
Cisco fixes SD-WAN vManage flaw exploited in zero-day attacks

Why This Matters

The recent security update from Cisco addresses a critical zero-day vulnerability in its SD-WAN vManage software that was actively exploited in attacks. This flaw highlights the ongoing risks associated with network management tools and underscores the importance of timely patching to prevent potential root-level compromises. For consumers and organizations relying on Cisco's SD-WAN solutions, staying updated is crucial to maintaining network security and integrity.

Key Takeaways

Cisco has released security updates to address a vulnerability in the Catalyst SD-WAN Manager, tracked as CVE-2026-20262, that was exploited in attacks to escalate to root privileges.

Formerly known as SD-WAN vManage, this network management software allows admins to manage up to 6,000 SD-WAN devices from a single dashboard.

The now-patched zero-day security flaw affects all deployment types, regardless of device configuration, including on-prem deployments, Cisco SD-WAN Cloud-Pro, Cisco SD-WAN Cloud (Cisco Managed), and Cisco SD-WAN for Government (FedRAMP).

Cisco said the issue stems from insufficient validation of user-supplied input during file uploads, which can allow low-privilege remote attackers to execute arbitrary commands as root by sending crafted HTTP requests to an affected API endpoint.

"A vulnerability in the web UI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an authenticated, remote attacker to create a file or overwrite any file on the filesystem of an affected system," Cisco said in a Monday advisory.

"An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected API endpoint of the affected system. A successful exploit could allow the attacker to create or overwrite any file on the underlying operating system. This file could later be used to elevate to root."

Cisco said its Product Security Incident Response Team (PSIRT) became aware of the exploitation of CVE-2026-20262 earlier this month and "strongly" advised customers to patch their systems.

| Cisco Catalyst SD-WAN Release | First Fixed Release |
|---|---|
| 20.9.9.1 and earlier | 20.9.9.2 |
| 20.12.7.1 and earlier | 20.12.7.2 |
| 20.15.4.4 and earlier | 20.15.4.5 |
| 20.15.5.2 and earlier | 20.15.5.3 |
| 20.18.3 | 20.18.3.1 |
| 26.1.1.1 and earlier | 26.1.1.2 |

While the company did not share any details on these attacks, it shared indicators of compromise (IOCs) warning admins to check their SD-WAN vmanage-server, vmanage-appserver, and serviceproxy-access logs for attempts to upload index.jsp and .war files.
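The log check described above can be scripted. The following is an added example, not Cisco's tooling or code from the original article: it flags any line that names index.jsp or a .war file, including percent-encoded forms. The line formats, request paths and addresses in SAMPLE are constructed assumptions, since the article does not describe the real log formats.

```python
import re
from urllib.parse import unquote

# Whole-token match: index.jsp, or any filename ending in .war (not "software.warning").
IOC_RE = re.compile(r"(?<![\w.-])(index\.jsp|[\w.-]+\.war)(?![\w-])", re.IGNORECASE)

def decode(line, rounds=3):
    """Undo up to `rounds` layers of percent-encoding so encoded names still match."""
    for _ in range(rounds):
        decoded = unquote(line)
        if decoded == line:
            break
        line = decoded
    return line

def scan(log_name, lines):
    """Return (log_name, line_number, matched_name, raw_line) for each suspicious line."""
    hits = []
    for number, raw in enumerate(lines, 1):
        match = IOC_RE.search(decode(raw))
        if match:
            hits.append((log_name, number, match.group(1).lower(), raw.strip()))
    return hits

def scan_all(logs):
    """logs maps a log name to an iterable of lines (for example an open file)."""
    return [hit for name, lines in logs.items() for hit in scan(name, lines)]

# Constructed sample lines keyed by the log names from the article (formats are assumed).
SAMPLE = {
    "serviceproxy-access": [
        '198.51.100.10 - - [01/Jan/2026:10:00:01 +0000] "GET /placeholder/status HTTP/1.1" 200 512',
        '198.51.100.10 - - [01/Jan/2026:10:00:05 +0000] "POST /placeholder/upload?file=INDEX.JSP HTTP/1.1" 200 64',
    ],
    "vmanage-server": [
        "INFO placeholder: stored upload filename=app%2Ewar",
        "WARN placeholder: software.warning threshold reached",
    ],
    "vmanage-appserver": [
        "INFO placeholder: request field name=%2569ndex.jsp",
    ],
}

if __name__ == "__main__":
    for log_name, number, name, raw in scan_all(SAMPLE):
        print(f"{log_name}:{number}: {name}: {raw}")
```

A hit is a lead for review rather than proof of compromise; to scan real files, pass open file handles in place of the lists in SAMPLE.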

In February, Cisco patched another Catalyst SD-WAN Manager information disclosure security flaw (CVE-2026-20133), flagged as actively exploited in late April, and, two weeks later, warned of two more flaws (CVE-2026-20128 and CVE-2026-20122) that were abused in the wild.
