
Cisco Patches SD-WAN Zero-Day Already Exploited in Attacks

Manaal Khan · 15 June 2026 at 11:22 pm · 5 min read

Key Takeaways

Source: BleepingComputer
  • CVE-2026-20262 allows authenticated attackers to escalate to root via crafted HTTP requests
  • All Catalyst SD-WAN Manager deployments are affected, including cloud, on-prem, and FedRAMP
  • This is the sixth SD-WAN vulnerability CISA has tagged as exploited in the wild

Cisco released security updates on Monday to fix a vulnerability in Catalyst SD-WAN Manager that attackers were already exploiting to gain root privileges on enterprise networks. The flaw, tracked as CVE-2026-20262, affects all deployment types and stems from weak input validation during file uploads.

Catalyst SD-WAN Manager, formerly known as SD-WAN vManage, is centralized network management software that lets administrators control up to 6,000 SD-WAN devices from a single dashboard. Because it sits at the core of enterprise network infrastructure, vulnerabilities in this platform are high-value targets for attackers seeking persistent access.

How the Attack Works

The vulnerability exists in the web UI's file upload functionality. Cisco's advisory explains that the software does not properly validate user-supplied input, which lets authenticated attackers with low privileges send crafted HTTP requests to an API endpoint. A successful exploit allows them to create or overwrite any file on the underlying operating system.

An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected API endpoint of the affected system. A successful exploit could allow the attacker to create or overwrite any file on the underlying operating system. This file could later be used to elevate to root.

— Cisco security advisory

The CVSS base score for CVE-2026-20262 is 6.5 (Medium). The number is modest because the attacker must already hold valid credentials and the direct effect is a file write rather than immediate code execution, but the real danger lies in chaining. An attacker who can create or overwrite any file on the underlying operating system can plant files that enable privilege escalation to root, which gives complete control over the management platform.
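To make the vulnerability class concrete, here is an added, illustrative Python upload handler. It is not Cisco's code and does not reproduce the affected endpoint (Cisco has not published it); it shows the general pattern the advisory describes, an upload path that trusts the client-supplied file name, beside a hardened version that keeps only the base name, applies an extension allowlist, re-checks the resolved location and refuses to overwrite. The temporary directories and the `.csv`/`.png` allowlist are assumptions made for the demo.

```python
"""Illustrative upload handler: unvalidated file name (arbitrary file write) beside a hardened version.
Demo code added to this article; not Cisco's implementation."""
import os
import tempfile
from pathlib import Path

UPLOAD_ROOT = Path(tempfile.mkdtemp(prefix="sdwan-demo-"))  # stand-in for the server's upload directory
ALLOWED_SUFFIXES = {".csv", ".png"}                          # assumed allowlist for the demo; choose for the real app


def save_upload_unsafe(filename: str, data: bytes) -> Path:
    """Trusts the client-supplied name: '../x/index.jsp' or an absolute path escapes UPLOAD_ROOT."""
    target = UPLOAD_ROOT / filename          # pathlib keeps '..' and replaces the root on an absolute name
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(data)                 # overwrites silently if the file already exists
    return target


def save_upload_safe(filename: str, data: bytes) -> Path:
    """Keeps only the last path component, checks the extension, re-verifies the resolved path, never overwrites."""
    name = os.path.basename(filename.replace("\\", "/"))   # strip directories, including Windows separators
    if not name or name.startswith(".") or Path(name).suffix.lower() not in ALLOWED_SUFFIXES:
        raise ValueError(f"rejected upload name: {filename!r}")
    target = (UPLOAD_ROOT / name).resolve()
    if target.parent != UPLOAD_ROOT.resolve():              # defence in depth against symlinks or odd names
        raise ValueError("resolved path escaped the upload root")
    with open(target, "xb") as fh:                          # create-only: an existing file is never overwritten
        fh.write(data)
    return target


def demo() -> dict:
    """Constructed scenario: a traversal name aimed at a second temp directory that we control."""
    escape_dir = Path(tempfile.mkdtemp(prefix="sdwan-escape-"))
    traversal = os.path.relpath(escape_dir / "index.jsp", UPLOAD_ROOT)  # e.g. '../sdwan-escape-abc/index.jsp'
    planted = b"<% /* placeholder content, not a web shell */ %>"
    unsafe_written = save_upload_unsafe(traversal, planted)
    try:
        save_upload_safe(traversal, planted)
        safe_rejected = False
    except ValueError:
        safe_rejected = True
    return {
        "unsafe_escaped_root": unsafe_written.resolve().parent != UPLOAD_ROOT.resolve(),
        "planted_file_exists": (escape_dir / "index.jsp").exists(),
        "safe_rejected": safe_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The hardened version rejects the traversal twice over: the base name `index.jsp` fails the allowlist, and even an allowed name such as `../evil.csv` is reduced to `evil.csv` inside the upload root.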

All Deployment Types Affected

Cisco confirmed the flaw affects every deployment configuration:

  • On-premises deployments
  • Cisco SD-WAN Cloud-Pro
  • Cisco SD-WAN Cloud (Cisco Managed)
  • Cisco SD-WAN for Government (FedRAMP)

Device configuration does not matter. If you run Catalyst SD-WAN Manager, you need to patch.

Fixed Versions

Cisco published patches across all supported release branches. Here are the vulnerable and fixed version numbers:

Vulnerable release          Fixed release
20.9.9.1 and earlier        20.9.9.2
20.12.7.1 and earlier       20.12.7.2
20.15.4.4 and earlier       20.15.4.5
20.15.5.2 and earlier       20.15.5.3
20.18.3                     20.18.3.1
26.1.1.1 and earlier        26.1.1.2
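As an added helper (not from Cisco or the original article), the following Python function maps a running version string to the table above and reports whether it falls in a vulnerable range. Branch membership is inferred from the leading version components, so 20.15.4.x and 20.15.5.x map to their own rows; releases on branches the table does not list are reported as "unlisted" rather than guessed, and should be checked against Cisco's advisory directly.

```python
"""Triage a Catalyst SD-WAN Manager version against the CVE-2026-20262 fixed-release table.
Added helper; the table rows are copied from the article, the branch prefixes are inferred from them."""
from typing import Tuple

Version = Tuple[int, ...]

# (branch prefix, highest listed vulnerable release, first fixed release)
FIXED_RELEASES = [
    ((20, 9),     (20, 9, 9, 1),  (20, 9, 9, 2)),
    ((20, 12),    (20, 12, 7, 1), (20, 12, 7, 2)),
    ((20, 15, 4), (20, 15, 4, 4), (20, 15, 4, 5)),
    ((20, 15, 5), (20, 15, 5, 2), (20, 15, 5, 3)),
    ((20, 18, 3), (20, 18, 3),    (20, 18, 3, 1)),
    ((26, 1),     (26, 1, 1, 1),  (26, 1, 1, 2)),
]


def parse_version(text: str) -> Version:
    """'20.15.4.4' -> (20, 15, 4, 4). Rejects anything that is not dotted integers."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def fmt(v: Version) -> str:
    return ".".join(str(p) for p in v)


def triage(version_text: str) -> dict:
    """Return {'version', 'status', 'fixed'} with status in {'vulnerable', 'fixed', 'unlisted'}."""
    v = parse_version(version_text)
    # Tuple comparison is lexicographic, so (20, 18, 3) < (20, 18, 3, 1) as intended.
    rows = [r for r in FIXED_RELEASES if v[: len(r[0])] == r[0]]
    if not rows:
        return {"version": fmt(v), "status": "unlisted", "fixed": None}
    _prefix, last_vulnerable, fixed = max(rows, key=lambda r: len(r[0]))  # most specific branch wins
    if v >= fixed:
        return {"version": fmt(v), "status": "fixed", "fixed": fmt(fixed)}
    if v <= last_vulnerable:
        return {"version": fmt(v), "status": "vulnerable", "fixed": fmt(fixed)}
    return {"version": fmt(v), "status": "unlisted", "fixed": fmt(fixed)}


if __name__ == "__main__":
    import sys
    for arg in sys.argv[1:] or ["20.15.4.3", "20.18.3", "26.1.1.2", "20.13.1"]:
        print(triage(arg))
```

Run it with the version shown in the admin console as the argument; a "vulnerable" result names the release to move to.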

Indicators of Compromise

Cisco did not share details about the attacks themselves, but it did provide indicators of compromise. The company advises administrators to check three log files for suspicious activity:

  • vmanage-server logs
  • vmanage-appserver logs
  • serviceproxy-access logs

Look for attempts to upload index.jsp and .war files. A .war file is a deployable Java web application archive and index.jsp is a common web shell name, so upload attempts for either suggest an attacker trying to plant a backdoor on the management server.
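An added example, not Cisco's tooling, of the log check described above, in Python. Cisco has not published the log line format on this page, so the sample lines below are constructed in a generic access-log style with a placeholder URL path; the regexes only require a line to carry an index.jsp or .war file reference together with some sign of an upload (a POST or PUT method, "multipart", "upload", or a filename= token), which keeps ordinary GET requests for index.jsp out of the results.

```python
"""Scan SD-WAN Manager log text for the upload IOCs Cisco listed (index.jsp and .war files).
Added detection example; the log format and URL paths below are constructed, not Cisco's."""
import re
import sys
from typing import Dict, Iterable, List

# A reference to index.jsp or any .war archive, as a bare name or with a path prefix.
IOC_FILE = re.compile(r"(?:[\w./-]*/)?(?:index\.jsp|[\w.-]+\.war)\b", re.IGNORECASE)
# Something that marks the line as an upload rather than an ordinary page fetch.
UPLOAD_HINT = re.compile(r"\b(?:POST|PUT)\b|multipart|upload|filename=", re.IGNORECASE)

# Constructed sample lines in a generic access-log style; "/placeholder/..." is not a real endpoint.
SAMPLE_LINES = """\
10.0.5.23 - admin [15/Jun/2026:03:14:07 +0000] "GET /placeholder/devices HTTP/1.1" 200 5120
10.0.5.23 - readonly [15/Jun/2026:03:14:09 +0000] "POST /placeholder/upload HTTP/1.1" 200 88 multipart filename="index.jsp"
10.0.5.23 - readonly [15/Jun/2026:03:14:11 +0000] "POST /placeholder/upload HTTP/1.1" 200 88 multipart filename="backdoor.war"
10.0.7.9 - netops [15/Jun/2026:03:20:00 +0000] "GET /index.jsp HTTP/1.1" 200 1024
10.0.7.9 - netops [15/Jun/2026:03:21:00 +0000] "POST /placeholder/upload HTTP/1.1" 200 88 multipart filename="sites.csv"
"""


def find_upload_iocs(lines: Iterable[str], source: str = "<stdin>") -> List[Dict[str, object]]:
    """Return one hit per line that references an IOC file name AND looks like an upload."""
    hits: List[Dict[str, object]] = []
    for n, line in enumerate(lines, 1):
        m = IOC_FILE.search(line)
        if m and UPLOAD_HINT.search(line):
            hits.append({"source": source, "line": n, "file": m.group(0), "text": line.rstrip()})
    return hits


def scan_files(paths: Iterable[str]) -> List[Dict[str, object]]:
    """Scan each log file given on the command line (e.g. the vmanage-server, vmanage-appserver
    and serviceproxy-access logs); non-UTF-8 bytes are replaced rather than aborting the scan."""
    hits: List[Dict[str, object]] = []
    for p in paths:
        with open(p, errors="replace") as fh:
            hits.extend(find_upload_iocs(fh, source=p))
    return hits


if __name__ == "__main__":
    found = scan_files(sys.argv[1:]) if len(sys.argv) > 1 else find_upload_iocs(SAMPLE_LINES.splitlines(), "sample")
    for h in found:
        print(f"{h['source']}:{h['line']}: {h['file']}  <- {h['text']}")
    sys.exit(1 if found else 0)  # non-zero exit lets a cron job or playbook flag a finding
```

Pass the three log files as arguments to scan real data; with no arguments it runs against the constructed sample, where only the two upload lines are reported and the plain GET of /index.jsp is not. Treat any hit as a reason to start incident response rather than as proof on its own, since the real log format may differ from the sample.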

Part of a Larger Pattern

This is not an isolated incident. Cisco has dealt with a string of SD-WAN security issues throughout 2026:

February 2026
Cisco patched CVE-2026-20133, an information disclosure flaw in Catalyst SD-WAN Manager
Late April 2026
CVE-2026-20133 flagged as actively exploited
May 2026
Cisco warned of CVE-2026-20128 and CVE-2026-20122 being abused in the wild
May 2026
CVE-2026-20182, a maximum-severity authentication bypass, tagged as exploited zero-day
Early June 2026
Cisco warned of CVE-2026-20245, another unpatched zero-day enabling root access
June 15, 2026
CVE-2026-20262 patch released after active exploitation discovered

The Cybersecurity and Infrastructure Security Agency (CISA) has tagged 91 Cisco vulnerabilities as exploited in the wild over the past several years. Six of those affect Cisco Catalyst SD-WAN components.

Why SD-WAN Is a Prime Target

SD-WAN management platforms are attractive targets because they control the network fabric itself. Compromising a single vManage instance can give attackers visibility and control over thousands of branch locations. Root access on the management server means persistent backdoors, traffic interception capabilities, and the ability to push malicious configurations to edge devices.

Discussions on Hacker News and Reddit's r/sysadmin have focused on what some are calling "SD-WAN zero-day chains." Users expressed frustration at the frequency of these attacks and the operational difficulty of patching mission-critical infrastructure quickly.

Logicity's Take

What to Do Now

  1. Identify your current Catalyst SD-WAN Manager version using the admin console
  2. Apply the appropriate patch from Cisco's security advisory
  3. Check vmanage-server, vmanage-appserver, and serviceproxy-access logs for .jsp and .war file upload attempts
  4. If you find IOCs, assume compromise and begin incident response procedures
  5. Review network segmentation around your SD-WAN management infrastructure

Frequently Asked Questions

What is CVE-2026-20262?

It's a vulnerability in Cisco Catalyst SD-WAN Manager that allows authenticated attackers to write arbitrary files to the system, which can be used to escalate privileges to root.

Is this vulnerability being actively exploited?

Yes. Cisco's Product Security Incident Response Team confirmed active exploitation before the patch was released, making this a zero-day attack.

Which SD-WAN deployments are affected?

All of them. On-premises, Cisco SD-WAN Cloud-Pro, Cisco-managed cloud, and FedRAMP deployments are all vulnerable regardless of device configuration.

How do I check if my system was compromised?

Review vmanage-server, vmanage-appserver, and serviceproxy-access logs for attempts to upload index.jsp or .war files.

What is the severity of this vulnerability?

The CVSS score is 6.5 (Medium), but the real-world risk is higher because the file write capability enables privilege escalation to root.

Manaal Khan

Tech & Innovation Writer