Cisco SD-WAN: handling an actively exploited flaw with no patch (CVE-2026-20245)
What do you do when a vulnerability is being exploited… but no patch is available yet?
👉 That's exactly the situation some network and security teams face with CVE-2026-20245 affecting Cisco Catalyst SD-WAN Manager. Cisco confirmed cases of active exploitation while no fix was available when the advisory was published.
One of the most uncomfortable scenarios for a CISO: you know the vulnerability, you know the risk… but you can't patch yet.
CVE-2026-20245
active exploitation confirmed, no patch at the time of the advisory
affecting Cisco Catalyst SD-WAN Manager — the network control plane potentially impacted
Source: Cisco — security advisory
When the patch doesn't exist yet, waiting is not a strategy. Compensating controls become your first line of defence.
🔍 What you need to understand
It's not only the management server at stake
The vulnerability allows an attacker who already holds high privileges to execute commands as root via a specially crafted file. Cisco observed cases where exploitation led to configuration changes on SD-WAN devices.
"The problem is not only the management server: it is potentially the entire network control plane that can be impacted."
- Command execution as root via a malicious file
- Prerequisite: high privileges already obtained on the system
- Observed impact: configuration changes on SD-WAN devices
🌐1. Do not expose the management interface to the Internet
👉 Verify that the SD-WAN Manager is not reachable from outside.
- Map the actual exposure
- Close any unnecessary public access
🔒2. Restrict access to administration networks
👉 Limit access to authorised administration networks and hosts only.
- IP filtering / admin bastion
- Network least-privilege principle
👁️3. Strengthen monitoring of administrative connections
👉 Closely watch who connects, from where and when.
- Alerts on unusual admin logins
- Review of privileged sessions
🔎4. Hunt for unusual configuration changes
👉 Detect suspicious changes on SD-WAN devices.
- Comparison against a baseline configuration
- Monitoring of unplanned changes
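An added example of the baseline comparison this step describes (not Cisco's or the advisory's code): each device configuration is modelled as sections of lines, diffed against the last approved baseline, and any change observed outside an approved change window is reported. Device names, configuration lines and timestamps are constructed for the demonstration.

```python
"""Baseline drift check for SD-WAN device configurations.

Added example (not Cisco's code): each device's running configuration is
modelled as a dict of section -> list of lines, the baseline is the last
approved configuration, and any change observed outside an approved change
window is reported for review. Device names, lines and times are constructed."""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Change:
    device: str
    section: str
    kind: str          # "added" or "removed"
    line: str
    observed: datetime


def diff_config(device, baseline, current, observed):
    """Return every line added to or removed from the baseline, per section."""
    changes = []
    for section in sorted(set(baseline) | set(current)):
        before, after = set(baseline.get(section, [])), set(current.get(section, []))
        changes += [Change(device, section, "added", ln, observed) for ln in sorted(after - before)]
        changes += [Change(device, section, "removed", ln, observed) for ln in sorted(before - after)]
    return changes


def unplanned(changes, change_windows):
    """Keep only changes that fall outside an approved (device, start, end) window."""
    return [c for c in changes
            if not any(d == c.device and s <= c.observed <= e for d, s, e in change_windows)]


# Constructed sample: last approved baseline vs. a configuration pulled today.
BASELINE = {"system": ["host-name branch-01", "ntp server 10.0.0.1"],
            "logging": ["server 10.0.0.5"]}
CURRENT = {"system": ["host-name branch-01", "ntp server 10.0.0.1",
                      "aaa user svc-maint group netadmin"],   # new privileged user
           "logging": []}                                       # log forwarding removed
# The only approved window for this device was a maintenance slot last week.
WINDOWS = [("branch-01", datetime(2026, 3, 2, 22, 0), datetime(2026, 3, 3, 2, 0))]


def run_sample():
    observed = datetime(2026, 3, 9, 9, 30)   # outside the approved window
    return unplanned(diff_config("branch-01", BASELINE, CURRENT, observed), WINDOWS)


if __name__ == "__main__":
    for c in run_sample():
        print(f"[UNPLANNED] {c.device} {c.section}: {c.kind} '{c.line}' at {c.observed:%Y-%m-%d %H:%M}")
```

Run against real exports, the same approach surfaces a new NetAdmin-group user or a disabled log forwarder the moment it lands outside a change ticket.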
🔑5. Control privileged accounts and NetAdmin access
👉 Audit high-privilege accounts and their usage.
- Review of NetAdmin accounts
- MFA and secret rotation
📑6. Preserve logs and indicators of compromise
👉 Keep evidence for a potential investigation.
- Log centralisation and retention
- Collection of known IOCs
💬 Where maturity is measured
Patch management is essential — but it is not everything
When no fix exists yet, the difference is made elsewhere. It is often there, in the ability to hold the line without a patch, that an organisation's real maturity is measured.
"Segmentation, access control, visibility and detection capability: that is what makes the difference when the patch is not (yet) there."
- Segmentation limits propagation
- Access control reduces the exploitable surface
- Visibility and detection enable a fast response
🧠 What about you?
Patch management remains essential. But against an actively exploited flaw with no fix, compensating controls are what protect you:
✔ Don't expose the management plane
✔ Restrict access
✔ Monitor and detect
✔ Preserve evidence
Resilience is not built on the day of the incident — it is prepared beforehand.
Have you ever had to handle an actively exploited vulnerability with no patch available? What was your first mitigation measure?
Need personalised guidance?
NagaShield Security helps you implement these measures concretely, tailored to your organisation and budget.