• Category: Security
  • Status: confirmed
  • Sources: Cisco advisory (sdwan-mltvnps2), CISA KEV alert 2026-06-15, BleepingComputer
  • Summary: Cisco patched CVE-2026-20262, a path-traversal flaw in Catalyst SD-WAN Manager (formerly vManage) exploited as a zero-day. Insufficient validation of user-supplied input during file uploads lets a low-privilege remote attacker run arbitrary commands as root by sending crafted HTTP requests to an affected API endpoint. Cisco PSIRT said it became aware of exploitation earlier this month and published indicators of compromise: check vmanage-server, vmanage-appserver, and serviceproxy-access logs for attempts to upload index.jsp and .war files. The flaw affects all deployment types, including on-prem, SD-WAN Cloud-Pro, Cisco-managed cloud, and the FedRAMP government offering. CISA added it to the Known Exploited Vulnerabilities catalog on 2026-06-15 (catalog version 2026.06.15).
  • Why it matters: SD-WAN Manager controls the management plane for an entire SD-WAN fabric, so an authenticated-to-root file-upload exploit gives an attacker control of network policy across every managed edge device.
  • Follow-up: Confirm the fixed releases per branch, watch for public exploit code, and track the federal remediation deadline. This is distinct from the earlier CVE-2026-20245 privilege-escalation flaw already tracked.

Send feedback on this story