exploitation of this vulnerability.
To exploit this vulnerability, an attacker must have netadmin privileges on an affected system. This would require valid credentials or exploitation of CVE-2026-20182 ["https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa2-v69WY2SW"] or CVE-2026-20127 ["https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk"]. Cisco is not aware of successful exploitation by other methods.
Source: Cisco would like to thank Chester Sng, Pete Boonyakarn, and Logeswaran Nadarajan of Mandiant for reporting this vulnerability.
Legal Disclaimer: SOFTWARE DOWNLOADS AND TECHNICAL SUPPORT
The Cisco Support and Downloads ["https://www.cisco.com/c/en/us/support/index.html"] page on Cisco.com provides information about licensing and downloads. This page can also display customer device support coverage for customers who use the My Devices tool. Please note that customers may download only software that was procured from Cisco directly or through a Cisco authorized reseller or partner and for which the license is still valid.
Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco Technical Assistance Center (TAC) ["https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html"]. Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.
When considering software upgrades ["https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html#fixes"], customers are advised to regularly consult the advisories ["https://www.cisco.com/go/psirt"] for the relevant Cisco products to determine exposure and a complete upgrade solution. In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) ["https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html"] or their contracted maintenance providers.
LEGAL DISCLAIMER DETAILS
CISCO DOES NOT MAKE ANY EXPRESS OR IMPLIED GUARANTEES OR WARRANTIES OF ANY KIND, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. WITHOUT LIMITING THE GENERALITY OF THE FOREGOING, CISCO DOES NOT GUARANTEE THE ACCURACY OR COMPLETENESS OF THIS INFORMATION. THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
Copies or summaries of the information contained in this Security Advisory may lack important information or contain factual errors. Customers are advised to visit the Cisco Security Advisories ["https://www.cisco.com/go/psirt"] page for the most recent version of this Security Advisory. The Cisco Product Security Incident Response Team (PSIRT) assesses only the affected and fixed release information that is documented in this advisory. See the Cisco Security Vulnerability Policy ["https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html#fixes"] for more information.
7.8 (High)
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Cisco Catalyst SD-WAN Manager (Cisco) | — | | Vendor Fix |
{
"document": {
"acknowledgments": [
{
"summary": "Cisco would like to thank Chester Sng, Pete Boonyakarn, and Logeswaran Nadarajan of Mandiant for reporting this vulnerability."
}
],
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"publisher": {
"category": "vendor",
"contact_details": "psirt@cisco.com",
"issuing_authority": "Cisco PSIRT",
"name": "Cisco",
"namespace": "https://wwww.cisco.com"
},
"references": [
{
"category": "self",
"summary": "Cisco Catalyst SD-WAN Manager Authenticated Privilege Escalation Vulnerability",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-privesc-4uxFrdzx"
},
{
"category": "external",
"summary": "Cisco Security Vulnerability Policy",
"url": "https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html"
},
{
"category": "external",
"summary": "CVE-2026-20182",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa2-v69WY2SW"
},
{
"category": "external",
"summary": "CVE-2026-20127",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk"
},
{
"category": "external",
"summary": "request admin-tech",
"url": "https://www.cisco.com/c/en/us/support/docs/routers/sd-wan/225842-remediate-catalyst-sd-wan-security.html"
},
{
"category": "external",
"summary": "Security Vulnerability Policy",
"url": "http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html"
},
{
"category": "external",
"summary": "Cisco Support and Downloads",
"url": "https://www.cisco.com/c/en/us/support/index.html"
},
{
"category": "external",
"summary": "Cisco Technical Assistance Center (TAC)",
"url": "https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html"
},
{
"category": "external",
"summary": "considering software upgrades",
"url": "https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html#fixes"
},
{
"category": "external",
"summary": "the advisories",
"url": "https://www.cisco.com/go/psirt"
}
],
"title": "Cisco Catalyst SD-WAN Manager Authenticated Privilege Escalation Vulnerability",
"tracking": {
"current_release_date": "2026-06-05T21:23:51+00:00",
"generator": {
"date": "2026-06-05T21:23:54+00:00",
"engine": {
"name": "TVCE"
}
},
"id": "cisco-sa-sdwan-privesc-4uxFrdzx",
"initial_release_date": "2026-06-04T22:27:00+00:00",
"revision_history": [
{
"date": "2026-06-04T22:26:57+00:00",
"number": "1.0.0",
"summary": "Initial public release."
},
{
"date": "2026-06-05T14:38:56+00:00",
"number": "1.1.0",
"summary": "Updated source to include researchers."
},
{
"date": "2026-06-05T21:23:51+00:00",
"number": "1.2.0",
"summary": "Updated indicators of compromise."
}
],
"status": "interim",
"version": "1.2.0"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"category": "product_family",
"name": "Cisco Catalyst SD-WAN Manager",
"product": {
"name": "Cisco Catalyst SD-WAN Manager ",
"product_id": "CSAFPID-271450"
}
}
],
"category": "vendor",
"name": "Cisco"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-20245",
"ids": [
{
"system_name": "Cisco Bug ID",
"text": "CSCwu18563"
}
],
"notes": [
{
"category": "other",
"text": "Complete.",
"title": "Affected Product Comprehensiveness"
}
],
"product_status": {
"known_affected": [
"CSAFPID-271450"
]
},
"remediations": [
{
"category": "vendor_fix",
"details": "Cisco has released software updates that address this vulnerability.",
"product_ids": [
"CSAFPID-271450"
],
"url": "https://software.cisco.com"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-271450"
]
}
],
"title": "Cisco Catalyst SD-WAN Controller Authenticated Privilege Escalation Vulnerability"
}
]
}