Seven. That is the number of Cisco Catalyst SD-WAN Manager vulnerabilities confirmed as actively exploited in the wild in 2026. The latest, CVE-2026-20245, was disclosed in early June after Mandiant discovered it had been used in a real intrusion for at least two months before anyone told Cisco. The attacker gained root on a service provider's SD-WAN management plane, created a rogue shell account named "troot," then wiped the logs. A patch shipped June 12. If you run Cisco SD-WAN, you need to understand what this number means.
What CVE-2026-20245 actually does
CVE-2026-20245 lives in the command-line interface of Cisco Catalyst SD-WAN Manager. An attacker with netadmin-level credentials can upload a specially crafted file and cause the system to execute arbitrary commands as root. The CVSS base score is 7.8, which is "high" but not "critical" because it requires local authentication. Do not let that number anchor your risk assessment. Netadmin credentials are not uncommon across large network operations teams, and this flaw was chain-exploited after two earlier zero-days, CVE-2026-20182 and CVE-2026-20127, provided initial authenticated access.
The attacker who exploited CVE-2026-20245 in the wild was not improvising. The rogue account "troot" was created with unrestricted shell access. Log clearing ran immediately after. This is a threat actor running a deliberate operational security playbook against a high-value target: a service provider's entire SD-WAN management plane.
The seven exploited flaws
The full list of Cisco SD-WAN vulnerabilities confirmed exploited in 2026: CVE-2026-20182 (authentication bypass), CVE-2026-20127 (command injection), CVE-2026-20122 (path traversal), CVE-2026-20128 (privilege escalation), CVE-2026-20133 (improper access control), CVE-2022-20775 (a flaw disclosed in 2022 and still being leveraged, which is an unpatched-exposure problem rather than a zero-day), and CVE-2026-20245 (CLI privilege escalation to root). Multiple entries were exploited as zero-days, meaning attackers had working exploit code before Cisco had a patch available.
One product family. Six months. Seven exploited flaws, several of them zero-days. This is not a coincidence. Someone is investing serious resources in finding and weaponizing Cisco SD-WAN vulnerabilities specifically. Whether that is a nation-state team, a well-resourced criminal group, or both, the operational priority is clear.
Why this matters more than typical vulnerability churn
SD-WAN management platforms control routing decisions, traffic flows, and the connectivity of every branch office on a WAN. Compromising the management plane is not like compromising a single server. It gives an attacker visibility and influence over an entire network's behavior. For service providers, it is worse: their SD-WAN management plane is an administrative layer over their customers' infrastructure. A single compromise can cascade.
The zero-day exploitation windows compound this. CVE-2026-20245 was used for at least two months before Cisco knew. During that window, there was no patch to apply and no vendor advisory to act on. The only available defense was behavioral detection: monitoring for unexpected file uploads via the CLI, unauthorized account creation, and log clearing. How many organizations running Cisco SD-WAN had those detections deployed and tuned?
What to do
Patch CVE-2026-20245 now if you have not. The fix was available June 12. Because this flaw was chained behind CVE-2026-20182 and CVE-2026-20127 for initial authenticated access, confirm those patches are applied as well; fixing the root escalation alone leaves the front door open. Audit your SD-WAN Manager user accounts for unexpected entries, with specific attention to accounts created in the past several months. Enable alerts on new local account creation, file uploads via the CLI, and log clearing commands, and correlate them: an account creation followed within minutes by a log clear is the exact sequence seen in the "troot" intrusion. If you are a service provider operating shared SD-WAN infrastructure, your management plane needs the same access controls and monitoring depth as your most sensitive identity systems.
Longer term: seven exploited flaws in six months, several of them zero-days, signal that Cisco SD-WAN is under sustained security research pressure from well-resourced adversaries. If you are conducting procurement reviews or network architecture assessments, this pattern belongs in your threat model alongside the technical CVE scores.
Gigia Tsiklauri is a Security Architect and founder of Infosec.ge. Get in touch if your organization needs help assessing SD-WAN security posture or building detection coverage for network device exploitation.