Cisco has issued urgent security updates for a vulnerability affecting its Catalyst SD-WAN Manager, a widely used network management platform. This medium-severity flaw, identified as CVE-2026-20262, has been observed under active exploitation in the wild, prompting immediate action from affected organizations and government agencies.
The vulnerability, which carries a CVSS score of 6.5 out of 10.0, allows an authenticated, remote attacker to create or overwrite arbitrary files on the filesystem of an affected Cisco Catalyst SD-WAN Manager system. This could potentially lead to a system compromise, including elevation to root privileges, if a threat actor already possesses valid credentials with write access.
Addressing CVE-2026-20262: A Growing Threat to Cisco SD-WAN Networks
According to Cisco’s advisory, the crux of the issue lies in inadequate validation of user-supplied input during a file upload process within the web user interface. An attacker can exploit this weakness by sending specially crafted HTTP requests to a vulnerable API endpoint. This allows for the manipulation of files on the underlying operating system, a dangerous capability that can be leveraged for significant damage.
The vulnerability impacts several deployments of Cisco’s SD-WAN solutions, irrespective of their deployment model. This includes Cisco Catalyst SD-WAN Manager On-Prem, Cisco SD-WAN Cloud-Pro, Cisco SD-WAN Cloud (Cisco Managed), and Cisco SD-WAN for Government (FedRAMP). The widespread applicability of the flaw underscores the urgency for organizations utilizing these platforms to patch their systems promptly.
Cisco disclosed that it became aware of “limited exploitation of this vulnerability” in June 2026. The discovery was attributed to internal security testing, highlighting the continuous efforts undertaken to identify and mitigate potential threats before they can be widely weaponized.
Key Software Versions Affected and Patched
Cisco has provided specific patch information for various software releases, indicating the critical need for users to consult their current version and apply the corresponding fix. The affected and patched versions include:
- Cisco Catalyst SD-WAN Release 20.9.9.1 and earlier have been fixed in 20.9.9.2.
- Cisco Catalyst SD-WAN Release 20.12.7.1 and earlier have been fixed in 20.12.7.2.
- Cisco Catalyst SD-WAN Release 20.15.4.4 and earlier have been fixed in 20.15.4.5.
- Cisco Catalyst SD-WAN Release 20.15.5.2 and earlier have been fixed in 20.15.5.3.
- Cisco Catalyst SD-WAN Release 20.18.3 has been fixed in 20.18.3.1.
- Cisco Catalyst SD-WAN Release 26.1.1.1 and earlier have been fixed in 26.1.1.2.
The company has also provided indicators of compromise (IOCs) to assist customers in detecting potential malicious activity. Organizations are advised to audit their “/var/log/nms/vmanage-server.log” for suspicious WAR file uploads, such as the example provided by Cisco: “11-June-2026 03:53:37,310 EDT INFO [a66cdc5f-807d-4c23-944e-5c809a2ece6b] [server] [SdraAnyConnectFileUploadHandler] (default task-40704) |default| uploaded Remote Access Anyconnect profile file: ../../../../var/lib/wildfly/standalone/deployments/suspicious.war to vManage.”
Beyond file uploads, Cisco has warned that other indicators may include attempts to deploy and interact with malicious code, though these may not consistently appear in all incident logs. The potential follow-on activities associated with this vulnerability are a significant concern for network security professionals.
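The log audit described above can be scripted. The following is an added example, not code from Cisco or the advisory: it matches the upload message format of the quoted sample line and flags file names that traverse directories or land in the deployment directory. The list of deployable extensions, the two benign sample lines and the handler name `ExampleOtherHandler` are assumptions made for illustration.

```python
import posixpath
import re

# Message format taken from the sample line quoted in the article.
UPLOAD_RE = re.compile(
    r"\[SdraAnyConnectFileUploadHandler\].*?"
    r"uploaded Remote Access Anyconnect profile file: (?P<path>.+) to vManage"
)
# Deployment directory seen in the quoted sample path.
DEPLOY_DIR = "/var/lib/wildfly/standalone/deployments/"
# Assumption: file types an application server would deploy or execute.
DEPLOYABLE = (".war", ".ear", ".jar", ".jsp")

def assess_upload(path):
    """Return the reasons a logged upload name is suspicious ([] if none)."""
    reasons = []
    unix = path.strip().replace("\\", "/")
    if ".." in unix.split("/"):
        reasons.append("path traversal")
    if unix.startswith("/"):
        reasons.append("absolute path")
    # Heuristic: assume the traversal reaches "/" and see where the file lands.
    landed = posixpath.normpath("/" + unix.lstrip("/"))
    if landed.startswith(DEPLOY_DIR):
        reasons.append("targets deployment directory")
    if landed.lower().endswith(DEPLOYABLE):
        reasons.append("deployable archive")
    return reasons

def scan(lines):
    """Return (line_number, path, reasons) for each suspicious upload entry."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = UPLOAD_RE.search(line)
        reasons = assess_upload(match.group("path")) if match else []
        if reasons:
            hits.append((number, match.group("path").strip(), reasons))
    return hits

# Lines 1 and 3 are constructed; line 2 is the sample quoted in the article.
SAMPLE_LOG = [
    "11-June-2026 03:41:02,118 EDT INFO [00000000-0000-0000-0000-000000000001] [server] [SdraAnyConnectFileUploadHandler] (default task-1) |default| uploaded Remote Access Anyconnect profile file: branch-profile.xml to vManage.",
    "11-June-2026 03:53:37,310 EDT INFO [a66cdc5f-807d-4c23-944e-5c809a2ece6b] [server] [SdraAnyConnectFileUploadHandler] (default task-40704) |default| uploaded Remote Access Anyconnect profile file: ../../../../var/lib/wildfly/standalone/deployments/suspicious.war to vManage.",
    "11-June-2026 03:54:00,001 EDT INFO [00000000-0000-0000-0000-000000000002] [server] [ExampleOtherHandler] (default task-2) |default| unrelated message",
]

if __name__ == "__main__":
    for number, path, reasons in scan(SAMPLE_LOG):
        print(f"line {number}: {path} -> {', '.join(reasons)}")
```

To audit a real system, pass the lines of `/var/log/nms/vmanage-server.log` (and any rotated copies) to `scan()` instead of `SAMPLE_LOG`.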
Broader Implications for Network Security
CVE-2026-20262 represents the eighth security flaw discovered in Cisco SD-WAN this year alone that has been flagged as actively exploited. This alarming trend includes previously identified vulnerabilities such as CVE-2026-20245, CVE-2026-20182, CVE-2026-20127, CVE-2026-20122, CVE-2026-20128, CVE-2026-20133, and CVE-2022-20775. The persistent targeting of Cisco’s SD-WAN infrastructure suggests a concerted effort by sophisticated threat actors.
Notably, the exploitation of some of these vulnerabilities has been linked to an advanced persistent threat (APT) actor identified as UAT-8616. The involvement of APTs signals a level of technical sophistication and strategic intent that elevates the risk for affected organizations.
In response to the active exploitation, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-20262 to its Known Exploited Vulnerabilities (KEV) catalog. This inclusion mandates that all Federal Civilian Executive Branch (FCEB) agencies implement the necessary fixes by June 29, 2026. This deadline serves as a critical benchmark for federal agencies and a strong recommendation for all organizations using vulnerable Cisco SD-WAN solutions.
The ongoing exploitation of vulnerabilities within network infrastructure like Cisco Catalyst SD-WAN Manager highlights the continuous cat-and-mouse game between cybersecurity defenders and malicious actors. Organizations must remain vigilant, prioritizing timely patching and robust monitoring to protect their digital assets from evolving threats.

