CVE-2026-20262 — Cisco Catalyst SD-WAN Manager Directory or Path Traversal Vulnerability

Cisco Catalyst SD-WAN Manager — Arbitrary File Write via Path Traversal Leading to Root

What is Cisco Catalyst SD-WAN Manager?

Cisco Catalyst SD-WAN Manager (formerly vManage) is the centralized management and orchestration plane for Cisco's SD-WAN fabric. It handles policy management, device onboarding, telemetry collection, and configuration push across entire enterprise WAN deployments — often spanning hundreds or thousands of branch routers. Its management web UI runs on an embedded WildFly (JBoss) Java application server. Because SD-WAN Manager has privileged control over an organization's entire WAN fabric, it is a high-value target for state-level actors conducting enterprise network espionage or pre-positioning for destructive attacks.

Overview

CVE-2026-20262 is a path traversal vulnerability (CWE-22) in the Cisco Catalyst SD-WAN Manager web UI's file upload API. An authenticated attacker with low-privileged (write-level) credentials can write arbitrary files to any location on the underlying filesystem. Cisco confirms that a written file "could later be used to elevate to root" — the effective impact is remote code execution with root privileges despite the CVSS 6.5 MEDIUM base score.

This is the eighth Cisco SD-WAN vulnerability added to CISA's KEV catalog in 2026, reflecting sustained, targeted exploitation of Cisco's SD-WAN infrastructure.

Affected Versions

Release train | Vulnerable through | Fixed version
20.9.x | 20.9.9.1 | 20.9.9.2
20.12.x | 20.12.7.1 | 20.12.7.2
20.15.x | 20.15.4.4 / 20.15.5.2 | 20.15.4.5 / 20.15.5.3
20.18.x | 20.18.3 | 20.18.3.1
26.1.x | 26.1.1.1 | 26.1.1.2

All deployment types are affected: on-premises, SD-WAN Cloud-Pro, Cisco-managed Cloud, and FedRAMP (SD-WAN for Government).

Technical Details

The vulnerability exists in the web UI's file upload API endpoint. The endpoint accepts user-supplied filenames or paths without sufficiently sanitizing directory traversal sequences (../), allowing an attacker to write an uploaded payload to an arbitrary filesystem location outside the intended upload directory.
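The missing check described above, sketched as an added Python example (not Cisco's code; the product's upload handler is not shown on this page). The function names and the `uploads` / `autodeploy` directory names are hypothetical, and the inputs are constructed.

```python
import os
import tempfile

def naive_upload_path(upload_dir, filename):
    # Vulnerable pattern: the client-supplied name is joined as-is, so "../"
    # segments or an absolute path select a destination outside upload_dir.
    return os.path.normpath(os.path.join(upload_dir, filename))

def safe_upload_path(upload_dir, filename):
    """Return the resolved destination; raise ValueError if it leaves upload_dir."""
    if "\x00" in filename:
        raise ValueError("NUL byte in filename")
    base = os.path.realpath(upload_dir)
    # Treat "\" as a separator too, then let realpath collapse ".." and follow
    # symlinks before the containment check.
    dest = os.path.realpath(os.path.join(base, filename.replace("\\", "/")))
    if dest == base or os.path.commonpath([base, dest]) != base:
        raise ValueError(f"destination escapes upload directory: {filename!r}")
    return dest

# Constructed inputs: two legitimate names and three traversal variants.
CASES = ["report.csv", "sub/report.csv", "../autodeploy/x.war",
         "/etc/cron.d/x", "..\\autodeploy\\x.war"]

def demo():
    with tempfile.TemporaryDirectory() as root:
        uploads = os.path.join(root, "uploads")
        autodeploy = os.path.join(root, "autodeploy")  # stand-in directory
        os.makedirs(uploads)
        os.makedirs(autodeploy)
        verdicts = {}
        for name in CASES:
            try:
                safe_upload_path(uploads, name)
                verdicts[name] = "accepted"
            except ValueError:
                verdicts[name] = "rejected"
        naive = naive_upload_path(uploads, "../autodeploy/x.war")
        return verdicts, naive == os.path.join(autodeploy, "x.war")

if __name__ == "__main__":
    print(demo())
```

The containment test runs on the fully resolved path, so it does not depend on spotting a particular spelling of `../` in the input.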

The escalation path from arbitrary file write to root: an attacker drops a malicious .war (Web ARchive) file into WildFly's auto-deploy directory. WildFly detects and automatically deploys the WAR, executing attacker-controlled code under the application server's process context. From there, privilege escalation to root is achievable via standard techniques — writing to sudoers, cron jobs, SUID binaries, or SSH backdoors.

The 6.5 MEDIUM base score follows from a vector that scores only integrity impact (I:H, with confidentiality and availability both None), but the practical severity is significantly higher: full system compromise and persistent access to the SD-WAN fabric.

Discovery

Cisco attributes discovery to internal security testing. However, exploits were observed before public disclosure, indicating attackers had access to the vulnerability prior to or concurrent with Cisco's own testing. No external researcher is credited.

Exploitation Context

Active exploitation in targeted attacks was confirmed by Cisco and CISA at time of disclosure on June 15, 2026. Attack patterns are consistent with a highly targeted operation — limited scope with indications of state-sponsored or advanced persistent threat activity. Prior related CVEs exploited in 2026 include CVE-2026-20245 (privilege escalation), CVE-2026-20182 (authentication bypass), and CVE-2026-20133 (information disclosure/file overwrite), suggesting attackers have been systematically working through Cisco SD-WAN Manager's attack surface.

SD-WAN Manager is typically not internet-exposed by design, but misconfigured or cloud-hosted instances are reachable — and the FedRAMP variant being affected indicates U.S. government network infrastructure is in scope. No specific threat group has been publicly attributed and no public proof-of-concept exploit has been released as of June 2026.

Remediation

  1. Upgrade immediately to the fixed version for your release train (see table above). Cisco confirmed no configuration workaround exists.
  2. Restrict network access: Ensure SD-WAN Manager's web UI (typically port 8443) is not internet-exposed — restrict to management VPN or out-of-band access only.
  3. Review logs for exploitation indicators:
    • vmanage-server.log — look for unusual file uploads, especially .war files or paths containing ../
    • vmanage-appserver.log — look for unexpected WAR deployments or new application context activations
    • serviceproxy-access.log — look for unusual access to deployed WAR endpoints
  4. Rotate credentials: Revoke and rotate all SD-WAN Manager credentials; audit user accounts for unauthorized write-level accounts.
  5. Assume compromise if exploitation is suspected: Treat the vManage host as fully compromised — perform forensic analysis of WildFly's deploy directory, check for new cron jobs, SUID binaries, or SSH backdoors installed under the application server account.
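One way to run the log review in step 3, as an added example rather than a Cisco tool. The sample lines are constructed and do not reproduce the real format of these logs; the `/example/upload` path and the `autodeploy` name are placeholders. Repeated percent-decoding is included because an encoded `../` does not match a literal search.

```python
import re
from urllib.parse import unquote

# ".." as a whole path segment: preceded by start, separator, "=", quote or space.
TRAVERSAL = re.compile(r"(^|[\\/=\s\"'])\.\.([\\/]|$)")
# Any token ending in ".war" (upload name, deployment message, request path).
WAR = re.compile(r"[^\s\"'=]+\.war\b", re.IGNORECASE)

def fully_decode(text, max_rounds=3):
    # Peel nested percent-encoding: %252e%252e%252f -> %2e%2e%2f -> ../
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def triage(lines):
    """Return (line_number, [reasons]) for every line worth a closer look."""
    findings = []
    for number, raw in enumerate(lines, 1):
        line = fully_decode(raw)
        reasons = []
        if TRAVERSAL.search(line):
            reasons.append("traversal")
        if WAR.search(line):
            reasons.append("war")
        if reasons:
            findings.append((number, reasons))
    return findings

# Constructed sample lines (formats assumed, not taken from a real system).
SAMPLE = [
    "2026-06-10 02:11:04 INFO upload user=opsviewer file=branch-template.csv",
    "2026-06-10 02:14:37 INFO upload user=opsviewer file=../../autodeploy/status.war",
    '192.0.2.10 - - [10/Jun/2026:02:14:36 +0000] "POST /example/upload'
    '?name=%252e%252e%252fautodeploy%252fstatus.war HTTP/1.1" 200',
    '2026-06-10 02:14:41 INFO Deployed "status.war"',
    "2026-06-10 03:00:00 INFO software check retrying... done",
]

if __name__ == "__main__":
    for number, reasons in triage(SAMPLE):
        print(number, ",".join(reasons))
```

A `war` hit on its own is a lead, not a verdict: compare the name against the applications the release is expected to deploy.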

Key Details

Property | Value
CVE ID | CVE-2026-20262
Vendor / Product | Cisco — Catalyst SD-WAN Manager
NVD Published | 2026-06-15
NVD Last Modified | 2026-06-16
CVSS 3.1 Score | 6.5
CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Severity | MEDIUM
CWE | CWE-22
CISA KEV Added | 2026-06-15
CISA KEV Deadline | 2026-06-29
Known Ransomware Use | No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: High
Availability: None

Required Action

CISA BOD 22-01 Deadline: 2026-06-29. Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA's BOD 26-04 Prioritizing Security Updates Based on Risk guidance. No workarounds are available — upgrade to a fixed release immediately.

Timeline

Date | Event
2026-06-15 | CVE-2026-20262 published; Cisco releases patch
2026-06-15 | Added to CISA Known Exploited Vulnerabilities catalog
2026-06-29 | CISA BOD 22-01 remediation deadline