Cisco SD-WAN Zero-Day Under Active Attack — and There’s No Patch Yet

Cisco has confirmed that attackers are exploiting a zero-day flaw in Catalyst SD-WAN Manager — the platform that controls SD-WAN networks — and there’s no patch for it yet. The bug, tracked as CVE-2026-20245, lets an attacker with admin-level access run commands as root, and it’s being chained with two earlier authentication-bypass flaws that hand attackers exactly that access, as reported by Help Net Security. Cisco has already seen attackers push configuration changes out to edge devices.

This affects every Cisco SD-WAN deployment type: on-premises, cloud and Cisco-managed. If your business — or your IT provider — uses Cisco SD-WAN to link offices, sites or venues, this applies to you. Root access to the management layer means an attacker can quietly reconfigure your entire network, not just one box.

What to do now

Cisco’s advice is unusually specific. Run request admin-tech on each SD-WAN control component first to preserve evidence, then upgrade to the fixed software listed in the May advisory for CVE-2026-20182, which closes off the known entry points. Check your logs against Cisco’s published indicators of compromise. If you find a match, don’t stop at patching — a compromised system needs the remediation steps from Cisco TAC, because the update alone won’t evict anyone already inside.

Not sure whether Cisco SD-WAN sits anywhere in your network? Ask your IT provider today. If you’d like a second set of eyes, our cybersecurity team can help.
