According to BleepingComputer, Cisco has issued an urgent security advisory warning customers of a high-severity vulnerability in its Catalyst SD-WAN Manager that is being actively exploited in the wild — and for which no patch currently exists.
The Vulnerability
Tracked as CVE-2026-20245, the flaw resides in the Cisco Catalyst SD-WAN Manager, a platform widely used by enterprises to centrally manage and orchestrate their software-defined wide area network fabric. Successful exploitation allows an authenticated, remote attacker to escalate privileges to root on the underlying operating system of an affected device.
According to Cisco's disclosure, the vulnerability stems from improper input validation in the SD-WAN Manager's management interface. An attacker with valid low-privilege credentials could send specially crafted requests to achieve full root-level access, effectively taking complete control of the device.
Why This Matters
What elevates this issue beyond a typical advisory is its status as a true zero-day: Cisco confirmed that exploitation has already been observed in real-world attacks before a fix could be developed and distributed. Organisations running the affected product face an immediate and active threat window with no vendor-supplied remedy on the table.
For enterprises relying on SD-WAN architectures — particularly those managing distributed branch offices, remote sites, or hybrid cloud connectivity — the Catalyst SD-WAN Manager sits at the heart of network orchestration. A compromised management node could give attackers visibility into network topology, the ability to reroute traffic, and a foothold for lateral movement across the wider infrastructure.
The vulnerability affects multiple versions of the Catalyst SD-WAN Manager. Cisco has published a list of impacted software releases in its advisory and is urging administrators to review their deployments immediately.
Recommended Mitigations
In the absence of a software fix, Cisco has outlined several interim defensive measures that organisations should implement without delay:
- Restrict management-plane access. Limit connectivity to the SD-WAN Manager's management interface to only trusted, hardened networks. Exposure to the public internet or untrusted segments should be eliminated entirely.
- Enforce strong authentication controls. Given that exploitation requires valid credentials, organisations should ensure multi-factor authentication is enabled for all administrative accounts and audit credential hygiene across the board.
- Enhance logging and monitoring. Cisco recommends enabling detailed audit logging on affected systems and actively monitoring for anomalous management activity, unexpected session origins, or signs of privilege escalation.
- Prepare incident response playbooks. Security teams should treat any SD-WAN Manager compromise as a high-priority incident and have containment procedures ready — including the ability to isolate affected nodes from production networks.
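As an added example, not code from Cisco's advisory or from BleepingComputer's report, the following Python screens constructed management-session audit records against the first three mitigations above: sessions from outside an assumed trusted management network, logins without MFA, and root-level actions by accounts that hold only a low-privilege role. The record layout, the trusted networks and the field names are assumptions, not Cisco's log format.

```python
import ipaddress

# Assumption: the trusted, hardened networks from which management-plane
# access to the SD-WAN Manager is permitted (constructed for this example).
TRUSTED_MGMT_NETS = [
    ipaddress.ip_network("10.20.0.0/24"),
    ipaddress.ip_network("192.168.50.0/28"),
]

# Constructed sample audit records; the field layout is hypothetical and is
# not Cisco's real log format.
SAMPLE_EVENTS = [
    {"ts": "2026-03-01T08:00:00Z", "user": "netops1", "src": "10.20.0.15",
     "role": "operator", "action": "login", "mfa": True},
    {"ts": "2026-03-01T08:02:10Z", "user": "netops1", "src": "10.20.0.15",
     "role": "operator", "action": "view_topology"},
    {"ts": "2026-03-01T09:15:00Z", "user": "viewer2", "src": "203.0.113.77",
     "role": "readonly", "action": "login", "mfa": False},
    {"ts": "2026-03-01T09:15:42Z", "user": "viewer2", "src": "203.0.113.77",
     "role": "readonly", "action": "shell_exec", "effective_uid": 0},
]


def is_trusted_source(src: str) -> bool:
    """True if the session origin falls inside an allowed management network."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in TRUSTED_MGMT_NETS)


def analyse(events):
    """Return sorted, de-duplicated (finding, user, src) tuples for review."""
    findings = set()
    for e in events:
        # Mitigation 1: management-plane access only from trusted networks.
        if not is_trusted_source(e["src"]):
            findings.add(("untrusted_origin", e["user"], e["src"]))
        # Mitigation 2: every login must have used multi-factor authentication.
        if e["action"] == "login" and not e.get("mfa", False):
            findings.add(("mfa_missing", e["user"], e["src"]))
        # Mitigation 3: root-level activity by a non-admin role is the
        # privilege-escalation outcome the advisory describes.
        if e.get("effective_uid") == 0 and e["role"] != "admin":
            findings.add(("privilege_escalation", e["user"], e["src"]))
    return sorted(findings)


if __name__ == "__main__":
    for finding in analyse(SAMPLE_EVENTS):
        print(*finding)
```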
The Broader Picture
This disclosure follows a pattern of attackers increasingly targeting network management infrastructure, which often holds elevated privileges and broad visibility across enterprise environments. SD-WAN platforms, by design, must communicate with numerous branch devices and cloud gateways — making them high-value targets for threat actors seeking to establish persistent, wide-reaching access.
The fact that exploitation preceded the advisory — first reported by BleepingComputer — underscores the speed at which sophisticated attackers can identify and weaponise flaws in critical infrastructure software. For IT teams, by the time a flaw is publicly disclosed the window for proactive defence has often already closed.
As of the disclosure, Cisco has not attributed the observed exploitation to any specific threat actor or group.