Decoding the world of cybersecurity

Cisco SD-WAN flaw reaches exploited list

NHS England has warned that Cisco is aware of exploitation of a Catalyst SD-WAN vulnerability that can allow root-level command execution.

Cisco SD-WAN flaw reaches exploited list
Summary
  • NHS England has warned about CVE-2026-20245 in Cisco Catalyst SD-WAN products.
  • Cisco is aware of exploitation, and CISA has added the flaw to its Known Exploited Vulnerabilities catalogue.
  • SD-WAN control infrastructure can become a resilience risk when attackers reach management and configuration layers.

Cisco has released security updates for a Catalyst SD-WAN vulnerability that has been exploited, with NHS England warning organisations to review affected systems, assess compromise, and apply fixed versions.

The NHS England alert covers CVE-2026-20245, a high-severity vulnerability affecting Catalyst SD-WAN Controller, Catalyst SD-WAN Manager, and Catalyst SD-WAN Validator. The products were formerly known as SD-WAN vSmart, vManage, and vBond.

The flaw is caused by insufficient validation of user-supplied input. Successful exploitation could allow an authenticated local attacker to execute arbitrary commands as root by uploading a crafted file to an affected system. NHS England says the attacker must have netadmin privileges, which would require valid credentials or exploitation of earlier SD-WAN vulnerabilities.

Cisco has said it is aware of exploitation of CVE-2026-20245. NHS England also notes that the US Cybersecurity and Infrastructure Security Agency has added the vulnerability to its Known Exploited Vulnerabilities catalogue. The alert says Cisco has observed limited cases where exploitation resulted in a configuration change pushed to edge devices.

The relevant June NHS England alert concerns CVE-2026-20245. Earlier shortlist notes included a different CVE number, but the verified advisory, exploitation status, and affected product family point to CVE-2026-20245.

SD-WAN systems are attractive because they sit close to the control plane of distributed organisations. They shape how sites connect, how traffic is routed, how policy is enforced, and how edge devices receive configuration. A compromised management layer can therefore create consequences far beyond the appliance where exploitation begins.

The vulnerability is not unauthenticated on its own. NHS England links exploitation prerequisites to valid credentials or earlier SD-WAN vulnerabilities. In real intrusions, attackers often chain weaknesses: first gaining access through exposed management paths, stolen credentials, or an older flaw, then using a second vulnerability to deepen control.

The alert’s compromise-assessment guidance is also notable. NHS England encourages organisations to follow Cisco’s indicators of compromise guidance and warns that organisations should complete evidence collection before patching where compromise is suspected, because patching may remove artefacts needed for threat hunting. That is a practical distinction often missed in patch-only messaging.

Edge and network-control devices continue to strain ordinary vulnerability management. They may not be visible to endpoint tools, may sit under network or supplier ownership, and may be exposed by design. Their logs may be short-lived, their update windows constrained, and their administrative interfaces reachable through complex management paths.

UK healthcare, retail, manufacturing, logistics, public services, and financial branch networks all depend on reliable connectivity between sites and central systems. If an attacker can alter configuration, add persistence, or disrupt routing, the incident can affect service continuity rather than only data confidentiality.

Near-term work includes identifying affected deployment types, including on-premises, Cisco hosted, Cisco managed, and government environments. Organisations also need to confirm who has netadmin access, review recent configuration changes, preserve relevant logs, and validate edge device configuration before assuming that patching alone closes the incident.

Network management infrastructure has become part of the enterprise attack surface. When attackers move into the control layer, cyber risk becomes infrastructure risk.

×