Cisco warns of unpatched SD-WAN zero-day exploited in attacks

Cisco warns of an actively exploited high-severity zero-day (CVE-2026-20245) in Cisco Catalyst SD-WAN Manager (vManage) that allows local attackers with netadmin privileges to perform command injection and escalate to root. Cisco observed limited exploitation cases, provided an IOC log example showing attempted tenant list uploads, and advised customers to open TAC cases and apply mitigations while patches are not yet available; the issue may be chained with other recently exploited SD-WAN CVEs.