CVE-2026-20262: Cisco Catalyst SD-WAN Manager Zero-Day Leads to Root
CVE-2026-20262 is a zero-day vulnerability in Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage) that lets an authenticated attacker with low privileges (at least write access) write files to unintended locations on the server.
The flaw sits in the web UI / API file upload flow, where insufficient validation allows a crafted request to create or overwrite arbitrary files on the underlying filesystem. Cisco has observed limited in-the-wild exploitation, and the issue is listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog with a remediation due date of June 29, 2026. This post breaks down what’s vulnerable, what exploitation looks like, and what defenders should do now.
What Is CVE-2026-20262?
CVE-2026-20262 (CVSS 6.5) is an arbitrary file write issue in Cisco Catalyst SD-WAN Manager. Cisco attributes it to insufficient validation of user-supplied input during a file upload process, consistent with path-traversal-style weaknesses (CWE-22).

Details of CVE-2026-20262 (SOCRadar Vulnerability Intelligence)
To exploit the bug, an attacker can manipulate upload-related input so the system writes a file outside the intended directory. Because SD-WAN Manager runs critical services, a successful file write can be a stepping stone to deeper compromise.
Which Cisco SD-WAN Manager Versions Are Affected?
Cisco’s guidance is to upgrade to a “first fixed release” based on your current branch. The following upgrade paths are called out:
- 20.9.9.1 and earlier → 20.9.9.2
- 20.12.7.1 and earlier → 20.12.7.2
- 20.15.4.4 and earlier → 20.15.4.5
- 20.15.5.2 and earlier → 20.15.5.3
- 20.18.3 → 20.18.3.1
- 26.1.1.1 and earlier → 26.1.1.2
Cisco indicates there is no workaround that fully addresses the risk without upgrading.
Is CVE-2026-20262 Being Exploited in the Wild?
Yes. Cisco reports limited exploitation observed in June 2026. Furthermore, CISA has officially included this vulnerability in the Known Exploited Vulnerabilities (KEV) catalog, mandating a remediation deadline of June 29, 2026.

CISA KEV listing for CVE-2026-20262
Even without public details on attacker tooling or victim profiles, KEV status changes prioritization. It signals that defenders should assume attackers can operationalize the technique quickly, especially in environments where SD-WAN Manager is internet-exposed or where credentials could be obtained through other means.
How Does Exploitation Work for This Arbitrary File Write?
Exploitation requires an attacker to be authenticated and to have at least write access, which Cisco characterizes as low privilege in this context. From there, the attacker sends a crafted HTTP request to an affected API endpoint involved in file uploads.
Because the upload flow does not sufficiently validate user-controlled path input, the attacker can:
- Create a new file in an arbitrary filesystem location, or
- Overwrite an existing file that the SD-WAN Manager host can write to
Cisco’s advisory notes that the written or overwritten file “could later be used to elevate to root.” The file write is the initial primitive, and attackers can use it to place server-side artifacts (such as WAR/JSP) that enable follow-on execution paths.
Why Can a “Medium” CVSS Still Be a High-Priority Fix?
Cisco’s CNA score is CVSS 6.5 (Medium) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N. That score reflects that exploitation requires credentials and that the direct impact is integrity-focused.
Many teams will still treat this as urgent because:
- The vulnerable component is a management plane product.
- The flaw can be used to plant server-side code (as suggested by Cisco’s own IOC examples), which can turn a “file write” into potential privilege escalation to root.
- The issue is reachable over the network and triggered via HTTP requests, which increases exposure risk when management interfaces are accessible.

SOCRadar’s Vulnerability Intelligence
With CVE-2026-20262 already in CISA KEV and Cisco confirming in-the-wild exploitation, the patch window is narrow. SOCRadar Cyber Threat Intelligence helps security teams track zero-day disclosures, exploitation developments, and patch intelligence as threats evolve. Combined with Attack Surface Management (ASM), it also helps identify exposed internet-facing assets that may increase urgency, supporting faster and more effective remediation.
What Should Defenders Do Now?
Patch first, using Cisco’s fixed releases
Prioritize upgrades to the relevant fixed version in your branch:
- 20.9.x → 20.9.9.2
- 20.12.x → 20.12.7.2
- 20.15.x → 20.15.4.5 or 20.15.5.3
- 20.18.x → 20.18.3.1
- 26.1.x → 26.1.1.2
If SD-WAN Manager is reachable from the internet, treat patching as time-sensitive. Cisco warns that SD-WAN Manager systems with management ports exposed to the internet are at higher risk of compromise.
Hunt for signs of abuse in Cisco’s suggested log locations
Cisco provides concrete detection leads that map to a common exploitation chain: write a WAR via traversal, deploy it via WildFly, then interact with a JSP.
Focus on these logs and patterns:
- /var/log/nms/vmanage-server.log
Look for suspicious upload paths that include traversal-like sequences and WAR placement, such as attempts to write into WildFly deployments (example pattern includes paths like ../../../../var/lib/wildfly/standalone/deployments/*.war).
- /var/log/nms/vmanage-appserver.log
Watch for WildFly deployment events that indicate a new WAR was deployed (example message pattern: Deployed "suspicious.war").
- /var/log/nms/containers/service-proxy/serviceproxy-access.log
Look for HTTP requests to unexpected JSP paths after upload, such as POST /<name>/index.jsp.
These checks can produce false positives, so confirm suspicious entries by correlating timestamps, user accounts, source IPs, and any unexpected administrative actions.
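As an added illustration (not Cisco's or SOCRadar's tooling) of how the three log leads above can be turned into a first-pass hunt, the script below runs one pattern per log source over constructed sample lines modelled on the advisory's patterns and reports which stages of the chain appear. The sample log lines, the log formats, and the `KNOWN_WARS` baseline are assumptions for the example; real vManage log formatting will differ and the regexes should be adjusted accordingly.

```python
import re

# Constructed sample log lines (not real Cisco output) modelled on the three
# detection leads: a traversal-style upload path into the WildFly deployments
# directory, a WildFly "Deployed" event for a WAR, and a POST to an
# unexpected JSP path seen by the service proxy. Formats are assumed.
SAMPLE_LOGS = {
    "/var/log/nms/vmanage-server.log": [
        "2026-06-10 10:01:02 INFO upload user=netops file=site.json dest=/opt/data/uploads/site.json",
        "2026-06-10 10:03:44 INFO upload user=svc_backup file=../../../../var/lib/wildfly/standalone/deployments/suspicious.war",
    ],
    "/var/log/nms/vmanage-appserver.log": [
        '2026-06-10 09:00:00 INFO [org.jboss.as.server] Deployed "baseline-app.war"',
        '2026-06-10 10:03:45 INFO [org.jboss.as.server] Deployed "suspicious.war"',
    ],
    "/var/log/nms/containers/service-proxy/serviceproxy-access.log": [
        '198.51.100.7 - - [10/Jun/2026:10:02:30 +0000] "GET /dataservice/device HTTP/1.1" 200 2048',
        '203.0.113.5 - - [10/Jun/2026:10:04:01 +0000] "POST /suspicious/index.jsp HTTP/1.1" 200 512',
    ],
}

# Placeholder baseline of WARs expected on a healthy system; replace with the
# names observed on a known-good SD-WAN Manager before using in production.
KNOWN_WARS = {"baseline-app.war"}

# One rule per log source, mirroring the three stages of the chain.
RULES = {
    "/var/log/nms/vmanage-server.log": ("traversal_war_upload",
        re.compile(r"(?:\.\./)+\S*wildfly/standalone/deployments/[^\s/]+\.war")),
    "/var/log/nms/vmanage-appserver.log": ("wildfly_deployed_war",
        re.compile(r'Deployed "([^"]+\.war)"')),
    "/var/log/nms/containers/service-proxy/serviceproxy-access.log": ("jsp_post_unexpected",
        re.compile(r'"POST /([^/\s]+)/index\.jsp')),
}

def scan_logs(logs, known_wars=KNOWN_WARS):
    """Return (rule_name, log_path, line) for every line matching its source's rule.
    Deployed-WAR events whose name is in known_wars are skipped to cut noise."""
    hits = []
    for path, lines in logs.items():
        rule, pattern = RULES[path]
        for line in lines:
            m = pattern.search(line)
            if m and not (rule == "wildfly_deployed_war" and m.group(1) in known_wars):
                hits.append((rule, path, line))
    return hits

def chain_stages(hits):
    """Distinct stages observed; all three together warrant escalation, one alone needs correlation."""
    return {rule for rule, _, _ in hits}
```

Hits still need the timestamp, account and source-IP correlation described above before being treated as confirmed compromise.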
Preserve evidence before remediation if you suspect compromise
If you suspect exploitation, capture relevant diagnostics before making major changes. Cisco recommends collecting admin-tech from control components (for example via request admin-tech) and then engaging support for incident guidance.
