The threat is real. Unknown miscreants are exploiting a high-severity, zero-day bug in Cisco’s SD-WAN management software, and the networking giant hasn’t said when it will patch the flaw. Cisco issued an advisory on Thursday for the Catalyst SD-WAN Manager vulnerability, tracked as CVE-2026-20245, and it sounds like attackers have been exploiting this security failure for at least the last week. It’s due to a validation error – the software fails to properly validate user-supplied input – and an authenticated, local attacker can exploit the flaw by uploading a specially crafted file to vulnerable systems. From there, they can escalate privileges and execute commands with root privileges. The vulnerability affects all versions of the SD-WAN software, regardless of device configuration, and across all deployment types including on-premises, cloud-based, and FedRAMP-certified deployments. Switchzilla says it became aware of attacks against this vulnerability in June. “To exploit this vulnerability, an attacker must have netadmin privileges on an affected system,” the vendor said. “This would require valid credentials or exploitation of CVE-2026-20182 or CVE-2026-20127. Cisco is not aware of successful exploitation by other methods.” Both of these earlier SD-WAN security holes have also been hit by attackers in previous months. The good news: an attacker needs valid credentials to abuse the new hole. The bad news: exposed credentials aren’t hard to find (or buy) online. We don’t know the scope of exploitation or exactly when attackers began hitting this SD-WAN hole. Cisco declined to answer The Register’s questions, and instead sent us a statement via email. “Cisco recommends customers upgrade to the fixed software released in May 2026 for CVE-2026-20182 as a protective measure,” a spokesperson said. “A patch for this vulnerability will be provided on a future date. Customers needing assistance should contact Cisco TAC.” This latest bug is the sixth SD-WAN vulnerability listed as under attack since the start of the year, and the second zero-day in two months. The most recent is the one the Cisco spokesperson mentioned in an email to The Register. In May, Switchzilla disclosed a max-severity make-me-admin bug (CVE-2026-20182) affecting Catalyst SD-WAN Controller and Manager, and warned that attackers had already found and exploited the hole before it issued a patch. A month earlier, America’s lead cyber-defense agency said that three Cisco Catalyst SD-WAN Manager bugs (CVE-2026-20128, CVE-2026-20133, and CVE-2026-20122) were under attack, and gave federal agencies just four days to patch the security holes. Cisco fixed all three CVEs in late February, and in March warned of attackers abusing two of them. Also in February, the networking vendor patched a max-severity improper authentication flaw (CVE-2026-20127) affecting the same SD-WAN software, prompting a Five Eyes countries’ joint intelligence alert urgently warning defenders to patch it – plus an old SD-WAN vulnerability (CVE-2022-20775) – or risk root takeover. “Malicious cyber threat actors are targeting Cisco Catalyst SD-WAN used by organizations globally,” the UK’s lead cyber agency said at the time. “These actors are compromising SD-WANs to add a malicious rogue peer and then conduct a range of follow-on actions to achieve root access and maintain persistent access to the SD-WAN.” And while this one isn’t listed as under active exploitation (yet), on Wednesday, Cisco warned about a proof-of-concept exploit for CVE-2026-20230, a critical bug in its Unified Communications Manager that also allows attackers to gain root privileges. ®