CVE-2026-20262: Actively Exploited Cisco SD-WAN Manager File Write Flaw
Cisco has patched CVE-2026-20262, an arbitrary file write vulnerability in Catalyst SD-WAN Manager that attackers are already exploiting in the wild. It carries a CVSS 3.1 score of 6.5, but the modest number understates the risk: an authenticated attacker can overwrite files on the underlying system and use that foothold to escalate to root. If you run Catalyst SD-WAN Manager, upgrade to a fixed release right away.
What is CVE-2026-20262?
CVE-2026-20262 is an arbitrary file write vulnerability in the web UI of Cisco Catalyst SD-WAN Manager, formerly known as SD-WAN vManage. It's classed as a path traversal issue (CWE-22). The software doesn't properly validate user-supplied input during a file upload, so an attacker can send a crafted HTTP request to an affected API endpoint and create or overwrite any file on the system. That written file can then be used to elevate privileges to root.
Cisco found the flaw during internal security testing, and its Product Security Incident Response Team (PSIRT) later observed limited exploitation in the wild. You can read the full writeup in the Cisco security advisory for CVE-2026-20262.
This is worth understanding clearly: it's not an unauthenticated remote code execution bug. An attacker needs valid credentials first. But Catalyst SD-WAN Manager is the management plane for an entire SD-WAN fabric, capable of controlling thousands of edge devices from one dashboard. Compromising it has outsized downstream impact, which is why a "medium" file-write flaw deserves same-day attention.
What products and versions are affected?
The vulnerability affects Cisco Catalyst SD-WAN Manager across every deployment type, regardless of device configuration. Per Cisco's advisory, that includes:
- On-Prem Deployment
- Cisco SD-WAN Cloud-Pro
- Cisco SD-WAN Cloud (Cisco Managed)
- Cisco SD-WAN for Government (FedRAMP)
No deployment model is exempt. If you run Catalyst SD-WAN Manager in any form, assume you're in scope until you've confirmed you're on a fixed release.
How severe is it?
Cisco assigns CVE-2026-20262 a CVSS 3.1 base score of 6.5 (Medium), with the vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N. The score reflects a high integrity impact with no confidentiality or availability impact on its own, and it accounts for the fact that exploitation requires authentication.
Here's what an attacker actually needs. They must have valid credentials with at least write access, which Cisco describes as a lower-privileged, single-task user account. From there, they send a crafted HTTP request to a vulnerable API endpoint, write a malicious file, and use it to elevate to root. The authentication requirement is the main thing keeping the base score in medium territory rather than critical. In practice, credentials get phished, reused, or leaked, so treat that barrier as lower than it sounds.
Two factors push the real-world urgency above the 6.5 number. First, this is confirmed active exploitation, not a theoretical proof of concept. Second, the target is your network management plane. A root-level compromise there can expose network topology, alter configurations, and provide a pivot point toward connected edge devices.
CISA agrees on the urgency. It added CVE-2026-20262 to its Known Exploited Vulnerabilities catalog on June 15, 2026, with a remediation due date of June 29, 2026 for federal civilian agencies. A KEV listing this fast is a strong signal to prioritize regardless of whether you're a federal agency.
Are patches available?
Yes. Cisco has released fixed software for every affected branch, and there are no workarounds. Upgrading is the only remediation. Find your release branch below and move to at least the first fixed release.
- 20.9.9.1 and earlier: fixed in 20.9.9.2
- 20.12.7.1 and earlier: fixed in 20.12.7.2
- 20.15.4.4 and earlier: fixed in 20.15.4.5
- 20.15.5.2 and earlier: fixed in 20.15.5.3
- 20.18.3: fixed in 20.18.3.1
- 26.1.1.1 and earlier: fixed in 26.1.1.2
Cisco confirms there are no workarounds for this vulnerability, so don't wait for a mitigation that lets you skip the upgrade. There isn't one. Full details and download guidance are in the Cisco advisory.
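As an added example (not from Cisco or the advisory), the following script classifies a running Catalyst SD-WAN Manager release against the fixed-release list above, so an inventory of version strings can be checked without eyeballing each one; the list is transcribed from this post, and any release the list does not cover is reported as unknown rather than guessed.

```python
from typing import Optional, Tuple

Version = Tuple[int, ...]

# (latest affected release, first fixed release, row covers "and earlier"),
# transcribed from the fixed-release list above. The 20.18.3 row names only
# that release, so it is not treated as "and earlier".
FIXED_RELEASES = [
    ("20.9.9.1", "20.9.9.2", True),
    ("20.12.7.1", "20.12.7.2", True),
    ("20.15.4.4", "20.15.4.5", True),
    ("20.15.5.2", "20.15.5.3", True),
    ("20.18.3", "20.18.3.1", False),
    ("26.1.1.1", "26.1.1.2", True),
]

def parse_release(s: str) -> Version:
    """Turn '20.12.7.1' into (20, 12, 7, 1) so releases compare numerically."""
    parts = s.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric release: {s!r}")
    return tuple(int(p) for p in parts)

def assess(release: str) -> Tuple[str, Optional[str]]:
    """Classify a release as 'fixed', 'vulnerable' or 'unknown', returning the
    first fixed release to move to whenever one can be named from the list."""
    ver = parse_release(release)
    rows = [(parse_release(a), parse_release(f), f, e) for a, f, e in FIXED_RELEASES]
    # Already on (or past) the first fixed release of the same x.y.z train.
    for _, fixed, fixed_s, _ in rows:
        if ver[:3] == fixed[:3] and ver >= fixed:
            return ("fixed", fixed_s)
    # Otherwise an exact row match, or the lowest "and earlier" ceiling in the same x.y train.
    hits = [(aff, fixed_s) for aff, _, fixed_s, earlier in rows
            if ver == aff or (earlier and ver[:2] == aff[:2] and ver <= aff)]
    if hits:
        return ("vulnerable", min(hits)[1])
    return ("unknown", None)

if __name__ == "__main__":
    for r in ["20.12.7.1", "20.12.7.2", "20.15.5.0", "20.18.3", "20.9.8.3", "20.12.8"]:
        print(r, *assess(r))
```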
What should you do right now?
For internet-exposed Catalyst SD-WAN Manager, treat this as same-day. Here's the order of operations:
- Patch immediately. Upgrade to the first fixed release for your branch from the table above. This is the only complete fix.
- Hunt for compromise before and after patching. Cisco published specific indicators of compromise. In the vmanage-server.log file (/var/log/nms), look for suspicious WAR file uploads, for example an upload path traversing to .../var/lib/wildfly/standalone/deployments/. In vmanage-appserver.log (/var/log/nms/), look for unexpected .war deployments. In serviceproxy-access.log (/var/log/nms/containers/service-proxy/), look for POST requests to suspicious index.jsp paths. Treat any uploaded index.jsp or unexpected .war file as a strong signal.
- Audit credentials and access. Because exploitation needs a valid write-access account, review who holds those accounts, rotate credentials, and confirm you're not exposing the management interface to the internet unnecessarily.
- Engage Cisco TAC if you find anything. If the IOCs show up and you're unsure of their origin, run request admin-tech from each control component and open a case with the Cisco Technical Assistance Center for review.
One note on the IOCs: Cisco cautions that some of these log entries can appear during normal operations, so assess them against your baseline to avoid false positives. The clearest signal is an unexpected file upload you can't account for.
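To make the three log checks above and the baseline caveat concrete, here is an added example (not Cisco's tooling, and not the real log format of these files) that runs the indicators over constructed sample lines; the EXPECTED_WARS baseline and the sample lines are placeholders to replace with your own.

```python
import re
from typing import Callable, Dict, Iterable, List, Optional, Set, Tuple

DEPLOY_DIR = "/var/lib/wildfly/standalone/deployments/"
TRAVERSAL = re.compile(r"\.\./|%2e%2e(/|%2f)", re.IGNORECASE)
WAR_NAME = re.compile(r"([\w.-]+\.war)\b", re.IGNORECASE)
POST_INDEX_JSP = re.compile(r"POST\s+(\S*index\.jsp\S*)", re.IGNORECASE)

# Hypothetical baseline of deployments you expect to see; everything else is flagged.
EXPECTED_WARS: Set[str] = {"example-expected.war"}

def check_server(line: str, expected: Set[str]) -> Optional[str]:
    """vmanage-server.log: an upload whose path traverses into the deployments dir."""
    if TRAVERSAL.search(line) and DEPLOY_DIR in line:
        return "upload path traverses into " + DEPLOY_DIR
    return None

def check_appserver(line: str, expected: Set[str]) -> Optional[str]:
    """vmanage-appserver.log: a .war deployment that is not in your baseline."""
    m = WAR_NAME.search(line)
    if m and m.group(1).lower() not in expected:
        return f"unexpected deployment {m.group(1)}"
    return None

def check_proxy(line: str, expected: Set[str]) -> Optional[str]:
    """serviceproxy-access.log: a POST to any index.jsp path."""
    m = POST_INDEX_JSP.search(line)
    return f"POST to {m.group(1)}" if m else None

CHECKS: Dict[str, Callable[[str, Set[str]], Optional[str]]] = {
    "vmanage-server.log": check_server,
    "vmanage-appserver.log": check_appserver,
    "serviceproxy-access.log": check_proxy,
}

def scan_logs(logs: Dict[str, Iterable[str]], expected_wars: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (log name, reason, line) for every line that matches an indicator."""
    expected = {w.lower() for w in expected_wars}
    hits = []
    for name, lines in logs.items():
        check = CHECKS.get(name)
        if check is None:
            continue
        for line in lines:
            reason = check(line.rstrip("\n"), expected)
            if reason:
                hits.append((name, reason, line.rstrip("\n")))
    return hits

# Constructed sample lines in an illustrative format, not real Catalyst SD-WAN Manager output.
SAMPLE_LOGS = {
    "vmanage-server.log": [
        "2026-06-12 10:02:11 INFO upload saved: /opt/web-app/uploads/report.csv",
        "2026-06-12 10:05:43 INFO upload saved: ../../../var/lib/wildfly/standalone/deployments/x.war",
    ],
    "vmanage-appserver.log": [
        '2026-06-12 10:05:50 INFO Deployed "example-expected.war"',
        '2026-06-12 10:05:51 INFO Deployed "x.war"',
    ],
    "serviceproxy-access.log": [
        '10.0.0.5 - - [12/Jun/2026:10:06:02 +0000] "GET /dataservice/device HTTP/1.1" 200 512',
        '10.0.0.5 - - [12/Jun/2026:10:06:09 +0000] "POST /x/index.jsp HTTP/1.1" 200 31',
    ],
}

if __name__ == "__main__":
    for name, reason, line in scan_logs(SAMPLE_LOGS, EXPECTED_WARS):
        print(f"[{name}] {reason}: {line}")
```

Every hit still needs to be judged against your own baseline, since Cisco notes some of these entries occur in normal operation; the point of the allowlist is to surface only what you cannot account for.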
How Halo Security can help
The first question during any active-exploitation event is simple: do we even run the affected software, and where? You can't patch what you can't see, and SD-WAN management consoles have a way of being stood up, migrated, or inherited through acquisitions without landing in a central inventory.
Halo Security's technology scanning identifies the specific technologies running across your internet-facing assets, so you can see where Cisco Catalyst SD-WAN Manager is present on your attack surface. That turns "are we exposed?" into a question you can answer in minutes instead of chasing down asset owners during an incident.
FAQ
Is CVE-2026-20262 being actively exploited?
Yes. Cisco's PSIRT confirmed limited exploitation in the wild in June 2026, and CISA added the vulnerability to its Known Exploited Vulnerabilities catalog on June 15, 2026.
Do I need to patch immediately?
If you run internet-exposed Catalyst SD-WAN Manager, treat this as same-day urgency. There are no workarounds, so upgrading to a fixed release is the only remediation. CISA set a federal remediation deadline of June 29, 2026.
How can I tell if I'm affected?
Check your Catalyst SD-WAN Manager release against Cisco's fixed-release table. All deployment types are affected, including on-prem, Cloud-Pro, Cisco Managed Cloud, and FedRAMP. You can also identify where the software runs across your attack surface using technology scanning.
Does an attacker need credentials to exploit this?
Yes. Exploitation requires valid credentials with at least write access, described as a lower-privileged, single-task user account. That authentication requirement is why the CVSS score sits at 6.5 rather than critical, though leaked or reused credentials lower that barrier in practice.
How do I check whether I've already been compromised?
Audit the log files Cisco identified: vmanage-server.log, vmanage-appserver.log, and serviceproxy-access.log. Look for suspicious WAR file uploads, unexpected .war deployments, and POST requests to suspicious index.jsp paths. If you find indicators, run request admin-tech and open a case with Cisco TAC.
Stay ahead of the next one
Want to see whether Cisco Catalyst SD-WAN Manager, or any other actively exploited software, is running on your attack surface? Halo Security's external vulnerability management makes it easy to find every affected asset across your internet-facing footprint and prioritize the issues attackers are actually using.
New CVEs land daily. Halo Threat Intelligence scores each one's internet-facing exposure with the Surface Signal 1-5 rating so you know what to prioritize.