Skip to content

Cisco SD-WAN Manager Zero-Day Exploited for Root Access

BleepingComputer · Story 5 of 6

Cisco disclosed and patched CVE-2026-20262 on June 16, 2026, an actively exploited vulnerability in the web UI of Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage). The flaw exists because the software does not properly validate user-supplied input during a file upload process, allowing an authenticated remote attacker with write access to create or overwrite any file on the underlying operating system.

While the CVSS score sits at 6.5 (medium severity), the impact is severe: the overwritten file can be leveraged to elevate privileges to root. The vulnerability affects all deployment types — on-premise, cloud-based, and government — making it a broad exposure across enterprise networks worldwide.

Cisco confirmed active exploitation in the wild, and CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to remediate within a strict timeline. The fix is available in updated releases of Catalyst SD-WAN Manager.

This vulnerability matters because SD-WAN is the backbone of distributed enterprise networking. Root compromise of an SD-WAN controller means an attacker can intercept, redirect, or disrupt traffic across an organization's entire wide-area network — a network operator's worst case scenario.

Any organization using Cisco Catalyst SD-WAN Manager should verify they are running the patched version and audit access logs for suspicious file upload activity.

Analysis
Live

Medium CVSS, maximum blast radius. SD-WAN controllers are force multipliers — compromise one and you own the network. MENA enterprises running Cisco SD-WAN should treat this as P0: patch now, audit file upload logs, and review who has write-level access to vManage. The 'authenticated attacker' requirement is a lower bar than it sounds — any compromised credential gets you in.

Frequently Asked Questions
How serious is CVE-2026-20262?

While rated medium (CVSS 6.5), the vulnerability allows authenticated attackers to achieve root on SD-WAN Manager, giving them full control of the network. CISA added it to the Known Exploited Vulnerabilities catalog due to active exploitation.