Actively exploited flaw found in Cisco Catalyst SD-WAN Manager
Cisco warns CVE-2026-20245 in Catalyst SD‑WAN Manager is being exploited in the wild and no patch is available; customers are urged to apply mitigations now.
On June 6, 2026, Cisco warned that a vulnerability tracked as CVE-2026-20245 in its Catalyst SD‑WAN Manager product is being actively exploited and that a software patch is not yet available.
The flaw affects installations of Catalyst SD‑WAN Manager, the product operators use to configure and monitor SD‑WAN deployments. Cisco’s advisory states attackers have targeted the management software in real environments, prompting the vendor to assign the CVE number and publish defensive guidance.
The advisory instructs customers to reduce exposure of management interfaces and limit which systems can reach SD‑WAN Manager. Recommended steps include isolating the management appliance or virtual machine from untrusted networks, enforcing firewall rules or access control lists to restrict access, and applying network segmentation to separate management traffic from production data.
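One way to check the access restriction described above, as an added example that is not taken from Cisco's advisory: the script audits a constructed, vendor-neutral rule list and flags every permit rule that lets a source outside the approved admin subnets reach the manager. The manager address, admin subnets, rule format and the `audit_rules` name are assumptions for illustration.

```python
import ipaddress

# Assumed values for illustration only; none of these come from the advisory.
MANAGER = ipaddress.ip_address("192.0.2.10")
ADMIN_NETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/24", "10.20.1.0/28")]

# Constructed rules, first match wins: (action, source, destination, port).
RULES = [
    ("permit", "10.20.0.0/24", "192.0.2.10/32", 443),    # approved admin subnet
    ("permit", "10.20.0.0/16", "192.0.2.10/32", 443),    # wider than the admin subnet
    ("permit", "0.0.0.0/0", "192.0.2.0/24", 22),         # any source, manager's subnet
    ("permit", "0.0.0.0/0", "198.51.100.5/32", 443),     # different host, out of scope
    ("deny", "0.0.0.0/0", "192.0.2.10/32", None),        # default deny for the manager
    ("permit", "203.0.113.0/24", "192.0.2.10/32", 443),  # shadowed by the deny above
]

def audit_rules(rules, manager=MANAGER, admin_nets=ADMIN_NETS):
    """Return (index, rule, reason) for each permit rule that exposes the
    manager to sources outside the approved admin subnets."""
    findings = []
    for i, rule in enumerate(rules):
        action, src, dst, _port = rule
        src_net = ipaddress.ip_network(src)
        dst_net = ipaddress.ip_network(dst)
        if manager not in dst_net:
            continue  # rule does not cover the manager at all
        if action == "deny":
            # A deny from any source ends evaluation for the manager, so later
            # rules cannot match. Narrower denies are ignored here, which
            # means the audit may over-report but never under-reports.
            if src_net.prefixlen == 0:
                break
            continue
        if not any(src_net.subnet_of(net) for net in admin_nets):
            reason = f"source {src} is outside the approved admin subnets"
            findings.append((i, rule, reason))
    return findings

if __name__ == "__main__":
    for index, rule, reason in audit_rules(RULES):
        print(f"rule {index}: {rule} -> {reason}")
```

The same comparison applies to rules exported from a real firewall or ACL once they are converted into this tuple form.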
Administrators are advised to increase logging and monitoring on the appliance, look for unexpected configuration changes and unknown accounts, and follow incident-response procedures if compromise is suspected. Cisco also recommends applying intrusion prevention system rules where available to detect exploit attempts and using virtual patching on perimeter devices for temporary protection.
Security teams that manage SD‑WAN deployments reported the advisory triggered reviews of management-plane exposure and access controls. Network operators were reminded to confirm management interfaces are not directly reachable from the internet and to enforce multi-factor authentication and strict host-based restrictions where possible.
The management platform holds configuration and orchestration capabilities for routing, policy and security across branch locations. Analysts reviewing the advisory noted that successful exploitation could allow an attacker to alter routing or security policies or to deploy malicious configurations, although Cisco did not publish technical proof-of-concept details in its initial notice.
Cisco is developing a software update to remediate CVE-2026-20245 and will publish the patch and installation instructions after testing. The company encouraged customers to subscribe to its advisories and to apply the official update as soon as it becomes available. In the interim, isolating the management interface and tightening access controls remain the primary defenses.
SD‑WAN management platforms have been targeted in prior incidents because they provide centralized control over network behavior. Customers and managed-service providers are using Cisco’s advisory to prioritize mitigation steps until a verified patch is released.








