The company cautioned that no current patches are available and the flaw could allow an attacker to conduct command injection attacks.

Cisco on Thursday warned of a zero-day vulnerability in its Catalyst SD-WAN product that could allow an attacker to execute arbitrary commands as root.

The vulnerability, tracked as CVE-2026-20245, is the result of insufficient validation of user-supplied input. The flaw, which has a severity score of 7.8, could allow an attacker to conduct command-injection attacks and elevate privileges as the root user.

The company said it has confirmed a limited number of cases where the flaw was exploited, leading to a configuration change being pushed to edge devices.

Cisco has thus far not released any patches and has no current workarounds.

The vulnerability was disclosed by Mandiant. A spokesperson for Google Threat Intelligence Group, which Mandiant is part of, was not immediately available.

The company cautioned that in order to exploit the flaw, an attacker must have network administrator privileges on an affected system. These privileges can be obtained only through valid credentials or prior exploitation of CVE-2026-20182, an authentication bypass flaw, or CVE-2026-20127, a flaw in the SD-WAN peering mechanism.

Cisco is recommending customers upgrade to the software version disclosed in the May 14 advisory, which was linked to the disclosure of CVE-2026-20182. The company said in a statement the move would be considered “a protective measure.”

The company said a patch for CVE-2026-20245 will be issued in a future release, but officials did not disclose a specific time frame. Customers needing help addressing these steps should contact the Cisco Technical Assistance Center, according to the spokesperson.

The zero-day flaw is being disclosed about three weeks after CVE-2026-20182, which was a critical vulnerability with a severity score of 10. That vulnerability was immediately added to the Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities catalog.

Cisco Talos researchers linked the May exploitation activity to a threat actor tracked as UAT-8616. The same attacker had been linked to exploitation of CVE-2026-20127.