Description
A vulnerability in the CLI of Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, and Cisco Catalyst SD-WAN Validator, formerly SD-WAN vBond, could allow an authenticated, local attacker to execute arbitrary commands as root by supplying a crafted file to the affected system.

This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by uploading a crafted file to the affected system. A successful exploit could allow the attacker to perform command injection attacks on an affected system and elevate their privileges as the root user. 
To exploit this vulnerability, the attacker must have netadmin privileges on the affected system. This would require valid credentials or exploitation of or . Cisco is not aware of successful exploitation by other methods. Cisco has observed limited cases where the exploitation of this bug resulted in a configuration change pushed to edge devices.
Cisco recommends that customers upgrade to the fixed software that is documented in the that was published on May 14, 2026, and verify the configuration of the edge devices.
Published: 2026-06-04
Score: 7.8 High
EPSS: 9.9% Low
KEV: Yes
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is caused by insufficient validation of user‑supplied input in the command‑line interface of Cisco Catalyst SD‑WAN products, a weakness identified as CWE‑116. An attacker who has local netadmin credentials can upload a specially crafted file, allowing arbitrary command execution with root privileges. This privilege escalation can be used to alter the device configuration and push unauthorized settings to connected edge devices, jeopardizing confidentiality, integrity, and availability.

Affected Systems

Affected components include Cisco Catalyst SD‑WAN Controller (formerly vSmart) and Cisco Catalyst SD‑WAN Manager (formerly vManage) with the 20.12.7 release, as identified by the CPE list. The SD‑WAN Validator (formerly vBond) is referenced in the advisory but no specific version is listed; only the 20.12.7 build is explicitly cited as affected. No other versions are confirmed to be vulnerable based on the supplied data.

Risk and Exploitability

The advisory assigns a CVSS score of 7.8, indicating high severity, and an EPSS score of 10%. The vulnerability is listed in the CISA KEV catalog. Exploitation requires authenticated, local netadmin access; no remote attack vectors or other methods have been reported. Without valid netadmin credentials, the risk to a system is low, but if an attacker gains such access, privilege escalation to root is possible and could compromise the entire SD‑WAN deployment.

Generated by OpenCVE AI on June 24, 2026 at 12:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the fixed software update released on May 14, 2026, as documented in Cisco’s Security Advisory.
  • Verify that edge device configurations have not been unintentionally altered, and roll back any unauthorized changes.
  • Audit or restrict netadmin user privileges to limit the local attack surface, and consider removing unused accounts.
  • Monitor logs for unexpected file uploads or command execution attempts to detect potential exploitation.



Advisories

No advisories yet.

History

Wed, 10 Jun 2026 13:00:00 +0000

Type Values Removed Values Added
First Time appeared Cisco sd-wan Vsmart Controller
CPEs cpe:2.3:a:cisco:catalyst_sd-wan_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:cisco:catalyst_sd-wan_manager:20.12.7:*:*:*:*:*:*:*
cpe:2.3:a:cisco:sd-wan_vsmart_controller:*:*:*:*:*:*:*:*
cpe:2.3:a:cisco:sd-wan_vsmart_controller:20.12.7:*:*:*:*:*:*:*
Vendors & Products Cisco sd-wan Vsmart Controller

Tue, 09 Jun 2026 21:45:00 +0000

Type Values Removed Values Added
Description
Values Removed: A vulnerability in the CLI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an authenticated, local attacker to execute arbitrary commands as root by supplying a crafted file to the affected system. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by uploading a crafted file to the affected system. A successful exploit could allow the attacker to perform command injection attacks on an affected system and elevate their privileges as the root user. To exploit this vulnerability, the attacker must have netadmin privileges on the affected system. This would require valid credentials or exploitation of or . Cisco is not aware of successful exploitation by other methods. Cisco has observed limited cases where the exploitation of this bug resulted in a configuration change pushed to edge devices. Cisco recommends that customers upgrade to the fixed software that is documented in the that was published on May 14, 2026, and verify the configuration of the edge devices.
Values Added: A vulnerability in the CLI of Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, and Cisco Catalyst SD-WAN Validator, formerly SD-WAN vBond, could allow an authenticated, local attacker to execute arbitrary commands as root by supplying a crafted file to the affected system. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by uploading a crafted file to the affected system. A successful exploit could allow the attacker to perform command injection attacks on an affected system and elevate their privileges as the root user. To exploit this vulnerability, the attacker must have netadmin privileges on the affected system. This would require valid credentials or exploitation of or . Cisco is not aware of successful exploitation by other methods. Cisco has observed limited cases where the exploitation of this bug resulted in a configuration change pushed to edge devices. Cisco recommends that customers upgrade to the fixed software that is documented in the that was published on May 14, 2026, and verify the configuration of the edge devices.

Tue, 09 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
References
Metrics
Values Removed: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'active', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 09 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
Metrics kev

{'dateAdded': '2026-06-09T00:00:00+00:00', 'dueDate': '2026-06-23T00:00:00+00:00'}


Sun, 07 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
First Time appeared Cisco
Cisco catalyst Sd-wan Manager
Vendors & Products Cisco
Cisco catalyst Sd-wan Manager

Fri, 05 Jun 2026 03:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 04 Jun 2026 22:45:00 +0000

Type Values Removed Values Added
Description A vulnerability in the CLI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an authenticated, local attacker to execute arbitrary commands as root by supplying a crafted file to the affected system. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by uploading a crafted file to the affected system. A successful exploit could allow the attacker to perform command injection attacks on an affected system and elevate their privileges as the root user. To exploit this vulnerability, the attacker must have netadmin privileges on the affected system. This would require valid credentials or exploitation of or . Cisco is not aware of successful exploitation by other methods. Cisco has observed limited cases where the exploitation of this bug resulted in a configuration change pushed to edge devices. Cisco recommends that customers upgrade to the fixed software that is documented in the that was published on May 14, 2026, and verify the configuration of the edge devices.
Title Cisco Catalyst SD-WAN Controller Authenticated Privilege Escalation Vulnerability
Weaknesses CWE-116
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: cisco

Published:

Updated: 2026-06-12T21:18:19.941Z

Reserved: 2025-10-08T11:59:15.400Z

Link: CVE-2026-20245

Vulnrichment

Updated: 2026-06-05T02:00:12.346Z

NVD

Status: Analyzed

Published: 2026-06-04T23:17:31.763

Modified: 2026-06-10T12:59:09.600

Link: CVE-2026-20245

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T12:15:05Z

Weaknesses
  • CWE-116

    Improper Encoding or Escaping of Output