Active Exploitation of Cisco Catalyst SD‑WAN Manager (CVE‑2026‑20245) Added to CISA KEV Catalog
What It Is – CISA has placed CVE‑2026‑20245, an improper output‑encoding flaw in Cisco Catalyst SD‑WAN Manager, into its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability allows an unauthenticated attacker to inject crafted data that can lead to cross‑site scripting (XSS) or command injection on the management interface.
Exploitability – Threat‑intel feeds confirm active exploitation in the wild, and proof‑of‑concept code is publicly available. The CVSS v3.1 base score is 7.8 (High).
Affected Products – Cisco Catalyst SD‑WAN Manager (all versions prior to the emergency patch released in June 2026). The KEV entry also references concurrent Chrome and Arista flaws, but the Cisco issue is the focus for supply‑chain risk.
TPRM Impact – Organizations that rely on Cisco‑managed SD‑WAN services may see unauthorized command execution, data leakage, or service disruption propagated through third‑party network providers. The flaw can be leveraged to pivot into downstream SaaS or on‑premise environments that consume the SD‑WAN overlay.
Recommended Actions –
- Apply Cisco’s emergency patch for CVE‑2026‑20245 immediately.
- Verify that any managed SD‑WAN services have been updated; request proof of remediation from your service provider.
- Conduct a rapid inventory of all Cisco SD‑WAN endpoints and enforce strict network segmentation for management interfaces.
- Enable multi‑factor authentication and enforce least‑privilege access on the manager UI.
- Update incident‑response playbooks to include detection of anomalous SD‑WAN traffic and XSS‑style payloads.
Source: The Hacker News