Cisco Discloses Second Exploited SD-WAN Vulnerability (CVE-2026-20262)


Cisco has disclosed a newly exploited vulnerability in the Catalyst SD-WAN Manager platform, tracked as CVE-2026-20262.

CVE-2026-20262 is a directory traversal issue

The vulnerability affects the Catalyst SD-WAN Manager, a central management component for Cisco’s SD-WAN infrastructure. CVE-2026-20262 is a directory traversal issue within the web interface, allowing attackers to manipulate HTTP requests sent to specific API endpoints. Successful exploitation enables unauthorized file creation or modification on the underlying operating system, potentially leading to root-level access. Attackers require valid credentials with write permissions to execute this attack.

Similar to the previously disclosed CVE-2026-20245, this flaw stems from inadequate input validation and impacts all deployment models of the Catalyst SD-WAN Manager, including on-premises, Cloud-Pro, Cisco-managed Cloud, and FedRAMP-compliant government configurations. Cisco addressed CVE-2026-20245 with patches released on June 12, 2026, and the same software versions include fixes for CVE-2026-20262. The company has not clarified whether the patches were developed concurrently or if the resolution for the earlier vulnerability inadvertently addressed this one.

Indicators of compromise and mitigation measures

Cisco recommends immediate upgrades to patched software versions. Organizations with internet-facing Catalyst SD-WAN Manager systems are advised to review log files for signs of exploitation. The advisory highlights specific artifacts, including the deployment of malicious files with .war extensions, which are processed by the WildFly Java application server integrated into vManage. Attackers interact with these files through POST requests, enabling remote code execution.

While some log entries may vary across incidents, their presence indicates potential post-exploitation activity, such as deploying additional malicious payloads. CISA has classified CVE-2026-20262 as a known exploited vulnerability, requiring U.S. federal civilian agencies to resolve it by June 29, 2026, under its Binding Operational Directive.
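The log review described above can be scripted. The following is an added example, not code from Cisco's advisory: it flags `.war` deployments that are not on a known-good list and collects the POST requests sent to them. The log format, the file names `baseline.war` and `unknown1.war`, the addresses, and the rule that a deployment is served under a path matching its file name are all assumptions made for illustration.

```python
import re

# Constructed sample lines, not real vManage logs. Log format, file names and
# addresses are assumptions made for this example.
SAMPLE_LOG = '''\
2026-06-10 02:14:07 INFO Starting deployment of "baseline.war"
2026-06-14 03:41:22 INFO Starting deployment of "unknown1.war"
198.51.100.23 - - [14/Jun/2026:03:41:30 +0000] "POST /unknown1/a.jsp HTTP/1.1" 200 412
198.51.100.23 - - [14/Jun/2026:03:42:02 +0000] "POST /unknown1/a.jsp HTTP/1.1" 200 1893
203.0.113.8 - - [14/Jun/2026:03:45:10 +0000] "GET /unknown1/ HTTP/1.1" 200 95
192.0.2.40 - - [14/Jun/2026:04:00:00 +0000] "POST /baseline/login HTTP/1.1" 200 77
'''

DEPLOY_RE = re.compile(r'deployment of "([^"/\\]+\.war)"', re.IGNORECASE)
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def find_suspect_activity(lines, expected_wars):
    """Map each unexpected .war to the POST requests made under its path.

    expected_wars is the operator's own known-good list (hypothetical here).
    A .war with an empty hit list was deployed but not yet seen in requests.
    """
    lines = list(lines)
    expected = {w.lower() for w in expected_wars}
    suspects = {}
    # Pass 1: every deployed .war that is not on the known-good list.
    for line in lines:
        m = DEPLOY_RE.search(line)
        if m and m.group(1).lower() not in expected:
            suspects.setdefault(m.group(1), [])
    # Pass 2: POST requests under the path derived from each suspect file name
    # (assumed: "name.war" is served under "/name").
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m or m.group(3) != "POST":
            continue
        client, when, _, path, status = m.groups()
        for war, hits in suspects.items():
            root = "/" + war[:-4]
            if path == root or path.startswith(root + "/"):
                hits.append((client, when, path, int(status)))
    return suspects


if __name__ == "__main__":
    found = find_suspect_activity(SAMPLE_LOG.splitlines(), {"baseline.war"})
    for war, hits in found.items():
        print(f"unexpected deployment: {war} ({len(hits)} POST requests)")
        for client, when, path, status in hits:
            print(f"  {when} {client} POST {path} -> {status}")
```

The two passes make the result independent of line order, which matters when deployment and access logs are concatenated from separate files.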

Ongoing threats to Cisco SD-WAN infrastructure

This latest disclosure follows multiple active exploits targeting the Catalyst SD-WAN Manager this year. Vulnerabilities include CVE-2026-20245 (privilege escalation), CVE-2026-20182 (authentication bypass), CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122 (file overwrite and information disclosure), as well as CVE-2026-20127 (another authentication flaw). Although the specific threat actor group remains unidentified, the consistent targeting of SD-WAN components suggests a sophisticated adversary with deep knowledge of Cisco’s architecture.

