Analyst readout for executives and security teams
Plain-English summary
CVE-2026-20245 lets a user with netadmin privileges on Cisco Catalyst SD-WAN Manager escalate to root through a crafted file processed by the CLI. The main business risk is loss of control over the SD-WAN controller and potentially unauthorized configuration pushed to edge devices.
Executive priority
Prioritize remediation for any production SD-WAN Manager instance because controller compromise can affect branch connectivity, routing policy, and edge-device configuration integrity. Treat observed configuration drift as an incident trigger.
Technical view
Cisco describes insufficient validation of user-supplied input in the CLI of Catalyst SD-WAN Manager, formerly vManage. An authenticated local attacker with netadmin privileges can upload a crafted file, trigger command injection, and execute commands as root. CVSS 3.1 is 7.8 high.
Likely exposure
Exposure is limited to Cisco Catalyst SD-WAN Manager deployments running affected versions, with practical risk concentrated around accounts or attack paths that can reach netadmin privileges on the controller.
Exploitation context
Cisco reports limited cases where exploitation resulted in configuration changes pushed to edge devices. KEV status is false in the provided bundle. Cisco says exploitation requires netadmin privileges, valid credentials, or exploitation of referenced related vulnerabilities; evidence of other methods is not provided.
Researcher notes
The flaw is local authenticated privilege escalation via CLI input validation failure, mapped to CWE-116. The public bundle does not provide exploit details or fixed-version specifics beyond Cisco's advisory reference, so validation should focus on version status, privilege paths, and configuration-change evidence.
Mitigation direction
- Upgrade to the fixed Cisco software identified in the May 14, 2026 advisory.
- Verify edge device configurations for unauthorized or unexpected changes.
- Review and restrict netadmin access on SD-WAN Manager.
- Check Cisco guidance for exact fixed release targets and upgrade sequencing.
- Investigate related referenced Cisco SD-WAN vulnerabilities in the same environment.
Validation and detection
- Inventory Cisco Catalyst SD-WAN Manager versions against Cisco's affected-version list.
- Confirm SD-WAN Manager has been upgraded to a Cisco-documented fixed release.
- Review netadmin accounts for unexpected users, stale access, or recent changes.
- Check controller and edge device configuration history for unauthorized pushes.
- Correlate SD-WAN Manager activity with the May 2026 Cisco advisory timeline.
Public sources used
Based on public source material and reviewed before publication.
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
CWE-116: User-session and phishing behavior lookup
Client-side and session-facing weaknesses should be reviewed alongside initial-access and user-execution behaviors. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Open ATT&CK lookupExecution behavior lookup
The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
Open ATT&CK lookupPrivilege behavior lookup
The CVE wording references privilege impact, so privilege escalation and authorization behavior review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
Open ATT&CK lookupCVE-2026-20245 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
Open ATT&CK lookup- Severity
- High
- CVSS
- 7.8 (3.1)
- Known Exploited
- No
- Published
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CNA and ADP enrichment extracted from CVE v5
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
CVSS vector scores
1 official scoreWe collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9 cisco Vulnerability scoring details
Base CVSS 3.1 score
7.8 HighVector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Vulnerability timeline
Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.
- CVE reserved CVE Program
The CVE ID was reserved by the assigning CNA.
- CVE published CVE Program
The CVE record was published.
- CVE updated CVE Program
The CVE record metadata indicates this as the latest update time.
Source materials
Products and packages named in the record
CWE details
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE mapping pending import
This CVE carries a CWE mapping that will resolve to a full Glexia CWE intelligence page after the official CWE import is complete.