Cisco SD-WAN Controllers Face Fresh Root Access Assault as Patches Trail Active Exploitation

Cisco released patches for CVE-2026-20262 in Catalyst SD-WAN Manager after confirming active exploitation that enables arbitrary file writes leading to root access. The flaw requires limited credentials yet joins a growing list of SD-WAN bugs under sustained attack in 2026. Enterprises must upgrade immediately and review logs for compromise indicators.
Written by Lucas Greene

Cisco has rushed out fixes for yet another vulnerability in its Catalyst SD-WAN Manager software. Attackers already exploit it in the wild to create and overwrite files on the underlying system. Those files then serve as stepping stones to full root access. The flaw carries a medium severity rating. But its presence in production networks handling critical traffic changes the calculation entirely.

The bug tracked as CVE-2026-20262 sits inside the web user interface of Cisco Catalyst SD-WAN Manager, formerly known as vManage. It stems from improper validation of input supplied during file upload operations. An authenticated remote attacker sends a crafted HTTP request to a specific API endpoint. Success lets the attacker create or overwrite arbitrary files on the operating system. “This file could later be used to elevate to root,” Cisco stated in its advisory published Monday.

Exploitation requires valid credentials. At minimum the attacker needs a lower-privileged single-task user account. That barrier sounds reassuring on paper. Yet credentials circulate more freely than many administrators admit. And this marks the latest in a string of SD-WAN bugs that have drawn sustained attention from adversaries throughout 2026.

Limited cases. Real consequences.

Cisco’s Product Security Incident Response Team learned of the limited exploitation in June 2026. The company now strongly recommends immediate upgrades to fixed releases. No workarounds exist. The Register first detailed the active attacks and the fresh patch availability on June 15 (The Register).

CISA moved quickly too. The agency added CVE-2026-20262 to its Known Exploited Vulnerabilities catalog the same day. Federal agencies now face a two-week deadline to apply the updates. That timeline reflects both the bug’s reach and the mounting pattern of SD-WAN compromises.

This incident follows closely on the heels of CVE-2026-20245. Cisco disclosed that high-severity privilege escalation flaw on June 4 after Mandiant reported it from a real intrusion. The bug allowed authenticated local attackers with netadmin rights to run arbitrary commands as root through a crafted file supplied to the command-line interface. “Cisco is not aware of successful exploitation by other methods,” the advisory noted. But it did observe limited cases in which exploitation led to configuration changes pushed out to edge devices. Patches for that issue arrived on June 12 (Cisco Security Advisory).

The sequence reveals a troubling rhythm. Attackers gain an initial foothold. They then chain weaknesses to climb toward root control. Earlier in the year the picture looked even more dire. A critical authentication bypass vulnerability tracked as CVE-2026-20127 earned a perfect 10.0 CVSS score. Exploited in the wild since at least 2023, it let unauthenticated remote attackers obtain administrative privileges on SD-WAN controllers. Adversaries added rogue peers to networks and manipulated configurations via NETCONF. Some chained it with an older CLI privilege escalation bug, CVE-2022-20775, by downgrading software versions temporarily and then restoring them to hide their tracks (The Hacker News).

Talos intelligence from Cisco described the tactics in detail. Threat actors compromised public-facing applications, then used built-in update mechanisms for the version rollback. They added SSH keys for persistent root access and altered startup scripts. The pattern has repeated across multiple SD-WAN bugs this year. CISA now lists eight such issues in its catalog for 2026 alone. Government partners and private defenders have issued joint warnings urging organizations to inventory systems, collect logs, and hunt for signs of compromise.

But why does SD-WAN attract this level of focus? The controllers sit at the heart of modern enterprise networks. They orchestrate traffic across hundreds or thousands of edge devices. A single compromised manager can push malicious routing rules or exfiltrate configuration data across entire fabrics. Organizations that expose management interfaces to the internet compound the danger. Cisco’s latest advisory highlights exactly those exposures as primary risk factors. It even supplies specific log entries to watch for in vmanage-server.log, vmanage-appserver.log, and serviceproxy-access.log. One example shows an anomalous upload of a file named suspicious.war, followed by its deployment and subsequent HTTP requests.

Security teams should treat those entries with caution. Some may appear during normal operations. Context matters. Cisco urges administrators who spot suspicious activity to open a support case and provide admin-tech output from control components before attempting any upgrades. That data helps distinguish legitimate anomalies from active intrusion.
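The correlation Cisco's advisory describes (a .war upload through the web UI, its deployment, then HTTP requests hitting the new context) can be scripted. The block below is an added example, not code from Cisco or the article: the log line formats and the sample entries are constructed for illustration, so the regular expressions must be adapted to the real vmanage-server.log and serviceproxy-access.log layouts before use. The three-stage correlation is what keeps a lone upload (which, as the article notes, can occur during normal operations) from being scored the same as the full chain.

```python
"""Hunt for the upload -> deploy -> request chain in SD-WAN Manager style logs.

Added example; log formats below are CONSTRUCTED and not Cisco's real format.
"""
import re
from dataclasses import dataclass, field

# Constructed sample lines in a hypothetical format (not real Cisco output).
SAMPLE_LOGS = {
    "vmanage-server.log": [
        "2026-06-14 02:11:03 INFO  FileUpload user=opsuser file=backup.tar.gz",
        "2026-06-14 02:13:41 INFO  FileUpload user=opsuser file=suspicious.war",
        "2026-06-14 02:13:42 INFO  Deploy context=/suspicious status=started",
    ],
    "serviceproxy-access.log": [
        '203.0.113.7 - - [14/Jun/2026:02:14:05 +0000] "GET /suspicious/cmd HTTP/1.1" 200 512',
        '198.51.100.9 - - [14/Jun/2026:02:20:00 +0000] "GET /dataservice/device HTTP/1.1" 200 2048',
    ],
}

UPLOAD_RE = re.compile(r"FileUpload user=(?P<user>\S+) file=(?P<file>\S+)")
DEPLOY_RE = re.compile(r"Deploy context=/(?P<ctx>\S+) status=(?P<status>\S+)")
# Combined-log style access line: source, method, first path segment, status code.
ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) /(?P<ctx>[^/ ]+)[^"]*" (?P<code>\d{3})'
)


@dataclass
class Finding:
    war_name: str
    uploaded_by: str
    deployed: bool = False
    requests: list = field(default_factory=list)


def hunt(logs: dict) -> list:
    """Return one Finding per .war upload, enriched with deploy and access evidence.

    The web-app context name is assumed to be the .war filename without its
    extension (a hypothetical convention for this example)."""
    findings = {}
    for line in logs.get("vmanage-server.log", []):
        m = UPLOAD_RE.search(line)
        if m and m.group("file").lower().endswith(".war"):
            ctx = m.group("file")[:-4]
            findings[ctx] = Finding(m.group("file"), m.group("user"))
    for line in logs.get("vmanage-server.log", []):
        m = DEPLOY_RE.search(line)
        if m and m.group("ctx") in findings:
            findings[m.group("ctx")].deployed = True
    for line in logs.get("serviceproxy-access.log", []):
        m = ACCESS_RE.match(line)
        if m and m.group("ctx") in findings:
            findings[m.group("ctx")].requests.append(
                (m.group("src"), m.group("method"), m.group("code"))
            )
    return sorted(findings.values(), key=lambda f: f.war_name)


def severity(f: Finding) -> str:
    """Upload alone is weak evidence; upload + deploy + traffic is the full chain."""
    if f.deployed and f.requests:
        return "high"
    if f.deployed:
        return "medium"
    return "low"


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOGS):
        print(severity(f), f.war_name, "by", f.uploaded_by, "requests:", f.requests)
```

A "high" finding is the point at which the article's advice applies: open a support case and collect admin-tech output before upgrading, so the evidence survives.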

The broader picture shows Cisco racing to contain a wave of SD-WAN vulnerabilities. Researchers and incident responders continue to uncover new flaws while attackers move faster than patches can deploy. Bleeping Computer reported on the CVE-2026-20262 fix and noted the vendor’s emphasis on rapid patching (BleepingComputer). Cybersecurity Dive covered the preceding zero-day warning and the absence of immediate fixes at the time of disclosure (Cybersecurity Dive).

So what should network operators do today? Audit every SD-WAN manager instance for internet exposure. Prioritize the fixed software versions released this week: 20.9.9.2, 20.12.7.2, 20.15.5.3, 20.18.3.1, and 26.1.1.2, among others. Run the recommended admin-tech collection. Scan logs for the documented indicators. And prepare for the possibility that root access may already sit quietly inside some deployments.
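The first two steps above (exposure audit, then upgrade priority) combine naturally into an inventory check. The following is an added example, not Cisco tooling: it takes a constructed inventory of manager instances and compares each against the fixed releases the article quotes. Because the article calls that list partial ("among others"), any release train not in the list is reported as "unknown-train" rather than assumed safe, and internet-exposed instances that are not on a fixed build are ranked first.

```python
"""Rank SD-WAN Manager instances by patch status and exposure for CVE-2026-20262.

Added example. FIXED_RELEASES is the partial list quoted in the article;
the inventory entries are constructed.
"""

FIXED_RELEASES = ["20.9.9.2", "20.12.7.2", "20.15.5.3", "20.18.3.1", "26.1.1.2"]

# Constructed inventory: (hostname, running version, management UI internet-exposed?)
INVENTORY = [
    ("mgr-east", "20.12.6.1", True),
    ("mgr-west", "20.15.5.3", False),
    ("mgr-lab", "20.18.2.0", False),
    ("mgr-legacy", "20.10.1.0", True),
]


def parse_version(v: str) -> tuple:
    """'20.12.7.2' -> (20, 12, 7, 2); tuple order gives correct numeric comparison."""
    return tuple(int(p) for p in v.split("."))


def train(v: str) -> tuple:
    # Assumption for this example: a release train is the first two components (e.g. 20.12).
    return parse_version(v)[:2]


FIXED_BY_TRAIN = {train(v): parse_version(v) for v in FIXED_RELEASES}


def assess(version: str, internet_exposed: bool) -> dict:
    """Classify one instance as fixed / vulnerable / unknown-train and assign a priority."""
    pv = parse_version(version)
    fixed = FIXED_BY_TRAIN.get(pv[:2])
    if fixed is None:
        status = "unknown-train"      # not in the quoted list; verify against the advisory
    elif pv >= fixed:
        status = "fixed"
    else:
        status = "vulnerable"
    if status == "fixed":
        priority = "none"
    elif internet_exposed:
        priority = "P1"               # exposed management interface: Cisco's primary risk factor
    else:
        priority = "P2"
    return {
        "version": version,
        "status": status,
        "priority": priority,
        "target": ".".join(map(str, fixed)) if fixed else None,
    }


def rank(inventory: list) -> list:
    """Return (hostname, assessment) pairs, most urgent first."""
    order = {"P1": 0, "P2": 1, "none": 2}
    rows = [(host, assess(ver, exposed)) for host, ver, exposed in inventory]
    return sorted(rows, key=lambda r: (order[r[1]["priority"]], r[0]))


if __name__ == "__main__":
    for host, a in rank(INVENTORY):
        print(f"{a['priority']:4} {host:12} {a['version']:10} {a['status']:14} -> {a['target']}")
```

The remaining steps (admin-tech collection, log review) are per-instance actions; the ranked list decides where to run them first.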

Because the attacks keep coming. And SD-WAN environments no longer enjoy the luxury of assuming their control planes remain untouched. The latest patch closes one door. History suggests others may already stand ajar.
