Cisco Patches Catalyst SD-WAN Manager Zero-Day Flaw Used in Root Privilege Escalation Attacks

CSBadmin

Vulnerability Details

Cisco has released security updates to address a critical vulnerability in its Catalyst SD-WAN Manager, formerly known as SD-WAN vManage. Tracked as CVE-2026-20262, the flaw allows authenticated remote attackers to escalate privileges to root by exploiting insufficient input validation during file uploads. The issue affects all deployment types, including on-premises, cloud-managed, and government configurations. Attackers can send crafted HTTP requests to an API endpoint to create or overwrite arbitrary files on the underlying operating system, which can then be used to gain full root access.

Impact and Mitigation

Cisco’s Product Security Incident Response Team confirmed that CVE-2026-20262 has been exploited in the wild since early June 2026. While the company did not disclose details of the attacks, it provided indicators of compromise and urged administrators to review logs for suspicious file uploads, particularly index.jsp and .war files. Patched versions are available across all affected release branches, and Cisco strongly recommends applying them immediately. This is the latest in a string of actively exploited zero-days targeting the SD-WAN Manager platform, including CVE-2026-20133 and CVE-2026-20182, underscoring persistent attacker interest in network management infrastructure.
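The log review described above can be sketched as follows. This is an added example, not Cisco's tooling or code from the source article; the access-log layout, the `/api/EXAMPLE-UPLOAD` placeholder path, and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Assumption: a generic combined-style access log; adapt LINE_RE to the real format.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
WRITE_METHODS = {"POST", "PUT", "PATCH"}  # request methods that can carry an upload
SEPARATORS = re.compile(r"[/\\?&=;#]")    # split a target into path and query tokens

def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding so '%252E' is compared as '.'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_name(target):
    """Return the first token named index.jsp or ending in .war, else None."""
    for token in SEPARATORS.split(fully_decode(target)):
        lowered = token.lower()
        if lowered == "index.jsp" or lowered.endswith(".war"):
            return token
    return None

def find_suspicious_uploads(lines):
    """Flag write requests whose target names an index.jsp or .war file."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        if not m or m["method"] not in WRITE_METHODS:
            continue
        name = suspicious_name(m["target"])
        if name:
            hits.append({"line": lineno, "src": m["src"], "user": m["user"],
                         "time": m["ts"], "file": name, "status": m["status"]})
    return hits

# Constructed sample lines; /api/EXAMPLE-UPLOAD is a placeholder, not a real endpoint.
SAMPLE_LOG = [
    '192.0.2.10 - admin [03/Jun/2026:10:15:02 +0000] "GET /index.jsp HTTP/1.1" 200 512',
    '198.51.100.7 - operator1 [03/Jun/2026:10:16:40 +0000] "POST /api/EXAMPLE-UPLOAD?filename=index.jsp HTTP/1.1" 200 87',
    '198.51.100.7 - operator1 [03/Jun/2026:10:17:05 +0000] "POST /api/EXAMPLE-UPLOAD?filename=app%252EWAR HTTP/1.1" 200 87',
    '192.0.2.10 - admin [03/Jun/2026:10:20:11 +0000] "POST /api/EXAMPLE-UPLOAD?filename=warning.txt HTTP/1.1" 200 87',
]

if __name__ == "__main__":
    for hit in find_suspicious_uploads(SAMPLE_LOG):
        print(hit)
```

An access log only exposes a file name when it appears in the request target; names carried in a multipart body have to be checked in application or upload logs instead.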

Source: https://www.bleepingcomputer.com/news/security/cisco-fixes-sd-wan-vmanage-flaw-exploited-in-zero-day-attacks/
