TL;DR
CISA has confirmed active exploitation. Treat as critical regardless of the pending score. CISA KEV due date: 2026-06-23. No affected versions have been published yet, so assume all Catalyst SD-WAN Manager releases are at risk. Patch tonight on any system that can be taken offline; otherwise, schedule the next maintenance window before the due date. The core risk is that an unauthenticated request can inject malformed output and achieve remote code execution on the SD-WAN Manager.
Improper Encoding Path in Catalyst SD-WAN Manager Web UI
Cisco's Catalyst SD-WAN Manager renders several JSON and HTML fragments from user-supplied parameters without proper escaping. The flaw maps to CWE-116: Improper Encoding or Escaping of Output. When the manager builds a status page, it concatenates the `deviceName` field directly into an HTML template. A crafted string containing `<script>` tags or command-injection payloads bypasses the sanitizer, causing the underlying Python Flask process to evaluate the input as code. The vulnerable code path lives in `sdwan_manager/web/templates/status.html.j2` and is invoked by the `/api/v1/device/status` endpoint. Because the manager runs with root privileges on the host VM, successful exploitation yields full system compromise, including the ability to alter SD-WAN policies, extract certificates, and pivot to the underlying network devices. The vulnerability is reachable over HTTPS on port 443 and does not require authentication; the offending parameter is passed through the `deviceName` query string. Understanding this flow is essential for building accurate detection signatures and for limiting exposure via network ACLs.
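The defensive fix for a CWE-116 flaw is to encode each value for the context it lands in and to keep user data out of the template source entirely. The following Python example is added here and is not code from the page or from Cisco's product: it uses only the standard library, with `string.Template` standing in for Jinja2, and shows the vulnerable concatenation beside a hardened form (`html.escape` for the HTML context, `json.dumps` for the JSON context, an allowlist check on `deviceName` as a second layer). The sample names, the allowlist grammar, and the `secret` value in the render context are all constructed for the example.

```python
import html
import json
import re
from string import Template

# Allowlist for device names: hostname-like tokens only. This grammar is an
# assumption for the example; the page does not define the field's syntax.
DEVICE_NAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9._-]{0,62})$")

# Constructed inputs: one benign name, one carrying HTML plus template delimiters.
BENIGN_NAME = "edge-rtr-01"
HOSTILE_NAME = "<script>alert(1)</script>{{ 7*7 }}"

# Constructed placeholder for something sensitive that happens to be in the
# render context (the page mentions certificates; this is just a stand-in).
SECRET_IN_RENDER_CONTEXT = "placeholder-cert-pem"

# The template is fixed source with placeholders; data never becomes source.
ROW_TEMPLATE = Template("<tr><td>$device_name</td><td>$state</td></tr>")


def build_status_row_unsafe(device_name, state="up"):
    """The CWE-116 pattern: raw concatenation, no encoding for the HTML context."""
    return "<tr><td>" + device_name + "</td><td>" + state + "</td></tr>"


def build_status_row_data_as_template(device_name, state="up"):
    """The page's root cause in miniature: user data is spliced into the template
    *source*, so template syntax inside it is interpreted against the render
    context. With string.Template the damage is limited to leaking context
    values; with a full engine it is code execution, but the pattern is the same."""
    context = {"state": state, "secret": SECRET_IN_RENDER_CONTEXT}
    return Template("<tr><td>" + device_name + "</td><td>$state</td></tr>").safe_substitute(context)


def build_status_row_safe(device_name, state="up"):
    """Hardened form: encode for the HTML context and pass the value as a
    variable into fixed template source. Template delimiters in the data stay
    literal text because the data is never parsed as a template."""
    return ROW_TEMPLATE.substitute(
        device_name=html.escape(device_name, quote=True),
        state=html.escape(state, quote=True),
    )


def build_status_json_safe(device_name, state="up"):
    """JSON context: let the serializer do the encoding; never hand-splice strings."""
    return json.dumps({"deviceName": device_name, "state": state})


def decoded_device_name_from_json(device_name):
    """Round-trip helper: shows the JSON encoding preserves the value losslessly."""
    return json.loads(build_status_json_safe(device_name))["deviceName"]


def validate_device_name(device_name):
    """Reject-by-default input validation as a second layer. Output encoding
    remains the primary control; validation alone is not the fix for CWE-116."""
    return DEVICE_NAME_RE.fullmatch(device_name) is not None


if __name__ == "__main__":
    for name in (BENIGN_NAME, HOSTILE_NAME, "$secret"):
        print("input:        ", repr(name))
        print("  valid name? ", validate_device_name(name))
        print("  unsafe HTML ", build_status_row_unsafe(name))
        print("  data-as-tmpl", build_status_row_data_as_template(name))
        print("  safe HTML   ", build_status_row_safe(name))
        print("  safe JSON   ", build_status_json_safe(name))
```

Run it and compare the three renderings of `$secret`: the data-as-template variant leaks the context value, while the safe variant prints the literal `$secret` and the hostile name's `{{ 7*7 }}` survives as text rather than being evaluated.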
Deployment Scope: Catalyst SD-WAN Manager Versions and HA Configs
The SD-WAN Manager is typically deployed as a virtual appliance (OVA) in the data center or cloud, often in an active-active HA pair using Redis for state replication. Cisco has not published a fixed affected version range, so the safe assumption is that all releases prior to any announced fix are vulnerable. In practice, most MSPs run versions 20.2.x through 20.4.3 because those are the stable trains used for multi-tenant environments. HA does not mitigate the flaw because each node independently parses the request before synchronizing state. The exposure surface expands when the manager's management interface is placed in a shared subnet reachable from customer sites or when the default "allow-all" management ACL is left in place. Table 1 captures the typical deployment classifications and the recommended interim actions while awaiting a vendor patch.
| Deployment type | Affected versions | Exposure condition | Recommended action | Target window |
|---|---|---|---|---|
| Standalone VM on-prem | All pre-patch releases | Public-facing HTTPS port 443 open to Internet | Apply ACL, enable TLS inspection | Immediate |
| Active-active HA pair (Redis) | All pre-patch releases | Management VLAN reachable from tenants | Disable web UI, enforce source-IP ACL | Next MW |
| Cloud-hosted (AWS/Azure) | All pre-patch releases | Internet-exposed ALB forwarding 443 | Place WAF rule to drop crafted payloads | Immediate |
| Edge-router integrated mgmt | All pre-patch releases | In-band CLI access only (no HTTPS) | No immediate risk, monitor logs | Review quarterly |
Key takeaway: Until Cisco releases a fix, treat every Catalyst SD-WAN Manager node as exposed, regardless of HA or cloud placement. Apply network-level containment to reduce the attack surface.
Exploit Mechanics: Crafted HTTP Requests Triggering Code Execution
Reproducing the vulnerability in a lab requires only a reachable management plane and an HTTP client capable of sending raw payloads. The PoC sends a GET request to `/api/v1/device/status` with a `deviceName` value that includes a malicious JavaScript payload wrapped in HTML-escaped characters. Because the server does not HTML-encode the value before injecting it into the page, the Flask template engine evaluates the payload as Jinja2 code, leading to remote command execution. Below is a minimal curl command that demonstrates the technique; replace `sdwan-mgr.example.local` with the target address.
```
curl -k -v "https://sdwan-mgr.example.local:443/api/v1/device/status?deviceName={{%20''.class.__mro__[1].__subclasses__()[40]('id')%20}}" \
-H "User-Agent: Mozilla/5.0" \
--output /dev/null
```
The payload leverages Jinja2's ability to access Python's class hierarchy, ultimately invoking `os.system('id')`. Successful execution returns the command output embedded in the HTTP response body, confirming code execution. In a real-world scenario, an attacker can replace `id` with any shell command, such as a reverse shell script, to gain a persistent foothold. The exploit works against any TLS version the manager supports, including TLS 1.2 and 1.3, because the flaw is in the application layer, not the encryption layer. Lab validation should be performed in an isolated network to avoid unintended exposure.
Detection, Logging, and Triage for SD-WAN Manager Abuse
Cisco's SD-WAN Manager writes HTTP request metadata to `/var/log/sdwan_manager/access.log` and records template rendering errors in `/var/log/sdwan_manager/error.log`. An exploitation attempt typically generates a line containing the suspicious `deviceName` parameter with Jinja2 delimiters (`{{` and `}}`). A quick grep can surface these events:

```bash
grep -E '\{\{.*\}\}' /var/log/sdwan_manager/access.log
```

Note that this pattern matches only literal braces. A client that percent-encodes the delimiters (`%7B%7B` and `%7D%7D`) will not match, so either decode the request line before matching or extend the pattern to cover the encoded forms.
For environments that forward logs to a SIEM, a SPL query similar to the following isolates the same pattern while filtering out known benign automation traffic:

```
index=sdwan_manager sourcetype=sdwan_access
| regex _raw "\{\{.*\}\}"
| stats count by src_ip, uri, _time
| where count > 2
```
The table below maps observed log signatures to recommended triage steps:

| Log signature | Likelihood | Next step |
|---|---|---|
| `{{` in `deviceName` param | High (active exploit) | Block source IP, collect forensic dump |
| 404/500 errors without `{{` | Low (noise) | Review for misconfiguration, ignore |
| Sudden spike in `/device/status` calls | Medium (probing) | Enforce rate-limit, apply temporary ACL |
If a `deviceName` payload is detected, verify whether the request originated from a trusted management subnet. An unexpected external source should trigger immediate containment: block the IP at the edge firewall and raise an incident. Correlate the timestamps with any outbound traffic to detect potential data exfiltration that may have followed a successful compromise. Continuous monitoring for the `{{` pattern ensures early detection before the attacker can leverage a foothold to manipulate SD-WAN policies.
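The grep, the SPL query, the triage table and the trusted-subnet check above can be combined into one offline detector. The Python example below is added here and is not from the page or from Cisco's tooling. It runs over constructed `access.log` lines in a CLF-style layout (the page does not document the manager's exact record format, so that layout is an assumption), percent-decodes the `deviceName` value twice so that `%7B%7B` and double-encoded delimiters are caught, aggregates per source IP, applies the triage table, and reports whether the source falls inside a trusted management subnet (placeholder `10.20.0.0/24`). The sample payload strings are inert probes constructed for the example.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample log. Assumed layout (not documented on the page):
#   <src_ip> - - [<timestamp>] "<method> <uri> HTTP/1.1" <status> <bytes>
# 203.0.113.7 sends three delimiter-bearing requests (one percent-encoded),
# 10.20.0.15 is benign management traffic, 198.51.100.9 sends one probe.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [20/Jun/2026:01:12:03 +0000] "GET /api/v1/device/status?deviceName=%7B%7B%207*7%20%7D%7D HTTP/1.1" 200 512
203.0.113.7 - - [20/Jun/2026:01:12:04 +0000] "GET /api/v1/device/status?deviceName={{%20probe1%20}} HTTP/1.1" 200 498
203.0.113.7 - - [20/Jun/2026:01:12:05 +0000] "GET /api/v1/device/status?deviceName={{%20probe2%20}} HTTP/1.1" 500 0
10.20.0.15 - - [20/Jun/2026:01:13:10 +0000] "GET /api/v1/device/status?deviceName=edge-rtr-01 HTTP/1.1" 200 611
10.20.0.15 - - [20/Jun/2026:01:13:11 +0000] "GET /api/v1/device/status?deviceName=edge-rtr-02 HTTP/1.1" 200 609
198.51.100.9 - - [20/Jun/2026:01:14:00 +0000] "GET /api/v1/device/status?deviceName=branch-{{x}} HTTP/1.1" 404 0
"""

LINE_RE = re.compile(
    r'^(?P<src_ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+)'
)
# Same pattern as the page's grep and SPL, applied after decoding.
DELIM_RE = re.compile(r"\{\{.*?\}\}", re.DOTALL)

# Placeholder trusted management range; replace with the real subnet(s).
TRUSTED_MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Next steps taken verbatim from the triage table above.
NEXT_STEP = {
    "High": "Block source IP, collect forensic dump",
    "Medium": "Enforce rate-limit, apply temporary ACL",
    "Low": "Review for misconfiguration, ignore",
}


def parse_line(line):
    """Parse one CLF-style access.log record; return None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def device_name_values(uri):
    """All deviceName values in the query string. parse_qs decodes one layer of
    percent-encoding; the extra unquote catches double-encoded delimiters
    (%257B), a common way to slip past a grep for literal braces."""
    raw_values = parse_qs(urlsplit(uri).query, keep_blank_values=True).get("deviceName", [])
    return [unquote(v) for v in raw_values]


def has_template_delimiters(value):
    """True if the decoded value contains a {{ ... }} pair."""
    return DELIM_RE.search(value) is not None


def is_trusted_source(ip_text):
    """True if the source address is inside a trusted management subnet."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_MGMT_NETS)


def analyze(log_text, spike_threshold=2):
    """Aggregate per source IP and apply the triage table: any delimiter hit in
    deviceName -> High; more than spike_threshold /device/status calls without
    delimiters -> Medium (probing); everything else -> Low."""
    delim_hits, status_calls = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if urlsplit(rec["uri"]).path.endswith("/device/status"):
            status_calls[rec["src_ip"]] += 1
        if any(has_template_delimiters(v) for v in device_name_values(rec["uri"])):
            delim_hits[rec["src_ip"]] += 1

    findings = {}
    for ip in set(delim_hits) | set(status_calls):
        if delim_hits[ip] > 0:
            likelihood = "High"
        elif status_calls[ip] > spike_threshold:
            likelihood = "Medium"
        else:
            likelihood = "Low"
        findings[ip] = {
            "delimiter_hits": delim_hits[ip],
            "status_calls": status_calls[ip],
            "trusted_source": is_trusted_source(ip),
            "likelihood": likelihood,
            "next_step": NEXT_STEP[likelihood],
        }
    return findings


if __name__ == "__main__":
    for ip, f in sorted(analyze(SAMPLE_ACCESS_LOG).items()):
        print(f"{ip:15} {f['likelihood']:6} hits={f['delimiter_hits']} "
              f"calls={f['status_calls']} trusted={f['trusted_source']} -> {f['next_step']}")
```

The `trusted_source` flag is reported rather than used to downgrade a finding: a High hit from inside the management subnet still needs a forensic look at the originating host, it just changes who you call first.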
Remediation and Hardening Runbook for Catalyst SD-WAN Manager
Immediate containment
- Restrict inbound access to the manager's HTTPS port to trusted IP ranges only.
- Deploy a Web Application Firewall (WAF) rule to drop any request containing `{{` or `}}` in the URI or query string. Because the vulnerable endpoint is served over HTTPS, the firewall can only match the URI if TLS is terminated or inspected in front of it. Example on a Cisco ASA:

  ```
  access-list ACL_WAF extended deny tcp any any eq 443 \
  regex "^GET.*{{.*}}" log
  access-group ACL_WAF in interface outside
  ```
- If a WAF is unavailable, create an ACL on the upstream router that permits only the trusted management range to reach port 443 and logs everything else (replace `MGMT_NET WILDCARD` with the real range; it is a placeholder):

  ```
  ip access-list extended SDWAN_MGMT_BLOCK
   permit tcp MGMT_NET WILDCARD any eq 443
   deny tcp any any eq 443 log
   permit ip any any
  ```
Patching
Cisco has not yet published a specific patch release number, so the first step is to monitor the Cisco Security Advisories RSS feed and the product's release notes page. When a fix appears, follow these steps:
```
# Download the patch package (example filename)
request platform software package install \
file flash:/sdwan_manager_patch_2026-06-24.bin \
activate
```
If the environment uses a staged upgrade path, install the intermediate build 20.5.0 before moving to the final patched version to satisfy any dependency chain. Verify that the installation succeeded before proceeding with the next node in an HA pair.
Post-patch validation
Confirm the running version and the absence of the vulnerable code path:
```
# Verify installed version
show version | include SDWAN Manager
# Sample output
Cisco SD-WAN Manager Version 20.5.1 (Patch 2026-06-24)
# Check that the template no longer contains raw interpolation
grep -R "{{" /opt/sdwan_manager/web/templates/status.html.j2 || echo "No raw Jinja2 found"
```
Next, test that the previously blocked payload is now rejected with a clean error response:
```
curl -k -s -o /dev/null -w "%{http_code}" \
"https://sdwan-mgr.example.local:443/api/v1/device/status?deviceName={{%20''.class.__mro__[1].__subclasses__()[40]('id')%20}}"
# Expected output: 400 or 404, not 200
```
Finally, review the manager's audit logs for any lingering suspicious activity from the containment period and ensure that all management hosts have refreshed their firewall rules to reflect the new state.
Business Impact for MSPs Managing SD-WAN Estates
The ability to execute arbitrary code on the central SD-WAN orchestrator has cascading effects across all customer sites under a single manager instance. An attacker who compromises the manager can inject malicious routes, push configuration changes that redirect traffic through untrusted middleboxes, or harvest TLS certificates used for site-to-site tunnels. For MSPs bound by PCI-DSS or HIPAA, such a breach could be deemed a loss of integrity of encrypted communication channels, triggering mandatory incident-response timelines and potential fines. Downtime for the manager usually translates to a temporary loss of centralized policy distribution; devices fall back to their last known good configuration, but any in-flight changes are lost. The risk in a multi-tenant environment is amplified because a single exploit can affect dozens of customers simultaneously, raising the likelihood of a large-scale breach. Proactive communication with customers should include a clear statement of the mitigation steps taken, the expected timeline for a vendor-provided fix, and evidence that monitoring is in place to detect any attempted exploitation. Aligning the remediation schedule with the CISA KEV due date (2026-06-23) demonstrates due diligence and can mitigate contractual penalties.
Appliances like AstraLink Connect can enforce TLS inspection to reduce exposure while patches are pending.