CVE-2026-20245 - Cisco Catalyst SD-WAN tenant upload command injection
CVE ID + Title + Severity + Publication Date
- CVE ID: CVE-2026-20245
- Title: Cisco Catalyst SD-WAN tenant upload command injection
- Severity: High (CVSS v3.1 score 7.8)
- Publication date: 2026-06-04
- Affected tech stack: Cisco Catalyst SD-WAN Controller, Manager, and Validator CLI / tenant-list upload workflow
- Revenue tags: sellable_to_fintech, enterprise_blocker, zero_day_gold
One-sentence business risk
An attacker with netadmin access can turn Cisco SD-WAN management-plane access into root shell control, allowing fabric configuration theft, rogue account creation, anti-forensic cleanup, and customer-impacting edge-device changes.
Root cause and affected versions
CVE-2026-20245 is insufficient validation of user-controlled tenant-list upload data in the Cisco Catalyst SD-WAN CLI. The vulnerable tenant-upload workflow accepts a crafted CSV file and passes data into privileged processing, allowing an authenticated local attacker with netadmin privileges to execute commands as root. Mandiant reported in-the-wild exploitation where a malicious evil_tenant.csv upload was used after SD-WAN administrative access had already been obtained.
- Vulnerable range: Cisco Catalyst SD-WAN releases documented by Cisco advisory
cisco-sa-sdwan-privesc-4uxFrdzxbefore the fixed trains. - Fixed or mitigated range: Upgrade to fixed Cisco Catalyst SD-WAN Manager releases
20.9.9.2,20.12.7.2,20.15.4.5,20.15.5.3,20.18.3.1,26.1.1.2, or later. - Public exploit/PoC status: Exploited in the wild as a zero-day. Do not reproduce against production or shared SD-WAN infrastructure.
Exact vulnerable code pattern
# CVE-2026-20245: tenant-list CSV data reaches privileged upload handling.
request tenant-upload tenant-list /home/admin/evil_tenant.csv vpn 0
# Representative vulnerable appliance-side pattern.
csv_path = cli_args["tenant_list"]
tenant_rows = open(csv_path, encoding="utf-8").read()
subprocess.run(f"/usr/share/viptela/apply_tenant_list {tenant_rows}", shell=True, check=True)
Fixed / mitigated code pattern
csv_path = pathlib.Path(cli_args["tenant_list"]).resolve()
allowed_root = pathlib.Path("/home/admin").resolve()
if allowed_root not in csv_path.parents:
raise ValueError("tenant list path outside allowed root")
rows = csv.DictReader(csv_path.open(encoding="utf-8", newline=""))
for row in rows:
tenant = row.get("tenant", "")
vpn = row.get("vpn", "")
if not re.fullmatch(r"[A-Za-z0-9_.-]{1,64}", tenant):
raise ValueError("invalid tenant")
if not re.fullmatch(r"[0-9]{1,6}", vpn):
raise ValueError("invalid vpn")
subprocess.run(
["/usr/share/viptela/apply_tenant_list", "--tenant", tenant, "--vpn", vpn],
shell=False,
check=True,
)
For managed Cisco appliances, the production fix is the Cisco software upgrade, not a customer-side source patch. The code pattern is for reviewers assessing adjacent automation, wrappers, or custom tenant-upload tooling.
Step-by-step integration guide
- Inventory every Cisco Catalyst SD-WAN Controller, Manager, and Validator instance, including on-prem, cloud-hosted, managed cloud, FedRAMP, lab, and break-glass appliances.
- Map each instance to its exact software train and confirm whether it is at or above
20.9.9.2,20.12.7.2,20.15.4.5,20.15.5.3,20.18.3.1,26.1.1.2, or the later fixed release for that train. - Upgrade vulnerable management-plane systems first; then verify edge-device configuration because Cisco observed limited cases where exploitation changed edge-device configuration.
- Remove direct internet exposure from SD-WAN management interfaces, restrict SSH and web access to hardened admin networks, and require MFA and certificate hygiene for netadmin paths.
- Hunt for
request tenant-upload tenant-list, unusual CSV files under/home/admin, account changes toadminorvmanage-admin, rogue users such astroot, and modifications to/etc/passwd,/etc/shadow, or/usr/share/viptela/vbond_vsmart_tenant_list. - Rotate credentials and certificates if unauthorized peering, tenant uploads, or suspicious administrative sessions are found.
