Cisco confirmed that CVE-2026-20245 (CVSS 7.8), a command-injection flaw in the CLI of Cisco Catalyst SD-WAN Manager, is being actively exploited as a zero-day to run arbitrary commands as root. The bug stems from insufficient validation of user-supplied input and affects all deployment types — On-Prem, SD-WAN Cloud-Pro, Cisco-managed cloud, and FedRAMP. Exploitation requires netadmin privileges, which attackers can obtain by first chaining CVE-2026-20182 or CVE-2026-20127. Mandiant reported the flaw, and Cisco has observed cases where attackers pushed configuration changes to edge devices. No patch exists yet; until one ships, Cisco advises upgrading to the CVE-2026-20182 fix and reviewing `/var/log/scripts.log` for suspicious uploads.