Cisco CVE-2026-20262: Second SD-WAN Manager Zero-Day in Two Weeks, Under Active Exploitation with Root Escalation Documented on the Platform Managing Your Entire WAN
Eric Serrano Bustos
Cisco published a new security advisory on 15–16 June for CVE-2026-20262, an arbitrary file write flaw in the Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage) web UI that its PSIRT team confirms is being exploited in limited, targeted real-world attacks. The flaw allows an authenticated attacker with write-level access to create or overwrite any file on the underlying operating system via crafted HTTP requests, which can then be leveraged to escalate to root. CISA added it to the KEV catalogue with a federal remediation deadline of 29 June 2026. It is the second Cisco SD-WAN Manager zero-day in two weeks and the sixth exploited CVE on the same platform since February 2026, establishing a systematic attack pattern against the platform that manages up to 6,000 network devices from a single control panel.
What do we know about CVE-2026-20262 and the confirmed active exploitation?
Facts documented by Cisco PSIRT, BleepingComputer, SecurityWeek, Help Net Security, Security Affairs and SOCPrime:
Vulnerability: arbitrary file write (path traversal + improper input validation) in the Cisco Catalyst SD-WAN Manager web UI. The affected API endpoint fails to properly validate user-supplied input during file upload operations, allowing an authenticated attacker to send crafted HTTP requests to create or overwrite any file on the underlying OS with the application process permissions.
CVSS 6.5 (Medium) with confirmed active exploitation: the official score does not reflect the real impact in corporate deployments. Cisco PSIRT confirmed limited, targeted exploitation in June 2026, indicating a sophisticated actor with specific targets.
Exploitation requirement: valid credentials with at least write access. Where low-privilege credentials have been previously compromised, or where write-access users are not well audited, CVE-2026-20262 is the next step to root.
Affects all deployment types: on-prem, Cisco SD-WAN Cloud-Pro, Cisco SD-WAN Cloud (Cisco Managed) and Cisco SD-WAN for Government (FedRAMP).
Root escalation via malicious files: the documented escalation vector involves uploading malicious .war or .jsp files to system paths executed by the vManage application server. Cisco’s published IOC guidance is to search the vmanage-server, vmanage-appserver and serviceproxy-access logs for index.jsp and .war files.
Internal discovery with prior exploitation: Cisco states the flaw was found during internal security testing, but PSIRT detected exploitation before public disclosure, implying the threat actor had independent knowledge of the flaw before the advisory.
CISA KEV: added this week. Federal agency deadline: 29 June 2026.
Patch available: released 15–16 June. Consult Cisco’s official advisory at cisco.com/security/advisories for specific fixed versions per branch.
Why Cisco SD-WAN Manager is a systematic high-value target
CVE-2026-20262 is not an isolated incident. It is the sixth exploited CVE in Cisco Catalyst SD-WAN Manager since February 2026. The 2026 history includes CVE-2026-20133, CVE-2026-20128, CVE-2026-20122, CVE-2026-20127, CVE-2026-20245 and now CVE-2026-20262. The pattern is not coincidental: Catalyst SD-WAN Manager is targeted because it is the management plane for an organisation’s entire SD-WAN infrastructure.
SD-WAN Manager manages up to 6,000 WAN devices from a single panel. Compromising the manager is equivalent to compromising the entire branch network, remote offices and WAN links. An attacker with root on SD-WAN Manager can reconfigure routes, intercept traffic, install persistence on managed devices and pivot to any corporate network segment.
It is the control plane of critical network infrastructure. With root access, an attacker can modify distributed firewall policies, alter the routing of sensitive traffic and disable security controls across the entire SD-WAN device fleet.
Write-access credentials are more widespread than expected. In many organisations, write access to SD-WAN Manager is distributed among multiple network engineers. If any of those credentials have been previously compromised, CVE-2026-20262 turns that limited access into full system control.
Six CVEs in four months signals active threat actor research. The cadence of discovery and exploitation on Cisco SD-WAN indicates sophisticated actors are investing in the platform as an entry vector to corporate network infrastructure.
How the attack works: from file write to root escalation
Initial access with low-privilege credentials. The attacker needs valid write-access credentials on the SD-WAN Manager web UI, obtained via phishing, brute force, credential reuse or unauthorised internal access.
Crafted HTTP request to the vulnerable API endpoint. The attacker sends specially constructed HTTP requests to the file upload API endpoint. The lack of input validation allows path traversal sequences to write files outside the intended directory.
Malicious file written to a server-controlled path. The attacker writes a malicious .war or .jsp file to a filesystem path that the vManage application server executes or deploys automatically. Cisco IOCs specifically flag index.jsp and .war file uploads in compromised deployments.
Root escalation via malicious file execution. When vManage’s application server loads or executes the malicious .war or .jsp file, the embedded code runs with the elevated privileges of the application process, delivering root access to the attacker.
Post-exploitation on the WAN management plane. With root on SD-WAN Manager, the attacker has full access to the configuration database of all managed devices, platform authentication keys and certificates, integration credentials with other systems, and the ability to modify any network configuration, security policy or routing rule across the entire SD-WAN device fleet.
Key lessons and mitigation checklist
Step 1: Apply the patch immediately.
Update Cisco Catalyst SD-WAN Manager to the version containing the CVE-2026-20262 fix. Consult Cisco’s official advisory for exact version numbers per branch.
The patch applies to all deployment types: on-prem, Cloud-Pro, Cisco Managed and FedRAMP.
Step 2: Check logs for IOCs (mandatory if SD-WAN Manager has been exposed to untrusted networks).
Review vmanage-server, vmanage-appserver and serviceproxy-access logs for index.jsp or .war file upload attempts since 1 June.
Look for HTTP requests to file upload API endpoints with path traversal sequences (../ in filenames or destination paths).
Verify the server filesystem for .war or .jsp files in unexpected paths outside the application’s standard deployment directory.
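As an added example (not Cisco’s tooling or the article’s own material), the triage logic for the first two log checks above: a scanner that percent-decodes each request target and flags path-traversal sequences and .war / .jsp (including index.jsp) upload names. The generic combined-log line shape and the /dataservice/UPLOAD_ENDPOINT path are assumptions and placeholders; the sample lines are constructed, so adapt the line regex to the real vmanage-server / serviceproxy-access layout.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines in a generic combined-log shape (an assumption;
# the real vmanage-server / serviceproxy-access layout will differ). The
# upload endpoint name is a hypothetical placeholder, not Cisco's real path.
SAMPLE_LOG = """\
10.0.0.5 - neteng1 [16/Jun/2026:09:12:01 +0000] "POST /dataservice/UPLOAD_ENDPOINT?filename=site-template.json HTTP/1.1" 200 512
10.0.0.9 - neteng2 [16/Jun/2026:09:13:44 +0000] "POST /dataservice/UPLOAD_ENDPOINT?filename=..%2F..%2Fwebapps%2Findex.jsp HTTP/1.1" 200 1880
10.0.0.9 - neteng2 [16/Jun/2026:09:14:10 +0000] "POST /dataservice/UPLOAD_ENDPOINT?filename=archive.war HTTP/1.1" 200 40960
10.0.0.7 - neteng3 [16/Jun/2026:09:15:30 +0000] "GET /dataservice/device/monitor HTTP/1.1" 200 2048
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')
# "../", "..\" or a trailing ".." anywhere in the decoded request target.
TRAVERSAL_RE = re.compile(r'\.\.(?:[/\\]|$)')
# .war / .jsp names (index.jsp included) at the end of a path or parameter.
EXEC_RE = re.compile(r'\.(?:war|jsp)(?=$|[?&/;#])')

def decode_target(target):
    """Percent-decode until stable so double-encoded %252e%252e is caught too."""
    prev = None
    while prev != target:
        prev, target = target, unquote(target)
    return target

def analyze_line(line):
    """Return a finding dict for one log line, or None if nothing matched."""
    m = LINE_RE.match(line)
    if not m:
        return None
    target = decode_target(m.group('target'))
    indicators = []
    if TRAVERSAL_RE.search(target):
        indicators.append('path-traversal')
    if EXEC_RE.search(target.lower()):
        indicators.append('executable-upload')
    if not indicators:
        return None
    return {'ts': m.group('ts'), 'ip': m.group('ip'), 'user': m.group('user'),
            'status': int(m.group('status')), 'target': target,
            'indicators': indicators}

def scan_log(text):
    """Scan every line of a log; successful (2xx) hits matter most for triage."""
    return [f for f in map(analyze_line, text.splitlines()) if f]
```

Run `scan_log()` over the exported log text; each finding carries the account name, so hits feed directly into the write-access audit in Step 3.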
Step 3: Audit write-access accounts.
Review all user accounts in SD-WAN Manager with write permissions. Remove write access that is not strictly necessary for daily operations.
Enable MFA on all SD-WAN Manager accounts if not already configured.
Rotate credentials for all write-access accounts as a preventive measure.
Step 4: Reduce exposure surface.
If SD-WAN Manager is directly internet-facing or accessible from untrusted networks, restrict access to the web UI and API endpoints via ACLs or a dedicated bastion host.
Segment the management network (out-of-band management) from data traffic so compromise of one segment does not provide direct access to the management plane.
Cybersecurity as a strategic priority
CVE-2026-20262 is the sixth exploited CVE in Cisco Catalyst SD-WAN Manager since February 2026. The pattern is the same one that the 2026 DBIR documents across the industry: critical infrastructure management platforms are the priority target of sophisticated threat actors because they offer maximum access leverage with the fewest steps. Compromising the manager is equivalent to compromising everything it manages. For Spanish organisations with Cisco SD-WAN deployments, today’s question is direct: is Catalyst SD-WAN Manager updated to the version that includes the CVE-2026-20262 patch? If the answer is no, the actor that exploited this zero-day before Cisco disclosed it publicly already had an attack window.
Apolo Cybersecurity: Cisco SD-WAN infrastructure assessment and protection
At Apolo Cybersecurity we help organisations with Cisco Catalyst SD-WAN Manager verify exposure to CVE-2026-20262 and the full 2026 exploited CVE history: review of Cisco PSIRT-documented IOC logs, urgent patch application, write-access account auditing and MFA configuration, SD-WAN management plane network segmentation analysis, and risk assessment from the systematic exploitation pattern of the platform.
If your organisation has Cisco Catalyst SD-WAN Manager and you have no confirmation that the CVE-2026-20262 patch is applied, today is the time to verify it.