Cisco has patched CVE-2026-20262, an arbitrary file-write vulnerability in Cisco Catalyst SD-WAN Manager that the company says has already seen limited exploitation. The bug is not an unauthenticated internet-wide free-for-all: an attacker needs valid credentials with at least write access. That qualifier still matters less than it sounds, because a low-privilege remote account can create or overwrite files on the appliance and Cisco warns that the written file could later be used to gain root-level control.[1]

CISA added the flaw to its Known Exploited Vulnerabilities catalog on June 15, 2026, giving US federal agencies until June 29, 2026 to apply vendor guidance or stop using the affected product. The catalog entry describes the issue as directory or path traversal in Catalyst SD-WAN Manager and maps it to CWE-22.[2]
The practical priority is straightforward: upgrade Catalyst SD-WAN Manager to a fixed release and then review vManage logs for signs that an attacker abused the upload path before the patch landed. Cisco lists no workaround for this vulnerability, so compensating controls should not be treated as a substitute for the fixed software.[1]
What admins should check now
Cisco lists fixed trains including 20.9.9.2, 20.12.7.2, 20.15.4.5, 20.15.5.3, 20.18.3.1, and 26.1.1.2, depending on the currently installed release train. Environments on earlier listed builds should move to the corresponding fixed release or a later supported train after normal compatibility checks.[1]
The indicator set is useful because Cisco published concrete log patterns instead of only a generic advisory. In /var/log/nms/vmanage-server.log, look for Remote Access AnyConnect profile upload events where a filename uses traversal sequences and writes a suspicious .war file into the WildFly deployment path. Cisco’s example uses ../../../../var/lib/wildfly/standalone/deployments/suspicious.war.[1]
Follow-on traces may appear in /var/log/nms/vmanage-appserver.log as deployment of that WAR file, and in /var/log/nms/containers/service-proxy/serviceproxy-access.log as HTTP requests to a path such as /suspicious/index.jsp. Cisco notes those follow-on lines are not always observed, so their absence should not be used to clear a system if the upload log is suspicious.[1]
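The log hunt described in the two paragraphs above can be scripted. The following is an added example, not code from Cisco or the advisory: it flags upload lines whose filename combines traversal sequences with a .war target, then checks the other two logs for follow-on traces. The sample lines and their layout are constructed for illustration, and the URL-decoding step goes beyond the advisory's example as a hedge against encoded traversal.

```python
import re
from urllib.parse import unquote

# One or more "../" followed by a path ending in a .war file name.
TRAVERSAL_WAR = re.compile(r"(?:\.\./)+([\w./-]*?([\w-]+)\.war)\b")
DEPLOY_DIR = "var/lib/wildfly/standalone/deployments/"  # path from the advisory example

def hunt(server_log, appserver_log=(), access_log=()):
    """Return one finding per suspicious upload line in vmanage-server.log."""
    findings = []
    for lineno, raw in enumerate(server_log, 1):
        match = TRAVERSAL_WAR.search(unquote(raw))  # decode %2e%2e%2f first
        if not match:
            continue
        path, name = match.group(1), match.group(2)
        findings.append({
            "line": lineno,
            "war": f"{name}.war",
            "targets_wildfly": DEPLOY_DIR in path,
            # Follow-on traces are optional evidence; the upload alone is a finding.
            "deployed": any(f"{name}.war" in l for l in appserver_log),
            "requests": [l for l in access_log if f"/{name}/" in l],
        })
    return findings

# Constructed sample lines: the layout is an assumption, not Cisco's log format.
SERVER = [
    "10:01:02 INFO Remote Access AnyConnect profile upload filename=corp-vpn.xml",
    "10:04:10 INFO Remote Access AnyConnect profile upload "
    "filename=../../../../var/lib/wildfly/standalone/deployments/suspicious.war",
    "10:09:33 INFO Remote Access AnyConnect profile upload "
    "filename=%2e%2e%2f%2e%2e%2fvar/lib/wildfly/standalone/deployments/quiet.war",
]
APPSERVER = ['10:04:15 INFO Deployed "suspicious.war"']
ACCESS = ['192.0.2.10 "GET /suspicious/index.jsp HTTP/1.1" 200']

if __name__ == "__main__":
    for f in hunt(SERVER, APPSERVER, ACCESS):
        print(f)
```

The second finding has no deployment or access-log trace and is still reported, matching Cisco's note that follow-on lines are not always observed.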
This is the third recent Cisco SD-WAN story that deserves operational attention. Earlier HowToFix coverage tracked an exploited Cisco SD-WAN root flaw and a separate Cisco SD-WAN authentication-bypass issue. The pattern is similar to other edge-management incidents: once a management plane is reachable and trusted credentials are available, a “low privilege” condition can become a serious post-compromise path. The same lesson applies to exploited VPN and gateway bugs such as the recent Check Point VPN IKEv1 bypass.
For defenders, the clean response is to patch first, then hunt. Confirm the exact Catalyst SD-WAN Manager version, identify accounts with write access, preserve the vManage logs before rotation, search for unexpected WAR/JSP deployment artifacts, and review recent administrator or API activity around Remote Access profile uploads. If an unexplained WAR deployment is present, treat the manager as potentially compromised rather than merely vulnerable.
References
- Cisco Security Advisory, Cisco Catalyst SD-WAN Manager Arbitrary File Write Vulnerability, published June 15, 2026.
- CISA Known Exploited Vulnerabilities catalog JSON, CVE-2026-20262 entry, catalog version 2026.06.15.
- CISA, Known Exploited Vulnerabilities Catalog.
- NVD, CVE-2026-20262 record.