- For repositories that manage SD-WAN automation, add tests that reject tenant-list values containing shell metacharacters, absolute paths, path traversal, newlines, or embedded command substitutions.
Alternative mitigations
- Temporarily disable or tightly gate tenant-list upload workflows for non-break-glass admins until fixed software is deployed.
- Restrict CLI/SSH access to SD-WAN management nodes with source IP allowlists, just-in-time admin, session recording, and explicit approval for tenant-upload commands.
- Monitor and block CSV filenames or contents containing shell metacharacters, newline command injection, absolute paths, or writes to
/etc/passwdand/etc/shadow. - Follow Cisco SD-WAN hardening guidance for management, control, and data planes.
- If compromise is suspected, preserve forensic images before cleanup, rebuild affected appliances where integrity cannot be trusted, and verify fabric/device configuration drift.
Detection signature
process.command_line contains "request tenant-upload tenant-list"
OR file.path matches "/home/admin/*.csv" AND file.name contains "tenant"
OR file.path in ("/etc/passwd", "/etc/shadow", "/usr/share/viptela/vbond_vsmart_tenant_list") modified by an SD-WAN admin session
OR user.name in ("troot", "vmanage-admin", "admin") AND event.action in ("password_change", "user_add", "ssh_login")
Repository checks for adjacent automation:
rg -n "tenant-upload|tenant-list|viptela|vmanage|subprocess|shell=True|ProcessBuilder|/etc/passwd|/etc/shadow" .
Copy-paste skill
You are remediating CVE-2026-20245, Cisco Catalyst SD-WAN tenant-upload command injection.
Goal: produce a reviewer-ready PR or operator change plan that removes exposure, upgrades affected Cisco SD-WAN management-plane systems, and adds detection for exploited tenant-upload behavior.
Rules:
- Scope only CVE-2026-20245 and directly related Cisco SD-WAN management-plane automation.
- Do not run exploit CSVs or tenant-upload probes against production, shared staging, customer appliances, or third-party infrastructure.
- Treat SD-WAN configs, certificates, admin credentials, peering data, appliance logs, and forensic artifacts as sensitive.
- If this repository does not own Cisco SD-WAN deployment or automation, write `TRIAGE.md` with checked files, owners, and the handoff target.
Steps:
1. Search the repo for `Cisco SD-WAN`, `vManage`, `viptela`, `tenant-upload`, `tenant-list`, `vpn 0`, `vmanage-admin`, and SD-WAN inventory files.
2. Identify every controlled SD-WAN Manager/Controller/Validator version and compare it to Cisco fixed releases `20.9.9.2`, `20.12.7.2`, `20.15.4.5`, `20.15.5.3`, `20.18.3.1`, `26.1.1.2`, or later.
3. If the repo controls upgrade manifests or runbooks, update them to the fixed release train and include edge-device configuration verification after upgrade.
4. If the repo owns tenant-list automation, remove shell string execution, canonicalize upload paths, parse CSV with strict schemas, and pass arguments as arrays with `shell=False`.
5. Add tests that reject tenant-list filenames and fields containing `;`, `&`, `|`, backticks, `$()`, absolute paths, traversal, or embedded newlines.
6. Add detection for `request tenant-upload tenant-list`, suspicious CSV uploads, rogue `troot` account creation, admin password resets, and writes to `/etc/passwd`, `/etc/shadow`, or `/usr/share/viptela/vbond_vsmart_tenant_list`.
7. Document credential/certificate rotation and forensic preservation steps if logs show unauthorized peering, admin access, tenant upload, or anti-forensic cleanup.
Stop and write `TRIAGE.md` if Cisco SD-WAN is not present, the affected appliances are outside repository ownership, or validation would require unsafe production probing.
Keywords and tags
- Keywords: CVE-2026-20245, Cisco Catalyst SD-WAN, vManage, tenant-upload, command injection, KEV, zero-day
- Revenue tags: sellable_to_fintech, enterprise_blocker, zero_day_gold
References
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-20245
- Cisco advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-privesc-4uxFrdzx
- Mandiant/Google Threat Intelligence: https://cloud.google.com/blog/topics/threat-intelligence/zero-day-exploitation-cisco-catalyst-sd-wan-manager
- The Hacker News: https://thehackernews.com/2026/06/cisco-catalyst-sd-wan-zero-day-cve-2026.html
- CISA KEV lookup: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-20245