Cisco Releases Security Updates for Actively Exploited SD-WAN Manager Flaw

Cisco has released urgent security updates to address a medium-severity vulnerability in its Catalyst SD-WAN Manager platform after confirming that the flaw is being actively exploited in real-world attacks.

The vulnerability, tracked as CVE-2026-20262 with a CVSS score of 6.5, affects multiple versions of Cisco’s SD-WAN management software and could allow authenticated attackers to manipulate or overwrite critical system files under certain conditions.

File Upload Flaw Could Enable System-Level Compromise

According to Cisco’s security advisory, the issue originates from insufficient validation of user input during the file upload process in the platform’s web-based interface. An attacker with valid login credentials and write permissions could send specially crafted HTTP requests to overwrite files anywhere on the underlying operating system.

Security researchers note that this behavior could be leveraged for privilege escalation, including gaining root-level access, in compromised environments. However, successful exploitation requires authenticated access, which limits the attack surface to users who already hold valid credentials.

Affected Cisco SD-WAN Products

The vulnerability impacts several Cisco SD-WAN deployments, including:

  • Cisco Catalyst SD-WAN Manager (On-Premises)
  • Cisco SD-WAN Cloud-Managed Service
  • Cisco SD-WAN Cloud (Cisco Managed environments)
  • Cisco SD-WAN for Government (FedRAMP environments)

Cisco confirmed that the flaw affects these products across multiple release streams regardless of deployment model.

Security Updates and Fixed Versions Released

Cisco has issued patches across several software branches to mitigate the issue. Administrators are strongly advised to upgrade immediately to the following fixed releases:

  • 20.9.9.1 and earlier → fixed in 20.9.9.2
  • 20.12.7.1 and earlier → fixed in 20.12.7.2
  • 20.15.4.4 and earlier → fixed in 20.15.4.5
  • 20.15.5.2 and earlier → fixed in 20.15.5.3
  • 20.18.3 → fixed in 20.18.3.1
  • 26.1.1.1 and earlier → fixed in 26.1.1.2

Cisco stated that it became aware of limited exploitation attempts in June 2026 during internal security monitoring and testing activities.
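The fixed-release table above is easy to misread when a deployment sits on an older release of a train (for example 20.15.3, which matches neither listed 20.15 entry exactly). The following helper, an added example that is not Cisco's tooling, maps a running version onto the table. It assumes that a release is affected when it is below the first fixed release of its own train ("X and earlier, fixed in Y"), that an older release in the same major.minor family should be pointed at the next fixed release above it, and that anything newer than every listed train is reported as unknown rather than guessed.

```python
"""Map a running Cisco Catalyst SD-WAN Manager version onto the fixed-release
table summarised for CVE-2026-20262.

Constructed example (not Cisco's tooling). The table is copied from the
advisory summary; the matching rules are this script's own assumptions.
"""
from __future__ import annotations

# (last affected release, first fixed release) per software train, as listed.
FIXED_RELEASES = [
    ("20.9.9.1", "20.9.9.2"),
    ("20.12.7.1", "20.12.7.2"),
    ("20.15.4.4", "20.15.4.5"),
    ("20.15.5.2", "20.15.5.3"),
    ("20.18.3", "20.18.3.1"),
    ("26.1.1.1", "26.1.1.2"),
]


def parse_version(text: str) -> tuple[int, ...]:
    """'20.18.3.0' -> (20, 18, 3); trailing zeros are dropped so that 20.18.3
    and 20.18.3.0 compare equal."""
    parts = tuple(int(p) for p in text.strip().split("."))
    while len(parts) > 2 and parts[-1] == 0:
        parts = parts[:-1]
    return parts


def fmt(v: tuple[int, ...]) -> str:
    return ".".join(str(p) for p in v)


def assess(version_text: str) -> tuple[str, str | None]:
    """Return (status, recommended_release).

    status is one of:
      'affected' - below the fixed release of its train; upgrade recommended
      'fixed'    - at or above the fixed release of its train
      'unknown'  - no listed train covers this version; consult the advisory
    Assumption: a release is affected when it is below the fixed release of
    the train it belongs to ("X and earlier -> fixed in Y").
    """
    v = parse_version(version_text)
    family = v[:2]                      # major.minor, e.g. (20, 15)
    entries = [
        (parse_version(a), parse_version(f))
        for a, f in FIXED_RELEASES
        if parse_version(f)[:2] == family
    ]
    if not entries:
        return ("unknown", None)

    # Prefer the train whose prefix (fixed release minus its last component)
    # matches the running version, e.g. 20.15.4.x -> train 20.15.4.
    for _affected_max, fixed in entries:
        train = fixed[:-1]
        if v[:len(train)] == train:
            if v >= fixed:
                return ("fixed", None)
            return ("affected", fmt(fixed))

    # Older release in the same major.minor family but outside any listed
    # train (e.g. 20.15.3): treat as affected and point at the next fixed
    # release above it. Newer than every listed train: don't guess.
    later_fixes = sorted(f for _a, f in entries if v < f)
    if later_fixes:
        return ("affected", fmt(later_fixes[0]))
    return ("unknown", None)


if __name__ == "__main__":
    for running in ["20.9.9.1", "20.9.9.2", "20.15.3", "20.15.4.4",
                    "20.18.3", "20.18.3.1", "26.1.1.0", "20.15.6", "21.0.1"]:
        status, fix = assess(running)
        print(f"{running:<10} {status:<9} {fix or '-'}")
```

Feed it the version string shown in the manager's About page or the output of your inventory tooling; an "unknown" result means the table does not cover that release and the advisory itself should be consulted rather than assuming the deployment is safe.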

Active Exploitation and Indicators of Compromise

Alongside the patches, Cisco has published indicators of compromise (IoCs) to help organizations detect potential breaches. Security teams are advised to inspect SD-WAN Manager logs, particularly:

/var/log/nms/vmanage-server.log

Suspicious activity may include unauthorized upload attempts involving WAR files or abnormal file paths, such as deployments targeting system directories.

Additional indicators to look for include:

  • Evidence of malicious deployments in application server logs
  • Unexpected WAR file activation events
  • Unusual HTTP requests interacting with deployed web shells

In observed attack patterns, adversaries deployed files such as “suspicious.war”, followed by execution attempts through web endpoints, suggesting post-exploitation activity.
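The log review Cisco recommends comes down to three questions per file-handling entry: does it reference a WAR file, does the path contain traversal segments, and does the resolved path land outside the directory where uploads are supposed to go? The script below, an added example rather than Cisco's published IoC tooling, runs those checks over log lines. The line layout, the sample entries, the upload directory and the Tomcat path are all constructed for illustration and do not reflect the real format of /var/log/nms/vmanage-server.log; the regex and ALLOWED_UPLOAD_DIRS must be adapted to the actual log before use.

```python
"""Triage helper for the log review described in the advisory: flag upload or
deployment entries that reference WAR files or resolve to paths outside the
expected upload directory.

Constructed example, not Cisco's IoC tooling. The log line layout, the
sample lines, the upload directory and the Tomcat path are made up for
illustration; adapt them to the real vmanage-server.log format before use.
"""
from __future__ import annotations

import posixpath
import re
import sys
from dataclasses import dataclass

ALLOWED_UPLOAD_DIRS = ("/opt/data/uploads/",)    # assumed legitimate upload location
FILE_ACTIONS = {"upload", "deploy", "activate"}    # actions worth inspecting

# Constructed layout: "<ts> <LEVEL> <component> user=<u> action=<a> path=<p>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<level>\w+)\s+(?P<comp>\S+)\s+"
    r"user=(?P<user>\S+)\s+action=(?P<action>\S+)\s+path=(?P<path>\S+)\s*$"
)

# Constructed sample log lines (not real Cisco output).
SAMPLE_LOG = """\
2026-06-02T10:14:03Z INFO  upload-svc user=admin action=upload path=/opt/data/uploads/config-backup.tar.gz
2026-06-02T10:15:41Z INFO  upload-svc user=netops action=upload path=/opt/data/uploads/../../../usr/share/tomcat/webapps/suspicious.war
2026-06-02T10:15:42Z INFO  app-server user=netops action=deploy path=/usr/share/tomcat/webapps/suspicious.war
2026-06-02T10:16:07Z WARN  app-server user=netops action=activate path=/usr/share/tomcat/webapps/suspicious.war
2026-06-02T10:20:19Z INFO  upload-svc user=admin action=upload path=/opt/data/uploads/report.csv
2026-06-02T10:21:00Z INFO  sched user=system action=rotate path=/var/log/nms/vmanage-server.log
"""


@dataclass(frozen=True)
class Finding:
    timestamp: str
    user: str
    action: str
    resolved_path: str        # path after collapsing '.' and '..' segments
    reasons: tuple[str, ...]


def inspect_line(line: str) -> Finding | None:
    """Return a Finding for a suspicious file-handling entry, else None."""
    m = LINE_RE.match(line)
    if not m or m["action"] not in FILE_ACTIONS:
        return None
    raw = m["path"]
    resolved = posixpath.normpath(raw)   # traversal collapses to the real target
    reasons: list[str] = []
    if resolved.lower().endswith(".war"):
        reasons.append("war-file")
    if m["action"] == "upload":
        if ".." in raw.split("/"):
            reasons.append("path-traversal")
        if not resolved.startswith(ALLOWED_UPLOAD_DIRS):
            reasons.append("outside-upload-dir")
    if not reasons:
        return None
    return Finding(m["ts"], m["user"], m["action"], resolved, tuple(reasons))


def triage(log_text: str) -> list[Finding]:
    """Run inspect_line over every line and keep the hits, in log order."""
    return [f for f in (inspect_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for f in triage(text):
        print(f"{f.timestamp} user={f.user} action={f.action} "
              f"path={f.resolved_path} reasons={','.join(f.reasons)}")
```

Run it with no arguments to see the constructed sample triaged, or pass a log file path. The useful property is the chain it exposes: an upload whose resolved path leaves the upload directory, followed by deploy and activate entries for the same WAR from the same account, which is the sequence the advisory describes and a good pivot for scoping which credentials need to be revoked.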

Exploitation Linked to Broader SD-WAN Attack Campaigns

This latest vulnerability is part of a wider pattern of security issues affecting Cisco SD-WAN systems. CVE-2026-20262 is reportedly the eighth actively exploited SD-WAN-related flaw tracked in 2026.

Security researchers have also linked some previous exploitation activity in the ecosystem to advanced persistent threat (APT) groups, including UAT-8616, known for targeting network infrastructure.

CISA Adds Vulnerability to KEV Catalog

Due to confirmed active exploitation, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-20262 to its Known Exploited Vulnerabilities (KEV) catalog.

Federal Civilian Executive Branch (FCEB) agencies are required to apply the security patches by June 29, 2026, as part of mandatory federal cybersecurity compliance measures.

Security Advisory and Urgent Recommendations

Cisco is urging all customers to:

  • Upgrade affected SD-WAN Manager deployments immediately
  • Review system logs for suspicious file uploads or deployments
  • Restrict administrative access to trusted users only
  • Monitor for unusual web application activity or unexpected WAR deployments

While exploitation requires authenticated access, Cisco warns that compromised credentials or insider threats could significantly increase the risk.
