
Cisco has released security updates to address a vulnerability in the Catalyst SD-WAN Manager, tracked as CVE-2026-20262, that was exploited in attacks to escalate to root privileges.
Formerly known as SD-WAN vManage, this network management software allows admins to manage up to 6,000 SD-WAN devices from a single dashboard.
The now-patched zero-day security flaw affects all deployment types, regardless of device configuration, including on-prem deployments, Cisco SD-WAN Cloud-Pro, Cisco SD-WAN Cloud (Cisco Managed), and Cisco SD-WAN for Government (FedRAMP).

Cisco said the issue stems from insufficient validation of user-supplied input during file uploads, which can allow low-privilege remote attackers to execute arbitrary commands as root by sending crafted HTTP requests to an affected API endpoint.
“A vulnerability in the web UI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an authenticated, remote attacker to create a file or overwrite any file on the filesystem of an affected system,” Cisco said in a Monday advisory.
“An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected API endpoint of the affected system. A successful exploit could allow the attacker to create or overwrite any file on the underlying operating system. This file could later be used to elevate to root.”
Cisco said its Product Security Incident Response Team (PSIRT) became aware of the exploitation of CVE-2026-20262 earlier this month and “strongly” advised customers to patch their systems.

| Cisco Catalyst SD-WAN Release | First Fixed Release |
|---|---|
| 20.9.9.1 and earlier | 20.9.9.2 |
| 20.12.7.1 and earlier | 20.12.7.2 |
| 20.15.4.4 and earlier | 20.15.4.5 |
| 20.15.5.2 and earlier | 20.15.5.3 |
| 20.18.3 | 20.18.3.1 |
| 26.1.1.1 and earlier | 26.1.1.2 |

While the company did not share any details on these attacks, it shared indicators of compromise (IOCs) warning admins to check their SD-WAN vmanage-server, vmanage-appserver, and serviceproxy-access logs for attempts to upload index.jsp and .war files.
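
The log check described above can be scripted. The sketch below is an added example, not code from Cisco or from the advisory: it flags any log line that names index.jsp or a .war file, including percent-encoded and mixed-case spellings. The log line format and the /example/ paths in the sample are constructed assumptions, and a hit only means the name appears on that line, so each one still needs manual review.

```python
import re
import sys
from urllib.parse import unquote

# File names the advisory tells admins to look for in upload attempts.
# Trailing check rejects longer names such as app.war.bak or software.warranty.
INDICATOR = re.compile(
    r"(?<![\w.-])(index\.jsp|[\w.-]+\.war)(?![\w-]|\.\w)", re.IGNORECASE
)

def normalise(line, rounds=2):
    """Percent-decode up to `rounds` times so encoded names still match."""
    for _ in range(rounds):
        decoded = unquote(line)
        if decoded == line:
            break
        line = decoded
    return line

def scan(lines):
    """Return (line_number, matched_name) for each indicator name found."""
    hits = []
    for number, raw in enumerate(lines, start=1):
        for match in INDICATOR.finditer(normalise(raw)):
            hits.append((number, match.group(1).lower()))
    return hits

# Constructed sample lines; the real log layout is an assumption.
SAMPLE = [
    '10.0.0.5 - user1 [01/Jan/2026:10:00:00] "GET /example/status HTTP/1.1" 200',
    '10.0.0.9 - user2 [01/Jan/2026:10:01:00] "POST /example/upload?name=index.jsp HTTP/1.1" 200',
    '10.0.0.9 - user2 [01/Jan/2026:10:02:00] "POST /example/upload?name=app%252EWAR HTTP/1.1" 200',
    "INFO startup complete, no warnings about software.warranty",
]

if __name__ == "__main__":
    # Pass exported copies of the vmanage-server, vmanage-appserver and
    # serviceproxy-access logs as arguments; with none, scan the sample.
    if sys.argv[1:]:
        for path in sys.argv[1:]:
            with open(path, errors="replace") as handle:
                for number, name in scan(handle):
                    print(f"{path}:{number}: {name}")
    else:
        for number, name in scan(SAMPLE):
            print(f"sample:{number}: {name}")
```
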
In February, Cisco patched another Catalyst SD-WAN Manager information disclosure security flaw (CVE-2026-20133), flagged as actively exploited in late April, and, two weeks later, warned of two more flaws (CVE-2026-20128 and CVE-2026-20122) that were abused in the wild.
Last month, it also tagged a maximum-severity Catalyst SD-WAN Controller authentication-bypass flaw (CVE-2026-20182) as actively exploited as a zero-day to gain admin privileges on unpatched devices.
More recently, in early June, Cisco warned of one more unpatched Catalyst SD-WAN Manager zero-day (CVE-2026-20245) that was exploited in attacks, allowing attackers to gain root privileges.
Over the last several years, the Cybersecurity and Infrastructure Security Agency (CISA) tagged 91 Cisco vulnerabilities as abused in the wild, five of them in Cisco Catalyst SD-WAN Manager and six others exploited in ransomware attacks.


