Skip to content

Cisco Patches Critical SD-WAN vManage Flaw Exploited in Zero-Day Attacks

Cisco has released security updates to address a critical vulnerability in the Catalyst SD-WAN Manager, formerly known as SD-WAN vManage. The flaw, tracked as CVE-2026-20262, was exploited in attacks to escalate to root privileges.

The SD-WAN vManage is a network management software that allows administrators to manage up to 6,000 SD-WAN devices from a single dashboard. The vulnerability affects all deployment types, including on-prem deployments, Cisco SD-WAN Cloud-Pro, Cisco SD-WAN Cloud (Cisco Managed), and Cisco SD-WAN for Government (FedRAMP).

According to Cisco, the issue stems from insufficient validation of user-supplied input during file uploads. This allows low-privilege remote attackers to execute arbitrary commands as root by sending crafted HTTP requests to an affected API endpoint.

“A vulnerability in the web UI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an authenticated, remote attacker to create a file or overwrite any file on the filesystem of an affected system,” Cisco said in a Monday advisory. “An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected API endpoint of the affected system. A successful exploit could allow the attacker to create or overwrite any file on the underlying operating system. This file could later be used to elevate to root.”

Cisco’s Product Security Incident Response Team (PSIRT) became aware of the exploitation of CVE-2026-20262 earlier this month and “strongly” advised customers to patch their systems.

The company shared indicators of compromise (IOCs) warning administrators to check their SD-WAN vmanage-server, vmanage-appserver, and serviceproxy-access logs for attempts to upload index.jsp and .war files. This is not the first time Cisco has patched a Catalyst SD-WAN Manager vulnerability this year. In February, it fixed an information disclosure security flaw (CVE-2026-20133), flagged as actively exploited in late April.

Cisco also warned of two more flaws (CVE-2026-20128 and CVE-2026-20122) that were abused in the wild two weeks later. Last month, it tagged a maximum-severity Catalyst SD-WAN Controller authentication-bypass flaw (CVE-2026-20182) as actively exploited as a zero-day to gain admin privileges on unpatched devices.

In early June, Cisco warned of another unpatched Catalyst SD-WAN Manager zero-day (CVE-2026-20245) that was exploited in attacks, allowing attackers to gain root privileges. The Cybersecurity and Infrastructure Security Agency (CISA) has tagged 91 Cisco vulnerabilities as abused in the wild, five of them in Cisco Catalyst SD-WAN Manager.

**Patch Your Systems Now**: If you are using the Catalyst SD-WAN Manager, it is essential to apply the latest security updates to prevent exploitation of this vulnerability. The patch addresses all deployment types, including on-prem deployments, Cisco SD-WAN Cloud-Pro, Cisco SD-WAN Cloud (Cisco Managed), and Cisco SD-WAN for Government (FedRAMP).

**What You Can Do**: Administrators should check their systems for the presence of the vulnerability by reviewing the indicators of compromise (IOCs) shared by Cisco. If you are using the Catalyst SD-WAN Manager, it is crucial to apply the latest security updates to prevent exploitation of this vulnerability.

Source: Original article

Leave a Reply

Your email address will not be published. Required fields are marked *