Cisco has released security updates for a flaw in Catalyst SD-WAN Manager that attackers are already exploiting in the wild.
The company said there is no workaround, making the patch the only fix, and CISA has added the bug to its KEV catalog, giving federal civilian agencies until June 29 to apply it.
Tracked as CVE-2026-20262 and rated medium severity with a CVSS score of 6.5, the vulnerability stems from improper validation of uploaded files in the management software’s web interface.
For context, Catalyst SD-WAN Manager, formerly known as vManage, is the central console used to administer large SD-WAN deployments, managing in some cases thousands of devices from a single dashboard, which makes it a high-value target.
Authenticated, but a Path to Root
Importantly, the flaw is not exploitable by just anyone on the internet. An attacker needs valid credentials with at least write access on the affected Catalyst SD-WAN Manager instance before they can abuse it.
With that foothold, a crafted request to a vulnerable interface lets them write or overwrite files anywhere on the underlying operating system, which Cisco said could then be used to escalate to root.
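To show the bug class the advisory describes, an uploaded file whose name is not properly validated and so lands outside the directory the server meant to write to, here is an added Python example; it is not Cisco's code, it assumes a client-controlled file name is the unvalidated input (the advisory does not say which field is at fault), and the upload root is a made-up placeholder path.

```python
import os

# Constructed placeholder: the directory the server is allowed to write uploads into.
UPLOAD_ROOT = "/var/lib/example-manager/uploads"  # hypothetical, not a real product path


def naive_destination(upload_root: str, client_filename: str) -> str:
    """Weak pattern: trust the client-supplied name and join it onto the upload
    directory. A name carrying '..' segments or an absolute path resolves to a
    location outside the root, which is how an upload becomes an arbitrary write."""
    return os.path.normpath(os.path.join(upload_root, client_filename))


def safe_destination(upload_root: str, client_filename: str) -> str:
    """Hardened form: keep only the final path component, reject empty, dot and
    hidden names (the hidden-name rule is a policy choice), then confirm the
    fully resolved target still sits under the resolved upload root."""
    base = os.path.basename(client_filename.replace("\\", "/"))
    if not base or base in (".", "..") or base.startswith("."):
        raise ValueError("rejected upload name: %r" % client_filename)
    root = os.path.realpath(upload_root)
    target = os.path.realpath(os.path.join(root, base))
    if os.path.commonpath([root, target]) != root:
        raise ValueError("upload escapes directory: %r" % client_filename)
    return target


def escapes_root(upload_root: str, destination: str) -> bool:
    """True when a computed destination lies outside the upload root (the
    condition a defender's review of upload handling should never allow)."""
    root = os.path.realpath(upload_root)
    return os.path.commonpath([root, os.path.realpath(destination)]) != root


def is_rejected(upload_root: str, client_filename: str) -> bool:
    """Convenience wrapper: does the hardened check refuse this name?"""
    try:
        safe_destination(upload_root, client_filename)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    for name in ("report.csv", "../../../etc/example.conf", "/etc/example.conf", ".."):
        print("%-28s naive=%-40s rejected=%s" % (name, naive_destination(UPLOAD_ROOT, name),
                                                 is_rejected(UPLOAD_ROOT, name)))
```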
Cisco discovered the bug during internal security testing and said its incident response team became aware of limited exploitation in June.
The company has not shared details of the attacks or named who is behind them, but it published Indicators of Compromise (IoCs) and urged administrators to review their SD-WAN Manager server logs for signs of suspicious file uploads. The full list of IoCs is available in Cisco’s advisory.
The Latest in a Run of SD-WAN Attacks
The vulnerability is the eighth Cisco SD-WAN flaw flagged as actively exploited this year, underscoring how persistently attackers are probing enterprise network infrastructure.
Some of the earlier exploitation has been attributed by researchers to an advanced persistent threat group tracked as UAT-8616, though Cisco has not linked that activity to this particular flaw.
Organizations running affected versions should upgrade to the fixed releases listed in Cisco’s advisory without delay, since no other mitigation exists and the systems most at risk are those with management interfaces exposed to the internet.