Skip to main content
Mallory
Back to vulnerabilities
MediumCISA KEVExploited in the wildPublic exploit

Arbitrary File Write / Path Traversal in Cisco Catalyst SD-WAN Manager Web UI

IdentifiersCVE-2026-20262CWE-22· Improper Limitation of a Pathname…

CVE-2026-20262 is a vulnerability in the web UI of Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage) that allows an authenticated remote attacker to create or overwrite arbitrary files on the underlying filesystem. The issue is caused by insufficient validation of user-supplied input during a file upload process at an affected API endpoint, enabling directory/path traversal-style abuse to write attacker-controlled files outside the intended location. Cisco states that exploitation can be performed with valid credentials, including a low-privileged single-task account, by sending crafted HTTP requests to the vulnerable endpoint. The written file can subsequently be leveraged to escalate privileges to root on the affected system. The vulnerability affects all deployment types regardless of configuration, including on-premises, Cloud-Pro, Cisco-managed cloud, and FedRAMP deployments.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows a remote authenticated attacker to create or overwrite any file on the filesystem of the affected Cisco Catalyst SD-WAN Manager instance. This can be used to plant malicious artifacts such as JSP or WAR files, tamper with application or system files, and ultimately achieve command execution and privilege escalation to root on the underlying operating system. Because SD-WAN Manager is a centralized orchestration platform, compromise can have broader operational and security consequences. The vulnerability has also been reported as actively exploited in the wild.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure of the SD-WAN Manager web UI and vulnerable API endpoints, especially from the public internet; restrict access to trusted administrative networks; minimize and audit accounts with access to the platform; and closely monitor for indicators of compromise. Cisco specifically advised reviewing vmanage-server, vmanage-appserver, and serviceproxy-access logs for attempts to upload files such as index.jsp, .war files, or the observed rogue suspicious.war artifact, as well as follow-on requests to planted web pages. These measures are compensating controls only and do not replace upgrading to a fixed release.

Remediation

Patch, then assume compromise.

Apply Cisco’s fixed software releases for the affected train. The content indicates the following remediated versions: 20.9.x -> 20.9.9.2, 20.12.x -> 20.12.7.2, 20.15.4.x -> 20.15.4.5, 20.15.5.x -> 20.15.5.3, 20.18.3 -> 20.18.3.1, and 26.1.1.1 -> 26.1.1.2. Cisco strongly advised customers to patch affected systems immediately. If exploitation is suspected, review relevant logs and follow Cisco incident-response guidance, including collecting admin-tech data and engaging TAC as appropriate.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

ACTIVITY FEED

Recent activity

23 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

23 SOURCESView more in app
security online infoNews
Jun 15, 2026
Cisco SD-WAN Vulnerability Exploited: CVE-2026-20262

An authenticated remote arbitrary file write vulnerability in the web UI of Cisco Catalyst SD-WAN Manager (formerly vManage) caused by improper validation of user-supplied input during file upload, allowing attackers to create or overwrite files and potentially escalate to root.

Read more
bleeping computerNews
Jun 15, 2026
Cisco fixes SD-WAN vManage flaw exploited in zero-day attacks

A Cisco Catalyst SD-WAN Manager vulnerability caused by insufficient validation of user-supplied input during file uploads, allowing an authenticated remote attacker to create or overwrite files and ultimately escalate to root privileges.

Read more
register securityNews
Jun 15, 2026
Cisco SD-WAN make-me-root bug under attack

A Cisco Catalyst SD-WAN Manager web UI vulnerability caused by improper validation of user-supplied input during file upload, allowing an authenticated attacker to create or overwrite files and later elevate privileges to root.

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures1

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity18

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2026-20262
NVD
nvd.nist.gov/vuln/detail/CVE-2026-20262
MITRE CWE · CWE-22
Improper Limitation of a Pathname to a…
sec.cloudapps.cisco.com
sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-arbfw-c2rZvQ
cisa.gov
cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-20262