File Upload Vulnerability in Cisco Catalyst SD-WAN Manager
CVE-2026-20262
Key Information:
- Vendor
Cisco
- Vendor
- CVE Published:
- 15 June 2026
Badges
What is CVE-2026-20262?
CVE-2026-20262 is a significant vulnerability found in the web UI of Cisco Catalyst SD-WAN Manager, a solution widely deployed for managing software-defined WANs (SD-WANs). This vulnerability arises from improper validation of user-supplied input during the file upload process. An authenticated remote attacker, with valid credentials for at least a lower-privileged user account, can exploit this weakness to create or overwrite files on the filesystem of an affected system. The implications of this vulnerability could be severe, as it potentially allows an attacker to manipulate critical system files, which could be leveraged for elevated access or to compromise the integrity of the entire system.
Potential impact of CVE-2026-20262
-
Unauthorized File Manipulation: The vulnerability allows attackers to create or overwrite files on the filesystem, which can lead to unauthorized modifications to critical system components or configurations.
-
Escalation of Privileges: By exploiting this vulnerability, attackers can potentially gain higher levels of access within the system, enabling them to execute further malicious activities, including arbitrary code execution.
-
Increased Risk of Data Breach: The ability to modify files on the system can lead to data leaks or corruption, exposing sensitive information and potentially impacting the confidentiality and integrity of organizational data.
CISA has reported CVE-2026-20262
CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitor the most dangerious vulnerabilities and have identifed CVE-2026-20262 as being exploited but is not known by the CISA to be used in ransomware campaigns. This is subject to change at pace as recent news articles suggest the vulnerability is being used by ransomware groups.
The CISA's recommendation is: Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.
Affected Version(s)
Cisco Catalyst SD-WAN Manager 20.1.12
Cisco Catalyst SD-WAN Manager 19.2.1
Cisco Catalyst SD-WAN Manager 18.4.4
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
News Articles
Week in review: 74k Fortinet firewall credentials stolen, Splunk Enterprise RCE under active attack - Help Net Security
Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: A hardware neural network backdoor that hides in plain
2 weeks ago
Cisco Releases Security Updates for Actively Exploited SD-WAN Manager Flaw
Cisco patched CVE-2026-20262 in Catalyst SD-WAN Manager after limited exploitation, with federal fixes due June 29.
3 weeks ago
Cisco SD-WAN make-me-root bug under attack
Second Catalyst SD-WAN Manager flaw exploited as an 0-day this month
3 weeks ago
References
EPSS Score
7% chance of being exploited in the next 30 days.
CVSS V3.1
Timeline
- 📈
Vulnerability started trending
- 💰
Used in Ransomware
- 🟡
Public PoC available
- 👾
Exploit known to exist
- 🦅
CISA Reported
- 📰
First article discovered by BleepingComputer
Vulnerability published
Vulnerability Reserved