Cisco Catalyst SD-WAN Zero-Day Actively Exploited — No Patch Yet
What Happened
Cisco has issued an urgent advisory for CVE-2026-20245, a high-severity privilege escalation zero-day in Cisco Catalyst SD-WAN Manager that is being actively exploited in the wild. The flaw allows an attacker to escalate to root on affected devices — and as of this writing, Cisco has not released a patch.
This is not a theoretical risk. Confirmed in-the-wild exploitation means attackers already have working exploit code and are using it.
Why It Matters
Cisco Catalyst SD-WAN Manager is the centralized control plane for SD-WAN deployments. Root-level compromise of the manager doesn't just mean one node is owned — it means an attacker can potentially manipulate routing policy, intercept traffic, pivot to connected branches, and move laterally across your entire WAN fabric.
For organizations running hybrid or multi-site networks on Cisco SD-WAN, this is a critical exposure. The combination of:
- Active exploitation (not just proof-of-concept)
- No patch available
- Root-level impact
- Centralized management-plane target
...makes this the highest-priority item on your board right now.
What to Do
- Restrict access to the SD-WAN Manager immediately. If the management interface is reachable from the internet or untrusted segments, firewall it off now. It should only be accessible from your jump hosts or management VLANs.
- Audit authentication logs on your SD-WAN Manager for anomalous login attempts, unexpected privilege changes, or unfamiliar sessions.
- Monitor Cisco's advisory page for patch releases — apply any fix the moment it drops. Subscribe to Cisco's PSIRT notifications if you haven't already.
- Check for indicators of compromise. Look for unexpected root-level processes, modified configuration files, or unusual outbound connections from the manager appliance.
- Segment your blast radius. Ensure your SD-WAN Manager cannot initiate arbitrary connections to internal systems beyond its functional scope.
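One way to mechanise the log-audit step above, as an added example that is not Cisco's tooling or part of the advisory: it assumes a constructed, simplified line format (not the Manager's real log schema) and a constructed allowlist of management networks, and flags logins from outside that allowlist, privilege changes to root, and bursts of failed logins.

```python
# Added example: triage management-plane auth logs against an allowlist of
# jump hosts / management VLANs. The line format is constructed and
# simplified, NOT Cisco's real schema; adapt LINE_RE to what your Manager emits.
import ipaddress
import re
from collections import Counter

# Assumed: only these networks may reach the Manager (constructed values).
MGMT_ALLOWLIST = [ipaddress.ip_network("10.20.0.0/24"),   # management VLAN
                  ipaddress.ip_network("10.99.1.10/32")]  # jump host

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>LOGIN_OK|LOGIN_FAIL|PRIV_CHANGE) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)(?: to=(?P<to>\S+))?$")

def analyze_auth_log(lines, fail_threshold=3):
    """Return findings as (severity, message) tuples, in log order."""
    findings = []
    fails = Counter()  # failed-login count per source address
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            findings.append(("info", f"unparsed line: {line.strip()}"))
            continue
        src = ipaddress.ip_address(m["src"])
        if not any(src in net for net in MGMT_ALLOWLIST):
            findings.append(("high", f"{m['ts']} {m['event']} for {m['user']} "
                                     f"from non-management source {src}"))
        if m["event"] == "PRIV_CHANGE" and m["to"] == "root":
            findings.append(("high", f"{m['ts']} privilege change to root "
                                     f"by {m['user']} from {src}"))
        if m["event"] == "LOGIN_FAIL":
            fails[src] += 1
            if fails[src] == fail_threshold:
                findings.append(("medium", f"{m['ts']} {fail_threshold} "
                                           f"failed logins from {src}"))
    return findings

# Constructed sample lines for demonstration (203.0.113.0/24 is TEST-NET-3).
SAMPLE_LOG = [
    "2026-01-10T08:00:01Z LOGIN_OK user=netops src=10.20.0.15",
    "2026-01-10T08:05:12Z LOGIN_FAIL user=admin src=203.0.113.7",
    "2026-01-10T08:05:14Z LOGIN_FAIL user=admin src=203.0.113.7",
    "2026-01-10T08:05:16Z LOGIN_FAIL user=admin src=203.0.113.7",
    "2026-01-10T08:06:00Z LOGIN_OK user=admin src=203.0.113.7",
    "2026-01-10T08:06:30Z PRIV_CHANGE user=admin src=203.0.113.7 to=root",
]

if __name__ == "__main__":
    for sev, msg in analyze_auth_log(SAMPLE_LOG):
        print(f"[{sev}] {msg}")
```

Feed it exported Manager auth events after adapting the regex, and route any "high" finding into the incident process rather than treating it as a log curiosity.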
No workaround has been confirmed effective yet — network isolation is your primary control until Cisco ships a fix. Treat this as a fire drill: if you're running Catalyst SD-WAN Manager in your environment, act before the end of business today.
Synthesized by Claude · sanity-checked before publish.