Description
A vulnerability in the CLI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an authenticated, local attacker to execute arbitrary commands as root by supplying a crafted file to the affected system.

This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by uploading a crafted file to the affected system. A successful exploit could allow the attacker to perform command injection attacks on an affected system and elevate their privileges as the root user.
To exploit this vulnerability, the attacker must have netadmin privileges on the affected system. This would require valid credentials or exploitation of or . Cisco is not aware of successful exploitation by other methods. Cisco has observed limited cases where the exploitation of this bug resulted in a configuration change pushed to edge devices.
Cisco recommends that customers upgrade to the fixed software that is documented in the that was published on May 14, 2026, and verify the configuration of the edge devices.
Published: 2026-06-04
Score: 7.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the CLI of Cisco Catalyst SD‑WAN Manager, allowing an authenticated, local attacker who can upload a crafted file to execute arbitrary system commands. The flaw results from insufficient validation of user‑supplied input, giving the attacker the ability to perform command injection and raise their privileges to root, providing full control over the affected device.

Affected Systems

The flaw affects Cisco’s Catalyst SD‑WAN Manager (previously known as vManage). No specific software versions are listed in the advisory, so all deployments using this component are potentially impacted until a patch is applied.

Risk and Exploitability

The CVSS score of 7.8 places the issue in the High severity range. The EPSS is currently unavailable, making it unclear how often the vulnerability is targeted, and it is not yet listed in the CISA KEV catalog. Exploitation requires valid netadmin credentials on the local system; no remote vectors or zero‑day exploits are currently documented. Because the flaw can elevate an authenticated user to root, the risk to confidentiality, integrity, and availability is significant if an attacker gains netadmin access.

Generated by OpenCVE AI on June 4, 2026 at 23:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Cisco‑released patch or software update published on May 14, 2026, to address the command injection flaw.
  • Verify that edge device configurations have not been altered unexpectedly and restore any unauthorized changes.
  • Restrict netadmin privileges to trusted personnel and enforce the principle of least privilege for local users.


Advisories

No advisories yet.

History

Fri, 05 Jun 2026 03:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 04 Jun 2026 22:45:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability in the CLI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an authenticated, local attacker to execute arbitrary commands as root by supplying a crafted file to the affected system. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by uploading a crafted file to the affected system. A successful exploit could allow the attacker to perform command injection attacks on an affected system and elevate their privileges as the root user. To exploit this vulnerability, the attacker must have netadmin privileges on the affected system. This would require valid credentials or exploitation of or . Cisco is not aware of successful exploitation by other methods. Cisco has observed limited cases where the exploitation of this bug resulted in a configuration change pushed to edge devices. Cisco recommends that customers upgrade to the fixed software that is documented in the that was published on May 14, 2026, and verify the configuration of the edge devices.
Title | | Cisco Catalyst SD-WAN Controller Authenticated Privilege Escalation Vulnerability
Weaknesses | | CWE-116
References | |
Metrics | | cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}



MITRE

Status: PUBLISHED

Assigner: cisco

Published:

Updated: 2026-06-05T02:00:17.103Z

Reserved: 2025-10-08T11:59:15.400Z

Link: CVE-2026-20245

Vulnrichment

Updated: 2026-06-05T02:00:12.346Z

NVD

Status: Received

Published: 2026-06-04T23:17:31.763

Modified: 2026-06-04T23:17:31.763

Link: CVE-2026-20245

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T00:00:08Z
