Cisco SD-WAN Manager CVE-2026-20262 exploited, KEV-added
Second Cisco Catalyst SD-WAN Manager zero-day in two weeks. CVE-2026-20262 is an arbitrary file write under exploitation; CISA gave agencies until June 29 to patch.
Cisco disclosed CVE-2026-20262 on June 16, 2026 via PSIRT advisory cisco-sa-sdwan-arbfw-c2rZvQ — an arbitrary-file-write flaw in Catalyst SD-WAN Manager's web management interface that lets an authenticated remote attacker with at least write-level access overwrite any file on the underlying operating system and pivot to root. CVSS v3.1 is 6.5 (Medium). PSIRT confirms limited exploitation in the wild. CISA added the CVE to the Known Exploited Vulnerabilities catalog with a federal patch deadline of June 29, 2026.
This is the second exploited Catalyst SD-WAN Manager zero-day Cisco has disclosed in twelve days — see our coverage of CVE-2026-20245 on June 5.
What the bug does
Per the Cisco advisory, the root cause is improper validation of user-supplied input during file-upload operations on a web-UI API endpoint. A crafted HTTP request lets the attacker write or overwrite arbitrary paths on the appliance. Cisco specifically calls out web shells — index.jsp and .war artifacts dropped into application directories — as the observed post-exploitation pattern, which then offers a path to root by hijacking processes that run with elevated privileges.
The access bar is "valid credentials with at least write access" — not unauthenticated, but well below netadmin. As with CVE-2026-20245, this is the kind of bug that turns any leaked or phished low-privilege Manager account into a full appliance takeover.
Affected and fixed releases
The fixed-release matrix mirrors the one Cisco shipped for CVE-2026-20245 — operators who upgraded for that advisory two weeks ago and stayed current are already covered for this one. Per the PSIRT advisory:
- 20.9.9.1 and earlier → fixed in 20.9.9.2
- 20.12.7.1 and earlier → fixed in 20.12.7.2
- 20.15.4.4 and earlier → fixed in 20.15.4.5
- 20.15.5.2 and earlier → fixed in 20.15.5.3
- 20.18.3 and earlier → fixed in 20.18.3.1
- 26.1.1.1 and earlier → fixed in 26.1.1.2
The advisory states no workaround is available. The fix is the upgrade.
Exploitation status
The exploited-in-the-wild call is Cisco's own, in the body of the PSIRT advisory: PSIRT became aware of attempted exploitation during the disclosure cycle and characterises the scope as limited and targeted. CISA's KEV addition on June 16 confirms the exploitation finding independently — KEV listings require validated evidence of real-world use, not vendor-claimed potential.
Reporting at Help Net Security repeats the same Cisco-sourced framing without an independent victim or actor disclosure. No public PoC has been released. No group has claimed responsibility, and Cisco does not attribute the activity.
Detection
Per the advisory, Cisco asks operators to review the SD-WAN Manager vmanage-server, vmanage-appserver and serviceproxy-access logs for upload attempts targeting index.jsp and .war filenames. Any matching entry against a Manager that has not been upgraded should be treated as evidence of attempted or successful exploitation, and the appliance pulled for forensic review.
There is no Snort or Sigma rule shipped with the advisory at this disclosure stage; the log-string indicators above are the only detection guidance Cisco has published, and we are not paraphrasing IOCs upstream did not write down.
Action checklist
- Upgrade SD-WAN Manager today to the patched release on your branch — 20.9.9.2, 20.12.7.2, 20.15.4.5, 20.15.5.3, 20.18.3.1, or 26.1.1.2. The CISA KEV deadline for federal agencies is June 29, 2026; everyone else should treat that as the outer bound, not the target.
- Grep the Manager logs (vmanage-server, vmanage-appserver, serviceproxy-access) for index.jsp and .war upload artifacts per the PSIRT advisory. Any hit on an unpatched appliance is a compromise hypothesis until proven otherwise.
- Capture request admin-tech on every control component before upgrading, archive the bundle, and hold it. Cisco TAC uses the output to validate compromise; you want it as a clean-point baseline.
- Rotate any Manager account credential with write privileges, and enforce MFA. The bug requires authentication — a single phished low-privilege account is enough.
- Audit edge-device configurations against your last known-good baseline. If a Manager was compromised, edge pushes are the next-hop blast radius.
- If you run Cisco-managed SD-WAN cloud, open a TAC case to confirm your tenant has been audited and upgraded; the cloud-deployment population is Cisco's to instrument.
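Added here as a defender's illustration of the log review in the Detection section and the grep step above (this is not code from Cisco or from this article): a small Python scan over constructed sample log lines that flags upload requests naming .jsp or .war files, the artifacts the advisory tells operators to look for. The log line layout, the /placeholder/... paths and the user= field are assumptions; the real vmanage-server, vmanage-appserver and serviceproxy-access formats are not reproduced here.

```python
import re
from urllib.parse import unquote

# Filenames the Cisco advisory names as the observed upload artifacts.
ARTIFACT_RE = re.compile(r"(?P<name>[\w.\-/]+\.(?:jsp|war))(?=[\s\"?;]|$)", re.IGNORECASE)
UPLOAD_METHODS = ("POST", "PUT")  # assumed: only write-style requests count as upload attempts


def suspicious_upload(line):
    """Return {"method", "filename", "user"} if the line records an upload
    attempt targeting a .jsp or .war filename, else None. The line is
    URL-decoded first so index%2Ejsp or webapps%2Fshell.war is not missed,
    and the match is case-insensitive (INDEX.JSP)."""
    decoded = unquote(line)
    method = next((m for m in UPLOAD_METHODS if f" {m} " in decoded), None)
    if method is None:
        return None
    hit = ARTIFACT_RE.search(decoded)
    if hit is None:
        return None
    user = re.search(r"user=(\S+)", decoded)
    return {"method": method, "filename": hit.group("name"),
            "user": user.group(1) if user else None}


def scan(lines):
    """Return [(lineno, finding)] for every suspicious line in the log."""
    findings = []
    for n, line in enumerate(lines, 1):
        f = suspicious_upload(line)
        if f:
            findings.append((n, f))
    return findings


# Constructed sample lines in an ASSUMED layout (timestamp, source IP, user,
# method, path, filename, status). /placeholder/... stands in for the real
# endpoint, which the advisory does not name in this article.
SAMPLE_LOG = [
    "2026-06-16T09:14:02Z 10.0.5.21 user=ops-ro GET /placeholder/status 200",
    "2026-06-16T09:14:30Z 10.0.5.21 user=ops-rw POST /placeholder/upload filename=policy.json 200",
    "2026-06-16T09:15:07Z 198.51.100.7 user=ops-rw POST /placeholder/upload filename=index.jsp 200",
    "2026-06-16T09:15:09Z 198.51.100.7 user=ops-rw PUT /placeholder/upload filename=webapps%2Fshell.war 201",
    "2026-06-16T09:16:00Z 10.0.5.22 user=ops-ro GET /placeholder/files/index.jsp 404",
]

if __name__ == "__main__":
    for n, f in scan(SAMPLE_LOG):
        print(f"line {n}: {f['method']} of {f['filename']} by {f['user']}")
```

Lines 3 and 4 of the sample are flagged (a POST of index.jsp and a URL-encoded .war upload); the plain GET of an existing index.jsp on line 5 is not, because the advisory's indicator is upload attempts.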
Context
Two exploited Catalyst SD-WAN Manager zero-days in twelve days. The earlier one, CVE-2026-20245, was a command injection requiring netadmin; this one is an arbitrary file write requiring only write access. Cisco itself notes the fixed-release matrices are identical — the same upgrade closes both — but the access prerequisite has dropped from "high-privilege role" to "any account that can upload." The trend Cisco has been tracking across 2026, where SecurityWeek counted seven SD-WAN zero-days through June 5, continues.
The structural reading is the same as two weeks ago and worth repeating: SD-WAN Manager concentrates enough authority that any authenticated bug becomes a network-takeover bug. If you have not yet reclassified Manager as a Tier-0 system in your change-management practice, CVE-2026-20262 is the second prompt in two weeks to do so.