CVE-2026-20262: CISCO Catalyst SD-WAN Flaw Under Active Targeted Exploitation
June 16, 2026 
Cisco warned that CVE-2026-20262, a Catalyst SD-WAN Manager vulnerability allowing arbitrary file writes, is being actively exploited.
Cisco confirmed active exploitation of CVE-2026-20262, an arbitrary file write vulnerability affecting Catalyst SD-WAN Manager.
CVE-2026-20262 (CVSS score of 6.5) is an arbitrary file write vulnerability in the web interface of Cisco Catalyst SD-WAN Manager. The flaw is caused by improper validation of user-supplied input during file uploads, allowing an authenticated remote attacker to create or overwrite files on the underlying operating system through a crafted HTTP request.
A successful attack could enable further privilege escalation to root. Exploitation requires valid credentials for a low-privileged user account.
“A vulnerability in the web UI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an authenticated, remote attacker to create a file or overwrite any file on the filesystem of an affected system.” reads the advisory. “This vulnerability exists because the affected software does not properly validate user-supplied input during a file upload process. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected API endpoint of the affected system. A successful exploit could allow the attacker to create or overwrite any file on the underlying operating system. This file could later be used to elevate to root. To exploit this vulnerability, the attacker must have valid credentials with at least write access.”
Successful exploitation could enable further compromise of affected systems, prompting Cisco to urge customers to apply available fixes.
Cisco PSIRT has observed limited exploitation of the vulnerability since June 2026 and strongly urges customers to upgrade to a patched software version to mitigate the risk.
The company did not disclose technical details about the attacks exploiting the flaw; however, the networking giant mentioned that CVE-2026-20262 has been exploited in limited attacks, suggesting a highly targeted operation by a sophisticated threat actor.
This week, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the Cisco Catalyst issue to its Known Exploited Vulnerabilities (KEV) catalog ordering federal agencies to fix it by June 29, 2026.
Last week, the U.S. Cybersecurity and Infrastructure Security Agency added another Cisco Catalyst SD-WAN issue, tracked as CVE-2026-20245 (CVSS score v4.0 of 7.1), to its Known Exploited Vulnerabilities (KEV) catalog.
Other vulnerabilities in Cisco SD-WAN discovered this year are CVE-2026-20122, CVE-2026-20127, CVE-2026-20128, CVE-2026-20133, CVE-2022-20775, and CVE-2026-20182.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, CISCO Catalyst SD-WAN)
Stephan is the sports journalist for the Maple Grove Report.
