Cisco discloses second exploited SD-WAN vulnerability in two weeks (CVE-2026-20262)
Cisco has revealed another Catalyst SD-WAN Manager vulnerability (CVE-2026-20262) that its Product Security Incident Response Team observed being exploited by attackers.
But the associated security advisory also states that “the vulnerability was found during internal security testing”, raising the question of how attackers came to exploit it before Cisco had disclosed it publicly.
The vulnerability (CVE-2026-20262)
Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage) is the management plane for the entire Cisco SD-WAN fabric.
CVE-2026-20262 is a path traversal flaw in the solution’s web user interface that can be exploited by sending a crafted HTTP request to an affected API endpoint on a vulnerable system.
“A successful exploit could allow the attacker to create or overwrite any file on the underlying operating system. This file could later be used to elevate to root. To exploit this vulnerability, the attacker must have valid credentials with at least write access,” Cisco explained.
Like CVE-2026-20245 before it, CVE-2026-20262 stems from insufficient validation of user-supplied input and affects all Catalyst SD-WAN Manager deployment types: on-prem, Cloud-Pro, Cloud (Cisco Managed), and for Government (FedRAMP).
When Cisco disclosed CVE-2026-20245 nearly two weeks ago, it was still working on patches for it. The company released all of the fixed software versions by June 12.
The list of Cisco Catalyst SD-WAN releases that contain the fix for CVE-2026-20262 is identical to the list of releases that contain the fix for CVE-2026-20245. It’s unclear whether Cisco was simultaneously working on fixes for both, or whether the fix for CVE-2026-20245 also happens to plug the CVE-2026-20262 hole.
Help Net Security has reached out to Cisco with questions about the patches and the circumstances of the vulnerability’s discovery, and we’ll update this article when we hear back.
Indicators of compromise and remediation
Cisco has advised that customers upgrade to a fixed software release.
Those that have Cisco Catalyst SD-WAN Manager systems and ports exposed to the internet can search their log files for specific indicators of compromise (detailed in the advisory).
The indicators of compromise point to attackers abusing CVE-2026-20262 to drop a malicious file with a .war extension, and vManage’s WildFly Java application server deploying it as a Java web application accessible via the web server.
Attackers have been spotted interacting with it by sending commands via POST requests.
Cisco noted that it’s possible that some of these specific log entries might not consistently appear in every incident log, but that their presence “provides insight into what an attacker can do after initial compromise, such as deploy malicious code and interact with it.”
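The pattern described above can be hunted for generically. The following is an added example, not taken from Cisco's advisory or from this article's sources: it flags WildFly deployments of .war archives that are not on a known-good list, then pulls the POST requests sent to the resulting web context. The log lines are constructed, and the log formats, the allowlist and the mapping from archive name to context path are assumptions; the advisory's own indicators remain the authoritative reference.

```python
import re

# Constructed sample lines; real vManage log locations and formats may differ.
SERVER_LOG = """\
2026-06-10 02:14:07,113 INFO  [org.jboss.as.server.deployment] WFLYSRV0027: Starting deployment of "vmanage.war" (runtime-name: "vmanage.war")
2026-06-14 03:41:55,902 INFO  [org.jboss.as.server.deployment] WFLYSRV0027: Starting deployment of "sample-x.war" (runtime-name: "sample-x.war")
"""
ACCESS_LOG = """\
198.51.100.7 - - [14/Jun/2026:03:42:10 +0000] "POST /sample-x/index.jsp HTTP/1.1" 200 412
198.51.100.7 - - [14/Jun/2026:03:42:31 +0000] "POST /sample-x/index.jsp HTTP/1.1" 200 1290
203.0.113.20 - admin [14/Jun/2026:03:50:02 +0000] "POST /vmanage/dataservice/device HTTP/1.1" 200 88
203.0.113.20 - admin [14/Jun/2026:03:51:00 +0000] "GET /sample-x/ HTTP/1.1" 200 10
"""
EXPECTED_WARS = {"vmanage.war"}  # hypothetical allowlist; build it from a known-good system

DEPLOY_RE = re.compile(r'^(\S+ \S+) .*WFLYSRV0027: Starting deployment of "([^"]+\.war)"', re.I)
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def unexpected_deployments(server_log, allowlist=EXPECTED_WARS):
    """Map context path -> (timestamp, archive) for deployed .war files not on the allowlist."""
    found = {}
    for line in server_log.splitlines():
        m = DEPLOY_RE.match(line)
        if m and m.group(2).lower() not in allowlist:
            # Assumption: context root is the archive name without ".war" (WildFly default).
            found["/" + m.group(2)[:-4]] = (m.group(1), m.group(2))
    return found

def posts_to_contexts(access_log, contexts):
    """Return (client, timestamp, path, status) for POSTs under any flagged context."""
    hits = []
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        client, ts, method, path, status = m.groups()
        if method == "POST" and any(path == c or path.startswith(c + "/") for c in contexts):
            hits.append((client, ts, path, int(status)))
    return hits

def triage(server_log, access_log):
    """Correlate unexpected .war deployments with POST traffic sent to them."""
    flagged = unexpected_deployments(server_log)
    return {"deployments": flagged, "posts": posts_to_contexts(access_log, flagged)}

if __name__ == "__main__":
    report = triage(SERVER_LOG, ACCESS_LOG)
    for ctx, (ts, war) in report["deployments"].items():
        print(f"unexpected deployment {war} at {ts} -> context {ctx}")
    for hit in report["posts"]:
        print("POST to flagged context:", hit)
```

An empty result does not clear a system, since Cisco notes that these log entries may not appear consistently in every incident.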
Sustained attacks on Cisco SD-WAN
The US Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-20262 to its Known Exploited Vulnerabilities catalog on Monday, and ordered US federal civilian agencies to address it by June 29, 2026.
The 14-day remediation period is consistent with the requirements laid out in CISA’s new Binding Operational Directive, which orders agencies to prioritize security updates based on risk.
Since the beginning of this year, Cisco has released fixes for a handful of Catalyst SD-WAN Manager vulnerabilities that attackers have been exploiting as zero- or n-days:
- The already mentioned CVE-2026-20245 (allowing privilege escalation)
- CVE-2026-20182 (an authentication bypass flaw)
- CVE-2026-20133, CVE-2026-20128 and CVE-2026-20122 (two information disclosure and one arbitrary file overwrite vulnerability, respectively)
- CVE-2026-20127 (an authentication bypass bug).
Whether all of these vulnerabilities have been leveraged by the same threat group remains unknown, but the sustained, methodical focus on the platform suggests a determined adversary with deep familiarity with Cisco’s SD-WAN architecture.

