Cisco SD-WAN Manager Vulnerability Exploited in Zero-Day Attacks
Cisco has patched an actively exploited vulnerability in Cisco Catalyst SD-WAN Manager, formerly known as SD-WAN vManage, after attackers used it in limited zero-day attacks.
The flaw, tracked as CVE-2026-20262, is an arbitrary file-write vulnerability in the web-based management interface. It allows an authenticated remote attacker to create or overwrite files on an affected system.
The issue carries a CVSS 3.1 score of 6.5, but the real-world risk is higher than the score may suggest. Cisco says a successful exploit could let attackers write files that may later be used to elevate privileges to root.
Cisco Confirms Limited Exploitation
The Cisco security advisory says the company’s Product Security Incident Response Team became aware of limited exploitation in June 2026. Cisco has released fixed software and says there are no workarounds.
The vulnerability exists because Cisco Catalyst SD-WAN Manager does not properly validate user-supplied input during a file upload process. An attacker can exploit the bug by sending a crafted HTTP request to an affected API endpoint.
Cisco said the attacker must have valid credentials with at least write access. That means this is not an unauthenticated remote code execution flaw, but it remains serious because the product manages SD-WAN environments from a central control plane.
Affected Cisco SD-WAN Deployments
The vulnerability affects Cisco Catalyst SD-WAN Manager regardless of device configuration. Cisco lists on-premises deployments, Cisco SD-WAN Cloud-Pro, Cisco SD-WAN Cloud, and Cisco SD-WAN for Government as affected deployment types.
The NVD entry classifies the weakness as CWE-22, which covers improper limitation of a pathname to a restricted directory. In simpler terms, the flaw can let an attacker write a file outside the intended location.
The management plane matters because it controls configuration and operations across SD-WAN infrastructure. Cisco notes that the activity does not directly affect the operational state, configuration, or connectivity of the SD-WAN Remote Access feature, but a compromised manager still creates a serious security risk.
| Item | Details |
|---|---|
| CVE | CVE-2026-20262 |
| Product | Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage |
| Bug type | Arbitrary file write, path traversal |
| Severity | Medium, CVSS 6.5 |
| Required access | Valid credentials with at least write access |
| Impact | File creation or overwrite, with possible root privilege escalation |
Fixed Versions Are Available
Cisco has released fixes across multiple software trains. The Catalyst SD-WAN Manager advisory says customers should upgrade to the fixed release for their branch because no workaround addresses the vulnerability.
The U.S. Cybersecurity and Infrastructure Security Agency also added the flaw to its Known Exploited Vulnerabilities catalog. That confirms defenders should treat the issue as actively exploited, not just a theoretical risk.
Organizations should identify every Catalyst SD-WAN Manager instance, check the running version, and prioritize systems with internet-exposed management access or broad administrative reach.
| Affected release | First fixed release |
|---|---|
| 20.9.9.1 and earlier | 20.9.9.2 |
| 20.12.7.1 and earlier | 20.12.7.2 |
| 20.15.4.4 and earlier | 20.15.4.5 |
| 20.15.5.2 and earlier | 20.15.5.3 |
| 20.18.3 | 20.18.3.1 |
| 26.1.1.1 and earlier | 26.1.1.2 |
What Admins Should Check in Logs
Cisco provided indicators that can help administrators look for possible exploitation. The most important log sources are vmanage-server.log, vmanage-appserver.log, and serviceproxy-access.log.
Suspicious activity may include uploads of unexpected WAR files, deployment of those files by the application server, and later access to a JSP endpoint inside the deployed application. Public reporting from BleepingComputer also noted that Cisco told admins to check for suspicious index.jsp and .war activity.
These indicators may not prove compromise by themselves because some log entries can occur during standard operations. Cisco says administrators should compare findings against their normal operational posture and contact TAC if the activity is unclear.
- Review /var/log/nms/vmanage-server.log for suspicious WAR uploads.
- Check /var/log/nms/vmanage-appserver.log for unexpected WAR deployment events.
- Inspect serviceproxy-access.log for POST requests to suspicious JSP paths.
- Look for directory traversal patterns in uploaded file paths.
- Check whether exposed management interfaces were reachable from the internet.
- Preserve logs before making major configuration changes if compromise is suspected.
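The sequence Cisco describes (a WAR upload, its deployment by the application server, then a POST to a JSP inside it) can be screened for with a small log triage script. This is an added example, not Cisco's tooling; the log line formats below are constructed for illustration and the real vmanage-server.log, vmanage-appserver.log and serviceproxy-access.log formats differ, so adjust the patterns to what your instances actually emit.

```python
import re

# Constructed sample lines (assumption: not real vManage log formats).
SAMPLE_LOGS = {
    "vmanage-server.log": [
        "2026-06-12 10:14:02 INFO  FileUpload user=admin file=reports/q2.csv",
        "2026-06-12 10:15:33 INFO  FileUpload user=netops file=../../../../opt/web-app/custom.war",
    ],
    "vmanage-appserver.log": [
        "2026-06-12 10:15:35 INFO  Deploying web application archive custom.war",
    ],
    "serviceproxy-access.log": [
        '10.0.0.5 - - [12/Jun/2026:10:16:01 +0000] "POST /custom/index.jsp HTTP/1.1" 200 512',
        '10.0.0.9 - - [12/Jun/2026:10:16:10 +0000] "GET /dataservice/device HTTP/1.1" 200 2048',
    ],
}

# (rule name, log source it applies to, pattern) -- one rule per indicator
# from the checklist above.
RULES = [
    ("war_upload", "vmanage-server.log", re.compile(r"\.war\b", re.I)),
    # ../ or ..\ or URL-encoded %2e%2e in an uploaded path
    ("path_traversal", "vmanage-server.log", re.compile(r"\.\.[\\/]|%2e%2e", re.I)),
    ("war_deploy", "vmanage-appserver.log", re.compile(r"deploy.*\.war\b", re.I)),
    ("jsp_post", "serviceproxy-access.log", re.compile(r'"POST\s+\S*\.jsp', re.I)),
]

# Stages that, seen together, match the described upload -> deploy -> access chain.
CHAIN = ("war_upload", "war_deploy", "jsp_post")


def scan_logs(logs):
    """Return one finding dict per (rule, matching line)."""
    findings = []
    for name, source, pattern in RULES:
        for line in logs.get(source, []):
            if pattern.search(line):
                findings.append({"rule": name, "source": source, "line": line})
    return findings


def summarize(findings):
    """Count findings per rule, for a quick per-indicator overview."""
    counts = {}
    for f in findings:
        counts[f["rule"]] = counts.get(f["rule"], 0) + 1
    return counts


def chain_observed(findings):
    """True only if every stage of the chain appears; a single hit can be benign."""
    seen = {f["rule"] for f in findings}
    return all(stage in seen for stage in CHAIN)


if __name__ == "__main__":
    hits = scan_logs(SAMPLE_LOGS)
    for h in hits:
        print(f"[{h['rule']}] {h['source']}: {h['line']}")
    print("summary:", summarize(hits), "full chain:", chain_observed(hits))
```

A single hit (for example a legitimate WAR deployment) is expected during normal operations; the full chain across the three sources is what warrants comparison against your baseline and a TAC case.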
Cisco Recommends Admin-Tech Collection Before TAC Review
The Cisco remediation workflow tells customers to collect admin-tech files from all control components before opening a TAC case. That includes controllers, managers, and validators in the SD-WAN deployment.
Cisco says TAC can review those admin-tech files for indicators of compromise tied to CVE-2026-20262 and another recently disclosed SD-WAN issue, CVE-2026-20245. If indicators appear, Cisco advises customers to follow TAC guidance because upgrading alone may not resolve a confirmed compromise.
The remediation guidance also says the known unauthenticated paths to the needed credentials involve earlier SD-WAN vulnerabilities, including CVE-2026-20182 and CVE-2026-20127. That makes it important to verify older SD-WAN patches as part of the same response.
- Inventory all Cisco Catalyst SD-WAN Manager deployments.
- Upgrade affected systems to the appropriate fixed release.
- Collect admin-tech files from all required SD-WAN control components.
- Open a Cisco TAC case if suspicious log entries or compromise concerns exist.
- Review local user accounts and remove anything unexpected.
- Rotate credentials and secrets stored in device configurations where needed.
- Restrict management interface exposure and enforce strong access controls.
Why This SD-WAN Flaw Matters
CVE-2026-20262 continues a difficult year for Cisco SD-WAN security. Cisco has disclosed several exploited SD-WAN vulnerabilities in 2026, including issues that could help attackers gain access to control components or escalate privileges.
The risk is not limited to a single appliance. An attacker who compromises the SD-WAN management plane may be positioned to study network configuration, maintain access, or support follow-on activity in a larger enterprise environment.
The CISA KEV listing reinforces that organizations should patch based on real exploitation risk. The BleepingComputer report also noted that this is another exploited SD-WAN flaw disclosed shortly after other Cisco advisories.
For defenders, the response should be direct: patch immediately, check logs, preserve evidence, and verify that earlier SD-WAN vulnerabilities have also been remediated.
FAQ
CVE-2026-20262 is an arbitrary file-write vulnerability in Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage. It can let an authenticated remote attacker create or overwrite files on the affected system.
Yes. Cisco said its Product Security Incident Response Team became aware of limited exploitation in June 2026, and CISA added the flaw to its Known Exploited Vulnerabilities catalog.
No. Cisco says exploitation requires valid credentials with at least write access. A successful exploit can create or overwrite files that may later be used to elevate privileges to root.
Cisco lists 20.9.9.2, 20.12.7.2, 20.15.4.5, 20.15.5.3, 20.18.3.1, and 26.1.1.2 as fixed releases, depending on the software branch.
Administrators should upgrade to a fixed release, collect admin-tech files if compromise is suspected, review vManage logs for suspicious WAR uploads or JSP access, open a Cisco TAC case when needed, and restrict exposure of management interfaces.