Secure Cyber Vulnerability Management

17/06/2026
Qualys-Threat-Protect

CISA Warns of Active Exploitation of Cisco Catalyst SD-WAN Manager Vulnerability (CVE-2026-20262)

by Deepanshu Jha

CISA has warned U.S. government agencies about an actively exploited vulnerability in Cisco Catalyst SD-WAN Manager. Tracked as CVE-2026-20262, successful exploitation of this vulnerability could allow an authenticated, remote attacker to create or overwrite any file on the affected system’s filesystem.

CISA has urged users to patch the vulnerability before June 29, 2026.

Cisco Catalyst SD-WAN Manager is a centralized network management system (NMS) that provides a single pane of glass for configuring, monitoring, and troubleshooting an entire SD-WAN fabric. It serves as the orchestration and management plane of the Cisco Catalyst SD-WAN architecture.

Vulnerability Details

The vulnerability exists in the web UI of Cisco Catalyst SD-WAN Manager because the software does not properly validate user-supplied input during file upload. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected API endpoint of the affected system.

Successful exploitation of the vulnerability could allow an attacker to create or overwrite any file on the underlying operating system. This file could later be used to elevate to root. To exploit this vulnerability, the attacker must have valid credentials with at least write access.

Affected and Patched Versions

This vulnerability affects all Cisco Catalyst SD-WAN Manager, regardless of device configuration.

The vulnerability affects all deployment types, including:

  • On-Prem Deployment
  • Cisco SD-WAN Cloud-Pro
  • Cisco SD-WAN Cloud (Cisco Managed)
  • Cisco SD-WAN for Government (FedRAMP)

The following are the affected and patched versions:

Cisco Catalyst SD-WAN Release Fixed Release
20.9.9.1 and earlier 20.9.9.2
20.12.7.1 and earlier 20.12.7.2
20.15.4.4 and earlier 20.15.4.5
20.15.5.2 and earlier 20.15.5.3
20.18.3 20.18.3.1
26.1.1.1 and earlier 26.1.1.2

Customers can refer to the Cisco Security Advisory (cisco-sa-sdwan-arbfw-c2rZvQ) for information about the vulnerability.

Qualys Detection

Qualys customers can scan their devices with QID 317858 to detect vulnerable assets.

Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.

References
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-privesc-4uxFrdzx

Comments are closed.

You may also like