Cisco Patches Actively Exploited SD-WAN vManage Zero-Day Flaw

▼ Summary
– Cisco released a patch for CVE-2026-20262, a zero-day vulnerability in Catalyst SD-WAN Manager exploited to gain root privileges.
– The flaw affects all deployment types and is caused by insufficient input validation during file uploads, allowing low-privilege attackers to execute arbitrary commands as root.
– Cisco confirmed the vulnerability was exploited in attacks and advised customers to patch, but did not share attack details, only providing indicators of compromise.
– The company has patched multiple other actively exploited Catalyst SD-WAN Manager flaws in 2026, including CVE-2026-20133, CVE-2026-20128, CVE-2026-20122, and CVE-2026-20245.
– CISA has tagged 91 Cisco vulnerabilities as abused in the wild, including five in Catalyst SD-WAN Manager and six exploited in ransomware attacks.
Cisco has released emergency security patches to address a critical zero-day vulnerability in its Catalyst SD-WAN Manager platform, identified as CVE-2026-20262, which attackers have already exploited in the wild to escalate privileges to root.
Formerly branded as SD-WAN vManage, this centralized network management tool enables administrators to oversee up to 6,000 SD-WAN devices from a single interface. The flaw affects all deployment configurations, including on-premises systems, Cisco SD-WAN Cloud-Pro, Cisco SD-WAN Cloud (Cisco Managed), and the FedRAMP-certified Cisco SD-WAN for Government.
The root cause of the vulnerability lies in insufficient validation of user-supplied input during file uploads. According to Cisco, an authenticated remote attacker with low-level privileges can exploit this weakness by sending a specially crafted HTTP request to an affected API endpoint. This can allow the attacker to create or overwrite any file on the underlying filesystem, which can then be leveraged to gain root-level access.
“A vulnerability in the web UI of Cisco Catalyst SD-WAN Manager could allow an authenticated, remote attacker to create a file or overwrite any file on the filesystem of an affected system,” Cisco stated in a security advisory published Monday. “A successful exploit could allow the attacker to create or overwrite any file on the underlying operating system. This file could later be used to elevate to root.”
Cisco’s Product Security Incident Response Team (PSIRT) confirmed it became aware of active exploitation of CVE-2026-20262 earlier this month and has issued a strong recommendation for customers to apply patches immediately.
The fixed software versions include:
– 20.9.9.2 (for releases 20.9.9.1 and earlier)
– 20.12.7.2 (for 20.12.7.1 and earlier)
– 20.15.4.5 (for 20.15.4.4 and earlier)
– 20.15.5.3 (for 20.15.5.2 and earlier)
– 20.18.3.1 (for 20.18.3)
– 26.1.1.2 (for 26.1.1.1 and earlier)
Although Cisco did not disclose specific attack details, it shared indicators of compromise (IOCs) to help administrators detect malicious activity. The company urged admins to review logs from vmanage-server, vmanage-appserver, and serviceproxy-access for any attempts to upload index.jsp and .war files.
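As an added illustration of the log review described above (not code from the article or from Cisco), the script below scans request log lines from the three named sources for upload-style requests (POST/PUT) whose path or uploaded filename is index.jsp or ends in .war. The line format, the `filename=` field, the paths and the sample lines are all constructed for this example; real Catalyst SD-WAN Manager log formats differ and the regex would need to be adapted to them.

```python
import re
from typing import Dict, List, NamedTuple

# File names the advisory guidance tells administrators to look for in upload attempts.
SUSPICIOUS_NAMES = (
    re.compile(r"(^|/)index\.jsp$", re.I),
    re.compile(r"\.war$", re.I),
)
UPLOAD_METHODS = {"POST", "PUT"}

# ASSUMED, simplified line shape (constructed for this example; real log formats differ):
#   <timestamp> <client_ip> "<METHOD> <path> HTTP/1.x" <status> [filename=<name>]
LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<ip>\S+)\s+"(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+HTTP/[\d.]+"\s+(?P<status>\d{3})'
    r"(?:\s+filename=(?P<filename>\S+))?"
)


class Finding(NamedTuple):
    log: str      # which log source the line came from
    ts: str
    client: str
    method: str
    target: str   # the path or filename that matched
    status: int


def _suspicious(name: str) -> bool:
    """True if the path/filename (query string stripped) is index.jsp or a .war archive."""
    name = name.split("?", 1)[0]
    return any(p.search(name) for p in SUSPICIOUS_NAMES)


def scan_log(log_name: str, lines) -> List[Finding]:
    """Return upload attempts of suspicious file names found in one log source."""
    findings: List[Finding] = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable lines are skipped, never counted as evidence
        if m["method"] not in UPLOAD_METHODS:
            continue  # only write-style requests are upload attempts
        candidates = [m["path"]]
        if m["filename"]:
            candidates.append(m["filename"])
        for target in candidates:
            if _suspicious(target):
                findings.append(Finding(log_name, m["ts"], m["ip"], m["method"], target, int(m["status"])))
                break
    return findings


def scan_all(logs: Dict[str, List[str]]) -> List[Finding]:
    """Scan every log source and concatenate the findings in source order."""
    out: List[Finding] = []
    for name, lines in logs.items():
        out.extend(scan_log(name, lines))
    return out


# Constructed sample lines for the three log sources named in the guidance.
SAMPLE_LOGS = {
    "vmanage-server": [
        '2026-06-15T10:02:11Z 10.1.1.5 "GET /dataservice/device HTTP/1.1" 200',
        '2026-06-15T10:02:40Z 10.1.1.5 "POST /dataservice/upload HTTP/1.1" 200 filename=index.jsp',
    ],
    "vmanage-appserver": [
        '2026-06-15T10:03:02Z 10.1.1.5 "PUT /dataservice/files/sample.war HTTP/1.1" 201',
        '2026-06-15T10:03:09Z 10.1.1.9 "POST /dataservice/upload HTTP/1.1" 200 filename=report.csv',
    ],
    "serviceproxy-access": [
        '2026-06-15T10:04:00Z 10.1.1.7 "GET /index.jsp HTTP/1.1" 404',  # a read, not an upload
        "garbage line that does not parse",
    ],
}

if __name__ == "__main__":
    for f in scan_all(SAMPLE_LOGS):
        print(f"[{f.log}] {f.ts} {f.client} {f.method} {f.target} -> {f.status}")
```

Run against the constructed sample, the script reports the index.jsp upload in vmanage-server and the .war PUT in vmanage-appserver, and ignores the GET of /index.jsp because a read is not an upload attempt. Matches are a starting point for investigation, not a verdict: a hit should be correlated with the authenticating account, the source address and the response status before concluding anything.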
This is not an isolated incident. In February, Cisco patched another Catalyst SD-WAN Manager flaw (CVE-2026-20133), which was actively exploited in late April. Two weeks later, the company warned of two additional vulnerabilities (CVE-2026-20128 and CVE-2026-20122) also abused in the wild. Last month, Cisco flagged a maximum-severity authentication-bypass flaw (CVE-2026-20182) in the Catalyst SD-WAN Controller, exploited as a zero-day to gain admin privileges on unpatched devices. More recently, in early June, the company warned of yet another unpatched zero-day (CVE-2026-20245) targeting the same platform, allowing attackers to achieve root privileges.
Over the past several years, the Cybersecurity and Infrastructure Security Agency (CISA) has cataloged 91 Cisco vulnerabilities as actively exploited in the wild. Of these, five are linked to the Catalyst SD-WAN Manager, and six others have been leveraged in ransomware attacks.
(Source: BleepingComputer)

