Part of Lyceum Intelligence — deep-research In Focus reports → · Lyceum Corpus — ask the documents →

Full-text search across 381 articles. Typo-tolerant.

Lyceum News Desk ·

[KEV] CVE-2026-20245 -- CVSS 0.0 Vulnerability Briefing

[KEV] CVE-2026-20245 | CVSS 0.0 (Low) | Exploit: Operational

What Is It

CVE-2026-20245 is an improper output encoding and escaping vulnerability in Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage), a centralized network management and orchestration platform for Cisco SD-WAN deployments.

Technical Detail

The flaw exists in how Cisco Catalyst SD-WAN Manager handles output encoding or escaping when processing user-supplied files. An authenticated local attacker can supply a crafted file to the system that, due to insufficient escaping, results in arbitrary command execution at the root privilege level. The impact is a full local privilege escalation to root, which on a network management platform of this class can expose configuration data, credentials, and control-plane access across managed SD-WAN infrastructure.

Exploitation Status

CISA has confirmed active exploitation in the wild, with this vulnerability added to the Known Exploited Vulnerabilities catalog on June 9, 2026. The exploit maturity is rated Operational, meaning functional exploit code capable of reliable exploitation exists and is being used in real-world attacks, not merely as a proof-of-concept demonstration. Organizations should treat this as an actively weaponized vulnerability requiring immediate action.

Who Is Targeting This

No specific threat actor attribution at this time. Neither confirmed nor reported threat actor associations have been established for this CVE in available intelligence sources.

What To Do

Apply the relevant Cisco security patch for Catalyst SD-WAN Manager immediately. Per CISA's Known Exploited Vulnerabilities catalog binding directive (BOD 22-01), federal civilian executive branch agencies are required to remediate this vulnerability by the deadline specified in the KEV entry, which was added June 9, 2026. All organizations should treat this as a high-priority patch regardless of the CVSS score, which does not reflect the confirmed active exploitation status. As an interim measure, restrict local access to the SD-WAN Manager system to only authorized administrative accounts, audit recent file upload or import activity on affected systems for signs of misuse, and review root-level process execution logs for anomalous activity. Consult the Cisco Security Advisory for this CVE to confirm affected software versions and obtain patched releases.

In Focus
All analysis →

Deep-research intelligence reports from Lyceum Intelligence — structured assessments with sourced claims and calibrated conclusions.

Browse Intelligence Reports →