CVE-2026-20245
Cisco · Catalyst SD-WAN Manager
A command injection and privilege escalation vulnerability exists in the CLI of Cisco Catalyst SD-WAN Manager due to insufficient input validation.
Executive summary
Cisco Catalyst SD-WAN Manager is vulnerable to a critical command injection flaw that is being actively exploited in the wild.
Vulnerability
This is a command injection and privilege escalation vulnerability in the CLI of Cisco Catalyst SD-WAN Manager. Exploitation requires the attacker to hold netadmin privileges, which can be obtained through valid credentials or by chaining other vulnerabilities such as CVE-2026-20182 or CVE-2026-20127. With that access, the flaw allows unauthorized configuration changes to be pushed to edge devices.
Business impact
The CVSS score of 9.5 reflects the extreme severity of this vulnerability. Successful exploitation permits attackers to manipulate network configurations, potentially leading to widespread network disruption, man-in-the-middle attacks, or complete compromise of the SD-WAN infrastructure. The active exploitation observed in the wild significantly elevates the urgency of this advisory.
Remediation
Immediate Action: Review the Cisco security advisory (cisco-sa-sdwan-rpa2-v69WY2SW) and apply all recommended mitigations immediately.
Proactive Monitoring: Monitor CLI logs for unauthorized command execution and audit configuration change logs for any unexpected modifications to edge devices.
Compensating Controls: Restrict administrative access to the SD-WAN Manager CLI to only essential personnel and enforce strict multi-factor authentication (MFA) to mitigate the risk of credential-based access.
Exploitation status
Public Exploit Available: No
Analyst recommendation
Given the critical severity and confirmed active exploitation, organizations must prioritize the remediation of this vulnerability. Administrators should consult the vendor advisory immediately to implement the necessary mitigations and ensure that administrative access is strictly controlled to prevent the initial compromise required for exploitation.