Catalyst SD-WAN Manager actively exploited (CVE-2026-20262)
CVE-2026-20262: Cisco Catalyst SD-WAN Manager file overwrite flaw actively exploited. Low-privilege users can create OS files to escalate to root. Patch or restrict API access.
Actively exploited in the wild: CVE-2026-20262 is a medium-severity file-overwrite vulnerability in Cisco Catalyst SD-WAN Manager that lets an authenticated attacker with a low-privileged account create or overwrite arbitrary files on the underlying operating system and escalate to root.
Overview
CVE-2026-20262 affects the web UI of Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage). The vulnerability stems from insufficient validation of input to a file upload operation. An authenticated, remote attacker holding only a low-privileged, single-task user account can send a crafted HTTP request to the vulnerable API endpoint and create or overwrite arbitrary files on the underlying operating system. Because the target files are chosen by the attacker, that write primitive is enough to escalate to root and take full control of the system. Exploitation requires valid credentials, so any low-privilege account, including one obtained through phishing or credential reuse, is sufficient. Cisco has not yet released a patch; CISA has added this CVE to its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation.
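The class of defect the overview describes, shown as an added Python illustration rather than code from Cisco or from the SD-WAN Manager product: an upload handler that joins the client-supplied file name onto the upload directory unchecked, beside a hardened handler that rejects path separators, confines the resolved path to the canonical upload directory and refuses to overwrite existing files. The directory layout, the handler names and the cron-style payload are constructed for the demo and do not reflect the CVE's actual endpoint.

```python
"""Arbitrary file write via an unchecked upload name, beside the hardened form.
Added illustration of the bug class only; not Cisco code and not the CVE's
actual endpoint. Directory names and payload below are constructed."""
import os
import tempfile


def save_upload_unchecked(upload_dir: str, filename: str, data: bytes) -> str:
    """Vulnerable pattern: the client-controlled name is joined to the upload
    directory as-is. '../' segments walk out of the directory, and an absolute
    name makes os.path.join drop upload_dir entirely, so the service can be made
    to create or overwrite any file its OS user may write."""
    dest = os.path.join(upload_dir, filename)
    os.makedirs(os.path.dirname(dest), exist_ok=True)
    with open(dest, "wb") as fh:          # truncates and overwrites silently
        fh.write(data)
    return dest


def save_upload_hardened(upload_dir: str, filename: str, data: bytes) -> str:
    """Hardened pattern: accept a bare file name only, re-check the resolved
    path against the canonical upload directory (catches symlinked entries),
    and create with O_EXCL so an existing file is never overwritten."""
    if (not filename or filename in (".", "..") or filename.startswith(".")
            or "/" in filename or "\\" in filename or "\x00" in filename):
        raise ValueError("invalid upload name")
    root = os.path.realpath(upload_dir)
    dest = os.path.realpath(os.path.join(root, filename))
    if os.path.dirname(dest) != root:
        raise ValueError("upload resolves outside the upload directory")
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return dest


def demo() -> dict:
    """Run the same traversal name through both handlers in a throwaway tree
    where cron.d/ stands in for /etc/cron.d. Returns a dict of booleans."""
    with tempfile.TemporaryDirectory() as root:
        uploads = os.path.join(root, "uploads")
        cron_d = os.path.join(root, "cron.d")
        os.makedirs(uploads)
        os.makedirs(cron_d)
        payload = b"* * * * * root /tmp/.x.sh\n"     # constructed cron line
        evil = "../cron.d/evil"                      # traversal relative to uploads/
        results = {}

        written = save_upload_unchecked(uploads, evil, payload)
        results["unchecked_escaped"] = (
            os.path.realpath(written) == os.path.realpath(os.path.join(cron_d, "evil")))

        try:
            save_upload_hardened(uploads, evil, payload)
            results["hardened_refused"] = False
        except ValueError:
            results["hardened_refused"] = True

        dest = save_upload_hardened(uploads, "report.txt", b"ok")
        results["hardened_inside"] = os.path.dirname(dest) == os.path.realpath(uploads)

        try:
            save_upload_hardened(uploads, "report.txt", b"again")
            results["overwrite_blocked"] = False
        except FileExistsError:
            results["overwrite_blocked"] = True
        return results


if __name__ == "__main__":
    print(demo())
```

The realpath comparison is kept even though the name check alone blocks traversal: it is what catches an attacker who has already planted a symlink inside the upload directory, and the O_EXCL open is what turns a "create" primitive into one that cannot clobber a cron file or binary that already exists.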
Impact
Successful exploitation gives the attacker root on the affected Catalyst SD-WAN Manager instance, compromising its confidentiality, integrity and availability. With an arbitrary file write the attacker can plant malicious binaries, modify configuration files, or drop cron jobs directly into the OS filesystem. Because SD-WAN Manager is the controller for the SD-WAN fabric, compromise of the management plane in an enterprise deployment could allow lateral movement into the broader network.
Remediation
No official patch is available as of this writing. Organizations should take the following steps:
- Restrict API access - Limit the vulnerable web UI and API endpoints to trusted management subnets only.
- Apply principle of least privilege - Audit and remove unnecessary single-task user accounts.
- Monitor for anomalous file operations - Configure endpoint detection and response (EDR) or file integrity monitoring (FIM) on the SD-WAN Manager OS.
- Check the CISA KEV entry and Cisco's advisory - Review both for vendor-issued workarounds now and for the patch once it ships.
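The monitoring step above, as an added Python illustration of the check a file-integrity tool performs: snapshot watched directories (content hash, permission bits, owner), then report files that are new, removed, modified, re-permissioned or newly setuid, which is exactly the residue the Impact section says an arbitrary file write leaves behind. This is not Cisco tooling or any specific FIM product, the directory tree and "attacker" changes are constructed for the demo, and on a real host it assumes shell access to the system being monitored.

```python
"""Minimal file-integrity check of the kind the third bullet calls for:
snapshot watched directories (sha256, mode, owner), then report files that
are new, removed, modified, changed permissions or gained setuid.
Added illustration, not Cisco tooling or a specific FIM product; the demo
tree below is constructed. On a real host point it at /etc/cron.d,
/etc/ld.so.preload, service binaries and the SD-WAN Manager config paths."""
import hashlib
import os
import stat
import tempfile


def snapshot(paths):
    """Return {path: (sha256_hex, permission_bits, uid)} for every regular
    file under the given directories. lstat is used so symlinks are skipped
    rather than followed to whatever they point at."""
    manifest = {}
    for top in paths:
        for dirpath, _dirs, files in os.walk(top):
            for name in files:
                path = os.path.join(dirpath, name)
                st = os.lstat(path)
                if not stat.S_ISREG(st.st_mode):
                    continue
                with open(path, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
                manifest[path] = (digest, stat.S_IMODE(st.st_mode), st.st_uid)
    return manifest


def diff(baseline, current):
    """Classify every difference between two snapshots as a (kind, path) pair."""
    findings = []
    suid_bits = stat.S_ISUID | stat.S_ISGID
    for path, (digest, mode, uid) in current.items():
        old = baseline.get(path)
        if old is None:
            findings.append(("NEW", path))
        else:
            old_digest, old_mode, old_uid = old
            if digest != old_digest:
                findings.append(("MODIFIED", path))
            if mode != old_mode or uid != old_uid:
                findings.append(("PERMS", path))
        # Call out setuid/setgid separately: it is the classic root backdoor.
        if mode & suid_bits and not (old and old[1] & suid_bits):
            findings.append(("SETUID", path))
    for path in baseline:
        if path not in current:
            findings.append(("REMOVED", path))
    return findings


def demo():
    """Baseline a constructed tree, simulate what a root-level file write
    would leave behind (new cron job, trojaned binary made setuid), and
    return the sorted findings with paths relative to the tree root."""
    with tempfile.TemporaryDirectory() as root:
        cron_d = os.path.join(root, "cron.d")
        bin_dir = os.path.join(root, "bin")
        os.makedirs(cron_d)
        os.makedirs(bin_dir)
        tool = os.path.join(bin_dir, "tool")
        with open(os.path.join(cron_d, "logrotate"), "w") as fh:
            fh.write("0 * * * * root /usr/sbin/logrotate\n")
        with open(tool, "w") as fh:
            fh.write("#!/bin/sh\necho ok\n")
        os.chmod(tool, 0o755)
        baseline = snapshot([cron_d, bin_dir])

        # Simulated post-exploitation changes (constructed for the demo).
        with open(os.path.join(cron_d, "update"), "w") as fh:
            fh.write("* * * * * root /tmp/.x.sh\n")
        with open(tool, "a") as fh:
            fh.write("/tmp/.x.sh\n")
        os.chmod(tool, 0o4755)

        findings = diff(baseline, snapshot([cron_d, bin_dir]))
        return sorted((kind, os.path.relpath(path, root)) for kind, path in findings)


if __name__ == "__main__":
    for kind, path in demo():
        print(f"{kind:9} {path}")
```

The baseline must be taken from a known-good state and stored off-box, since an attacker with root can rewrite a manifest kept on the same filesystem; a trojaned binary shows up here both as MODIFIED and as PERMS/SETUID, which is deliberate so that a permission-only change is still caught when the content hash is unchanged.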
For ongoing threat context, see the Weekly Threat Roundup: Ivanti & Chrome Zero-Days (June 8-14), CISA adds Cisco, Chrome flaws to KEV catalog, and Weekly Threat Roundup: Cisco SD-WAN Zero-Day Under Attack (May 11-17).
Security Insight
This vulnerability underscores a recurring pattern in Cisco’s SD-WAN product line: API-level input validation gaps that grant file-write primitives to low-privilege users. It echoes the 2023 Catalyst SD-WAN Manager arbitrary file-write flaws that were also exploited before patches arrived. The active exploitation of CVE-2026-20262 suggests threat actors are systematically targeting network management planes as a high-value pivot point. Until Cisco ships a fix, defenders must treat the management API as a critical attack surface.