CVE-2026-20262: Cisco Catalyst SD-WAN Manager

What is CVE-2026-20262?

A vulnerability in the web UI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an authenticated, remote attacker to create a file or overwrite any file on the filesystem of an affected system. This vulnerability exists because the affected software does not properly validate user-supplied input during a file upload process. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected API endpoint of the affected system. A successful exploit could allow the attacker to create or overwrite any file on the underlying operating system. This file could later be used to elevate to root. To exploit this vulnerability, the attacker must have valid credentials with at least a lower-privileged, single-task user account.

CVSS6.5 NVD 3.1

SeverityMEDIUM

Exploitation In the wild In CISA KEV

Triage statusActive Exploit

ActionPatch immediately

CVSS vectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

CWECWE-22

NVD published2026-06-15

NVD last modified2026-06-15

CISA Known Exploited Vulnerability

Cisco Catalyst SD-WAN Manager Directory or Path Traversal Vulnerability

Added to KEV2026-06-15

Federal patch deadline2026-06-29

Known ransomware useUnknown

Affected product

Cisco Catalyst SD-WAN Manager

Remediation Steps

Apply the vendor security update from Cisco for Catalyst SD-WAN Manager
Review access logs for evidence of root privilege escalation attempts
Restrict administrative access to SD-WAN Manager to trusted networks only

References

Coverage on defend.network

Vulnerability Priority Report – Week 3 of June 2026 (June 15 – 21)
China espionage dwell 1 year, Microsoft 200 patches, Cisco SD-WAN actively exploited (2026-06-16)

🤖 This CVE page is generated by defend.network from NVD, CISA KEV, EPSS, and our verified daily briefings. Severity and exploitation data come from official sources; always verify remediation steps against the official vendor advisory before acting in production.