Network Security

Another Cisco Catalyst SD-WAN Manager bug actively exploited


Cisco on June 4 reported that a vulnerability in the command-line interface (CLI) of Cisco Catalyst SD-WAN Manager is being actively exploited, the seventh Cisco SD-WAN bug this year to be exploited in the wild.

In its advisory, Cisco noted that it observed “limited cases” in which the exploitation of this most recent bug resulted in a configuration change pushed to edge devices.

The Cybersecurity and Infrastructure Security Agency (CISA) has not yet added the high-severity bug, CVE-2026-20245, to its Known Exploited Vulnerabilities (KEV) catalog, but Cisco advised teams to apply the fixed software documented in the Catalyst SD-WAN advisory it published on May 14 and to verify the configuration of their edge devices.
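Verifying edge configuration is the one concrete check Cisco's guidance asks for, and it is worth doing against a known-good baseline rather than by eyeballing a running config. The script below is an added example, not Cisco tooling and not code from the advisory or this article. It parses an indentation-structured config into full stanza paths, takes the symmetric difference between a baseline and a freshly collected config, and ranks changes touching authentication, users, policy, routing or tunnels as high risk. The two configs are constructed, simplified Cisco-style snippets (RFC 5737 test addresses), not real device output, and the stanza keywords used as high-risk markers are an assumption a team would tune to its own platform.

```python
"""
Config drift check for WAN edge devices (added example; not Cisco's own tooling).

A compromised manager can push a configuration change to every edge it
controls, so the useful question is not "does the config look sane?" but
"what differs from the last configuration we approved?".
"""
from dataclasses import dataclass, field

# Stanza keywords, matched against every element of a path, whose changes most
# plausibly serve an attacker: credentials, policy, routing and tunnel settings.
# Assumption: illustrative names, adjust to the platform's real stanza names.
HIGH_RISK_MARKERS = ("aaa", "user ", "policy", "ip route", "tunnel-interface")

# Constructed known-good baseline for a branch edge.
BASELINE = """\
system
 host-name branch-edge-01
 site-id 101
aaa
 auth-order local radius
 user admin
  group netadmin
vpn 0
 interface ge0/0
  ip address 203.0.113.10/24
  tunnel-interface
   encapsulation ipsec
 ip route 0.0.0.0/0 203.0.113.1
vpn 10
 interface ge0/1
  ip address 10.10.1.1/24
policy
 access-list branch-acl
  sequence 10
   match
    source-ip 10.10.1.0/24
   action accept
"""

# Constructed "current" config: a new user in the netadmin group, the underlay
# default route pointed at a different next hop, and one benign description.
CURRENT = """\
system
 host-name branch-edge-01
 site-id 101
aaa
 auth-order local radius
 user admin
  group netadmin
 user svc-backup
  group netadmin
vpn 0
 interface ge0/0
  ip address 203.0.113.10/24
  tunnel-interface
   encapsulation ipsec
 ip route 0.0.0.0/0 198.51.100.1
vpn 10
 interface ge0/1
  description LAN uplink
  ip address 10.10.1.1/24
policy
 access-list branch-acl
  sequence 10
   match
    source-ip 10.10.1.0/24
   action accept
"""

Path = tuple[str, ...]


def parse_paths(config: str) -> set[Path]:
    """Turn an indentation-structured config into a set of full stanza paths.

    Keeping the whole ancestor chain matters: a flat set of lines would merge
    the two identical 'group netadmin' lines and hide the new user's group.
    """
    paths: set[Path] = set()
    stack: list[tuple[int, str]] = []  # (indent, text) of open ancestors
    for raw in config.splitlines():
        text = raw.strip()
        if not text or text.startswith("!"):  # skip blanks and comments
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        while stack and stack[-1][0] >= indent:
            stack.pop()
        stack.append((indent, text))
        paths.add(tuple(t for _, t in stack))
    return paths


def is_high_risk(path: Path) -> bool:
    """True if any element of the stanza path starts with a high-risk marker."""
    return any(elem.startswith(m) for elem in path for m in HIGH_RISK_MARKERS)


@dataclass
class DriftReport:
    added: list[Path] = field(default_factory=list)    # in current, not baseline
    removed: list[Path] = field(default_factory=list)  # in baseline, not current

    def high_risk(self) -> list[Path]:
        return [p for p in self.added + self.removed if is_high_risk(p)]

    def benign(self) -> list[Path]:
        return [p for p in self.added + self.removed if not is_high_risk(p)]


def diff_configs(baseline: str, current: str) -> DriftReport:
    """Symmetric difference of stanza paths; insensitive to line reordering."""
    base, cur = parse_paths(baseline), parse_paths(current)
    return DriftReport(added=sorted(cur - base), removed=sorted(base - cur))


def render(path: Path) -> str:
    return " / ".join(path)


def main() -> None:
    report = diff_configs(BASELINE, CURRENT)
    print("HIGH RISK drift:")
    for p in report.high_risk():
        print("  " + ("+" if p in report.added else "-"), render(p))
    print("other drift:")
    for p in report.benign():
        print("  " + ("+" if p in report.added else "-"), render(p))


if __name__ == "__main__":
    main()
```

Run against the constructed input, the report surfaces the new netadmin-group user and the rewritten default route (a traffic-redirection change) as high risk, while the added interface description lands in the low-priority bucket. In practice the baseline should be the configuration snapshot taken at the last approved change window and stored outside the SD-WAN Manager itself, since a compromised manager cannot be trusted to report honestly on changes it pushed.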

Little is yet known about which organizations were affected.

Security pros said teams have to come to grips with the reality that SD-WAN gear from the likes of Cisco has become a favorite target of attackers.

“Attackers increasingly recognize that compromising the systems designed to manage and secure networks can offer broad access, persistence, and control over enterprise environments,” said Heath Renfrow, co-founder and chief information security officer at Fenix24.

“While this latest vulnerability requires authenticated access, security teams should not dismiss it as low risk: threat actors rarely rely on a single vulnerability. They chain together credential theft, previously disclosed vulnerabilities, misconfigurations, and privilege escalation flaws to move from initial access to full administrative control.”

Renfrow underscored that organizations face severe consequences from a compromise of an SD-WAN management platform: when attackers gain control of the SD-WAN controller, they can potentially manipulate routing policies, intercept or redirect traffic, disable security controls, establish persistence across branch locations, facilitate lateral movement, and disrupt business operations at scale.

“In many organizations, SD-WAN platforms sit at a critical intersection between connectivity, security, and operational resilience,” noted Renfrow.

Ericka Downs, vice president at MSP group Courser, added that the industry has clearly entered a period in which a steady stream of critical vulnerabilities has become part of normal operations, especially in core infrastructure platforms like SD-WAN. Downs said the Cisco case shows this isn't just about volume: it's about chained vulnerabilities, active exploitation before patches exist, and high-impact systems being repeatedly targeted.

“This doesn’t have to be the end state,” said Downs. “The way out isn’t just faster patching, it’s shifting how we operate: assuming exposure windows will exist, designing architectures that limit the blast radius, and moving from vulnerability management to continuous exposure management and containment. At a leadership level, the mantra should be that security success is no longer defined by preventing every vulnerability, but by our ability to operate resiliently in spite of them.”

Sunil Gottumukkala, chief executive officer of Averlon, pointed out that a recurring pattern of exploits like this usually signals underlying code-quality problems that merit a deeper look. Gottumukkala said there is now a strong case for Cisco to invest heavily in in-depth scanning.

“Frontier models like Claude Mythos and OpenAI's Codex Security have been quite effective at finding logic issues that traditional scanners have struggled to find,” said Gottumukkala. “Cisco should prioritize this ASAP if they haven't already.”
 
Gottumukkala added that defenders are in a tough situation because SD-WAN Manager effectively operates as the network's control plane. In addition to applying patches as they become available, Gottumukkala said teams should focus on reducing SD-WAN Manager's exposure: tightly restrict and monitor netadmin access, and treat the management plane as critical infrastructure to segment and watch closely.

“And given how steadily these are surfacing, assume more are coming and manage that system accordingly rather than waiting for the next patch,” said Gottumukkala.
