Cisco Patches Actively Exploited Root Escalation Flaw in SD-WAN Manager
Cisco released fixes for CVE-2026-20262, an actively exploited vulnerability in Cisco Catalyst SD-WAN Manager (vManage) that allows an authenticated remote attacker with low privileges to upload or overwrite files through crafted HTTP requests and ultimately execute commands as root. The flaw stems from insufficient validation of user-supplied input during file uploads in the web UI and affects all deployment models, including on-premises, Cloud-Pro, Cisco-managed cloud, and FedRAMP environments.
Cisco said it became aware of in-the-wild exploitation in June and urged customers to patch immediately, warning that the product’s central role in orchestrating SD-WAN fabrics raises the operational impact of compromise. The company published indicators of compromise tied to uploaded .jsp and .war files, including filenames such as index.jsp and suspicious.war, and advised defenders to inspect vmanage-server, vmanage-appserver, and serviceproxy-access logs, reduce internet exposure, audit accounts, and contact TAC with an admin-tech file if intrusion is suspected.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Canadian Centre for Cyber Security issues alert AV26-602
The Canadian Centre for Cyber Security issued alert AV26-602 regarding CVE-2026-20262 in Cisco Catalyst SD-WAN Manager. The alert encouraged users and administrators to review the linked advisories and apply updates when available.
CISA sets June 29 deadline for CVE-2026-20262 remediation
After adding CVE-2026-20262 to the KEV catalog, CISA directed U.S. federal civilian agencies to remediate the Cisco Catalyst SD-WAN Manager flaw by June 29, 2026.
CISA adds CVE-2026-20262 to KEV catalog
CISA added Cisco Catalyst SD-WAN Manager flaw CVE-2026-20262 to its Known Exploited Vulnerabilities catalog after reports of in-the-wild exploitation. The agency ordered federal civilian agencies to remediate the vulnerability within two weeks.
Cisco releases fixes and IOCs for CVE-2026-20262
Cisco released security updates for CVE-2026-20262 and warned customers to patch affected Cisco Catalyst SD-WAN Manager systems immediately. The company also published indicators of compromise, including suspicious uploaded files and related log artifacts defenders should review.
Cisco observes exploitation of CVE-2026-20262 in June 2026
Cisco said its PSIRT became aware earlier in June 2026 that CVE-2026-20262, an arbitrary file write flaw in Cisco Catalyst SD-WAN Manager, was being exploited in the wild. The vulnerability can let an authenticated low-privileged attacker upload or overwrite files and potentially escalate privileges to root.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
18 references tracked. Mallory keeps watching after this page renders.
Cisco патчит уязвимость нулевого дня в SD-WAN - Хакер
xakep.ru
Open sourceCisco security advisory (AV26-602) - Malware News - Malware Analysis, News and Indicators
malware.news
Open sourceCisco security advisory (AV26-602) - Canadian Centre for Cyber Security
cyber.gc.ca
Open sourceCVE-2026-20262: Cisco SD-WAN Manager Zero-Day
socprime.com
Open sourceKnown Exploited Vulnerabilities Catalog | CISA
cisa.gov
Open sourceCVE Record: CVE-2026-20262
cve.org
Open sourceCisco fixes SD-WAN vManage flaw exploited in zero-day attacks
bleepingcomputer.com
Open sourceCisco Catalyst SD-WAN Manager Arbitrary File Write Vulnerability
sec.cloudapps.cisco.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Cisco Catalyst SD-WAN Manager Zero-Day Exploited for Root Command Execution
Cisco disclosed active exploitation of **CVE-2026-20245**, a high-severity command injection flaw in **Cisco Catalyst SD-WAN Manager** that lets an authenticated attacker with `netadmin` privileges upload a crafted file and execute arbitrary commands as **root**. The vulnerability affects all deployment models, including on-premises, **Cisco SD-WAN Cloud**, Cloud-Pro, and FedRAMP environments, and Cisco said attackers have already used it in limited incidents to push unauthorized configuration changes to SD-WAN edge devices. Cisco said the flaw stems from insufficient validation and sanitization of user-supplied input in the CLI processing path, and warned that attackers may obtain the required privileges with valid credentials or by chaining previously disclosed bugs such as **CVE-2026-20182** or **CVE-2026-20127**. No dedicated patch or workaround was available at disclosure, so Cisco urged customers to upgrade to software versions that fix earlier exploited issues, review indicators of compromise such as suspicious entries in `/var/log/scripts.log`, preserve forensic evidence, collect diagnostics with the command: ```bash request admin-tech ``` and contact Cisco TAC if compromise is suspected.
Jun 15, 2026
Cisco SD-WAN Authentication Bypass Exploited for Admin Access and Persistence
Cisco disclosed and patched **CVE-2026-20182**, a critical `CVSS 10.0` authentication bypass flaw in **Cisco Catalyst SD-WAN Controller** and **Cisco Catalyst SD-WAN Manager** that has been exploited in the wild. The bug affects the `vdaemon` control-plane service over **DTLS/UDP 12346** and allows an unauthenticated attacker to impersonate a trusted peer, gain high-privilege administrative access, reach **NETCONF** on `TCP/830`, and manipulate SD-WAN fabric configuration. Rapid7 said the flaw stems from missing authentication checks when a peer claims to be a vHub device, enabling attackers to inject SSH keys for the `vmanage-admin` account and establish persistent access; Cisco said there are **no workarounds** and released fixed software versions for affected on-premises, cloud, managed-cloud, and FedRAMP deployments. Cisco Talos attributed the most sophisticated exploitation of `CVE-2026-20182` with high confidence to **UAT-8616**, which was observed adding SSH keys, modifying NETCONF settings, and escalating privileges to root, with infrastructure overlap noted with Operational Relay Box networks. Talos also reported broader ongoing attacks against SD-WAN environments, including widespread exploitation of previously disclosed **CVE-2026-20133**, **CVE-2026-20128**, and **CVE-2026-20122** after public proof-of-concept release, leading to deployment of JSP webshells such as **XenShell**, **Godzilla**, and **Behinder**, along with tools including Sliver, AdaptixC2, XMRig, gsocket, and credential-stealing scripts. **CISA added CVE-2026-20182 to the KEV catalog** and ordered federal agencies to remediate quickly, while Cisco and national cyber agencies urged organizations to preserve forensic evidence, review logs for unauthorized peering and `vmanage-admin` public-key logins, and patch all vulnerable control components immediately.
Jun 8, 2026
Cisco SD-WAN Manager Command Injection Exploited for Root-Level Device Changes
Cisco disclosed a critical command injection flaw in **Cisco Catalyst SD-WAN Manager** (`CVE-2026-20245`) that is being actively exploited in the wild, allowing an authenticated local attacker with `netadmin` privileges to execute arbitrary commands as `root`. The vulnerability is caused by insufficient validation of file-transfer payloads in the CLI, and Cisco said observed exploitation has already resulted in unauthorized configuration changes being pushed from the manager to edge devices, raising the risk of broader network compromise in affected SD-WAN environments. Cisco also warned the issue could be chained with the previously disclosed authenticated privilege-escalation bug `CVE-2026-20182` to obtain the required access level before triggering command execution. At the time of disclosure, no standard software fix was available; administrators were advised to review logs, inspect `scripts.log` for suspicious activity, and work with Cisco Technical Assistance Center for mitigations and workarounds while assessing whether managed edge infrastructure had been altered.
Jun 5, 2026