File Upload Vulnerability in Cisco Catalyst SD-WAN Manager
CVE-2026-20262

6.5MEDIUM

Key Information:

Vendor

Cisco

Vendor
CVE Published:
15 June 2026

Badges

📈 Trended📈 Score: 2,760💰 Ransomware👾 Exploit Exists🟡 Public PoC🦅 CISA Reported📰 News Worthy

What is CVE-2026-20262?

CVE-2026-20262 is a significant vulnerability found in the web UI of Cisco Catalyst SD-WAN Manager, a solution widely deployed for managing software-defined WANs (SD-WANs). This vulnerability arises from improper validation of user-supplied input during the file upload process. An authenticated remote attacker, with valid credentials for at least a lower-privileged user account, can exploit this weakness to create or overwrite files on the filesystem of an affected system. The implications of this vulnerability could be severe, as it potentially allows an attacker to manipulate critical system files, which could be leveraged for elevated access or to compromise the integrity of the entire system.

Potential impact of CVE-2026-20262

  1. Unauthorized File Manipulation: The vulnerability allows attackers to create or overwrite files on the filesystem, which can lead to unauthorized modifications to critical system components or configurations.

  2. Escalation of Privileges: By exploiting this vulnerability, attackers can potentially gain higher levels of access within the system, enabling them to execute further malicious activities, including arbitrary code execution.

  3. Increased Risk of Data Breach: The ability to modify files on the system can lead to data leaks or corruption, exposing sensitive information and potentially impacting the confidentiality and integrity of organizational data.

CISA has reported CVE-2026-20262

CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitor the most dangerious vulnerabilities and have identifed CVE-2026-20262 as being exploited but is not known by the CISA to be used in ransomware campaigns. This is subject to change at pace as recent news articles suggest the vulnerability is being used by ransomware groups.

The CISA's recommendation is: Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.

Affected Version(s)

Cisco Catalyst SD-WAN Manager 20.1.12

Cisco Catalyst SD-WAN Manager 19.2.1

Cisco Catalyst SD-WAN Manager 18.4.4

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

News Articles

Week in review: 74k Fortinet firewall credentials stolen, Splunk Enterprise RCE under active attack - Help Net Security

Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: A hardware neural network backdoor that hides in plain

2 weeks ago

Cisco Releases Security Updates for Actively Exploited SD-WAN Manager Flaw

Cisco patched CVE-2026-20262 in Catalyst SD-WAN Manager after limited exploitation, with federal fixes due June 29.

3 weeks ago

Cisco SD-WAN make-me-root bug under attack

Second Catalyst SD-WAN Manager flaw exploited as an 0-day this month

3 weeks ago

References

EPSS Score

7% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • 📈

    Vulnerability started trending

  • 💰

    Used in Ransomware

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • 🦅

    CISA Reported

  • 📰

    First article discovered by BleepingComputer

  • Vulnerability published

  • Vulnerability Reserved

.