Cisco has confirmed active exploitation of CVE-2026-20262, a file upload vulnerability in Catalyst SD-WAN Manager (formerly vManage) that allows an authenticated attacker to overwrite arbitrary files on the underlying operating system and escalate privileges to root. CISA added the flaw to its Known Exploited Vulnerabilities catalogue on 16 June 2026, obligating US federal civilian executive branch agencies to remediate by the published deadline.
Vulnerability Details
CVE-2026-20262 exists in the web-based management interface of Cisco Catalyst SD-WAN Manager. A flaw in how the application validates uploaded files allows an authenticated user — one holding as little as the network-operator role — to upload a crafted file that is written to a path outside the intended upload directory.
By controlling the destination path of the overwritten file, an attacker can replace sensitive system files, including those referenced during service startup and scheduled tasks, to execute arbitrary commands with root privileges. The vulnerability does not require the attacker to be in the default administrator group; network-operator is a standard operational role assigned to NOC personnel and SD-WAN management staff.
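The bug class described above is a client-controlled filename that is joined onto the upload directory without a containment check. The following is an added illustration, not Cisco's code and not the product's actual upload handler: it shows the vulnerable resolution pattern beside a hardened version that rejects names carrying path separators, verifies the canonical destination still lies under the canonical upload root (which also catches a symlink planted inside the upload directory), and opens the file with `O_EXCL` so nothing existing is overwritten. The function names and the rejected-name rules are assumptions made for the example.

```python
import os

# Added illustration of the vulnerability class (client-supplied filename
# escaping the upload directory). This is NOT Cisco's code; function names
# and validation rules are assumptions made for the example.


def unsafe_destination(upload_root: str, client_filename: str) -> str:
    """The vulnerable pattern: join + normalise, but never check the result
    against upload_root. '..' segments walk upward and an absolute filename
    makes os.path.join discard upload_root entirely."""
    return os.path.normpath(os.path.join(upload_root, client_filename))


def safe_destination(upload_root: str, client_filename: str) -> str:
    """Hardened resolution. Raises ValueError on any sign of tampering."""
    # A browser-supplied filename should be a single path component; any
    # separator, NUL byte or dot-only name is rejected rather than 'cleaned'.
    if "/" in client_filename or "\\" in client_filename or "\x00" in client_filename:
        raise ValueError(f"rejected filename: {client_filename!r}")
    if client_filename in ("", ".", ".."):
        raise ValueError(f"rejected filename: {client_filename!r}")
    root = os.path.realpath(upload_root)
    dest = os.path.realpath(os.path.join(root, client_filename))
    # Defence in depth: realpath follows symlinks, so a link inside the upload
    # directory pointing elsewhere resolves outside root and fails this check.
    if os.path.commonpath([root, dest]) != root:
        raise ValueError(f"path escapes upload root: {client_filename!r}")
    return dest


def save_upload(upload_root: str, client_filename: str, data: bytes) -> str:
    """Write the validated upload without ever overwriting an existing path.
    O_CREAT|O_EXCL fails if the name already exists (including as a symlink);
    O_NOFOLLOW is added where the platform provides it."""
    dest = safe_destination(upload_root, client_filename)
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(dest, flags, 0o640)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return dest
```

The two checks are deliberately redundant: the separator rejection stops traversal and absolute-path injection before any filesystem call, and the `realpath` containment check protects against the case the first rule cannot see, an attacker-created symlink already sitting in the upload directory.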
The CVSS base score is 6.5 (Medium), reflecting the authentication requirement and the local scope of the direct impact; however, in operational context — where SD-WAN Manager accounts are distributed to multiple operational teams and where management plane compromise has direct impact on edge device configuration — the practical risk is considerably higher than the base score suggests. Active in-the-wild exploitation confirms this assessment.
Affected Versions and Patch
The following Cisco Catalyst SD-WAN Manager releases are affected:
| Release | Fix |
|---|---|
| 20.3 and earlier | Migrate to 20.9 or later |
| 20.6 through 20.6.x | Fixed in 20.6.5 |
| 20.9 through 20.9.x | Fixed in 20.9.4 |
| 20.12 and later | Fixed in 20.12.1 |
There is no workaround that adequately mitigates the risk without applying the patch. Cisco recommends verifying that SD-WAN Manager’s management interface is not exposed to untrusted networks as an additional control, but this does not eliminate the risk from insider threats or compromised internal accounts.
Exploitation Context
Threat intelligence from Cisco Talos indicates exploitation is occurring in enterprise environments where SD-WAN Manager is accessible from corporate networks without management plane segmentation. The most likely abuse scenario is lateral movement: an attacker who has compromised an operational account — through phishing, credential theft from a prior breach, or abuse of a shared credential — escalates to root on the SD-WAN Manager appliance and pivots to manipulate SD-WAN edge device configurations, intercept network traffic, or disable security policies across the SD-WAN fabric.
Root access to SD-WAN Manager is equivalent to administrative control of the entire SD-WAN deployment, including the ability to alter routing, access control lists, and encrypted tunnel parameters on remote edge devices without needing to access those devices directly.
Recommended Actions
- Apply the patch immediately — prioritise systems where SD-WAN Manager is accessible from the corporate network or where multiple users share network-operator credentials.
- Audit user accounts and roles — review all accounts with network-operator and higher privileges on Catalyst SD-WAN Manager; disable dormant accounts and revoke any credentials shared across users.
- Review management plane access controls — confirm that SD-WAN Manager is accessible only from hardened jump hosts or dedicated management VLANs, not directly from end-user networks.
- Check audit logs — review SD-WAN Manager web UI access logs and file upload events for anomalous activity since May 2026, the earliest period for which exploitation has been observed.
- Federal agencies: CISA’s KEV deadline applies; check the catalogue for the specific remediation date and ensure the patch is applied and documented within the required window.
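The audit-log step above can be turned into a repeatable triage pass. The script below is an added example, not a Cisco tool: the JSON-lines event shape, the field names, the management subnet and the sample events are all constructed assumptions, so the field mapping has to be adjusted to whatever the real export looks like. It applies three review rules to upload events from the May 2026 window onward: filenames carrying traversal sequences or absolute paths, uploads from outside the management network, and accounts seen from more than one source address (a shared-credential indicator that also supports the account audit step).

```python
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timezone

# Added triage helper for the "check audit logs" action. The event format,
# field names, subnet and sample lines are constructed for this example and
# are NOT the product's actual log format.

MGMT_NETS = [ipaddress.ip_network("10.10.99.0/24")]      # assumed management VLAN
REVIEW_START = datetime(2026, 5, 1, tzinfo=timezone.utc)  # earliest observed exploitation (per article)

# Constructed sample events (JSON lines). Only the fields used below matter.
SAMPLE_EVENTS = """
{"ts": "2026-04-28T09:12:03Z", "user": "noc_alice", "role": "network-operator", "src_ip": "10.10.99.14", "action": "file_upload", "filename": "site-template.json"}
{"ts": "2026-05-03T02:41:55Z", "user": "noc_bob", "role": "network-operator", "src_ip": "10.20.5.77", "action": "file_upload", "filename": "../../../etc/cron.d/update"}
{"ts": "2026-05-03T02:43:10Z", "user": "noc_bob", "role": "network-operator", "src_ip": "10.20.5.77", "action": "login"}
{"ts": "2026-05-04T11:05:00Z", "user": "noc_bob", "role": "network-operator", "src_ip": "10.10.99.21", "action": "file_upload", "filename": "policy.yaml"}
{"ts": "2026-05-06T14:20:30Z", "user": "svc_backup", "role": "netadmin", "src_ip": "10.10.99.9", "action": "file_upload", "filename": "/var/lib/app/restore.tgz"}
{"ts": "2026-05-07T08:00:00Z", "user": "noc_carol", "role": "network-operator", "src_ip": "10.10.99.30", "action": "file_upload", "filename": "template-v2.json"}
"""


def parse_events(text: str) -> list:
    """Parse JSON-lines events and convert the timestamp to an aware datetime."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    return events


def suspicious_filename(name: str) -> bool:
    """A legitimate upload name is a single component: any separator, '..'
    segment or leading slash is worth a human look."""
    n = name.replace("\\", "/")
    return n.startswith("/") or ".." in n.split("/") or "/" in n


def triage(events: list) -> list:
    """Return review findings for events at or after REVIEW_START."""
    findings = []
    src_by_user = defaultdict(set)
    for ev in events:
        if ev["ts"] < REVIEW_START:
            continue
        src_by_user[ev["user"]].add(ev["src_ip"])   # all event types count here
        if ev["action"] != "file_upload":
            continue
        if suspicious_filename(ev["filename"]):
            findings.append({"rule": "traversal_or_absolute_filename", "user": ev["user"],
                             "ts": ev["ts"].isoformat(), "filename": ev["filename"]})
        ip = ipaddress.ip_address(ev["src_ip"])
        if not any(ip in net for net in MGMT_NETS):
            findings.append({"rule": "upload_from_outside_mgmt_net", "user": ev["user"],
                             "ts": ev["ts"].isoformat(), "src_ip": ev["src_ip"]})
    for user, ips in sorted(src_by_user.items()):
        if len(ips) > 1:
            findings.append({"rule": "multiple_source_ips", "user": user, "src_ips": sorted(ips)})
    return findings


if __name__ == "__main__":
    for f in triage(parse_events(SAMPLE_EVENTS)):
        print(json.dumps(f))
```

On the constructed sample the pre-May event is ignored, `noc_bob` is flagged three times (traversal filename, upload from a non-management address, two distinct source addresses) and the service account is flagged once for an absolute-path filename; the last hit is the kind of benign-looking event that still deserves a ticket, since the vulnerability is precisely about where an upload lands.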