TP-EXP-2026-0323 CVE-2026-20262 medium Patched AI Draft

Cisco Catalyst SD-WAN Manager Arbitrary File Write (CVE-2026-20262)

CVE: CVE-2026-20262
Platform: Cisco Catalyst SD-WAN Manager
Type: Path Traversal
Severity: MEDIUM
Status: Patched
Zero-Day: Confirmed
Disclosed: June 15, 2026
Patched: June 15, 2026
CISA KEV: Listed

Severity Assessment

  • Exploitability: 6/10 - Exploitation is remote and low-complexity, but the attacker must already hold valid credentials: Cisco states at least write access is required, and NVD describes a lower-privileged, single-task user account as sufficient.
  • Impact: 7/10 - Successful exploitation can create or overwrite files on the underlying operating system, and Cisco states the written file could later be used to elevate to root.
  • Weaponization Risk: 7/10 - Cisco PSIRT reports limited exploitation in June 2026, and CISA added the vulnerability to the Known Exploited Vulnerabilities catalog on 2026-06-15.
  • Patch Urgency: 8/10 - CISA set a 2026-06-29 required action deadline for applicable federal systems, and Cisco states there are no workarounds.
  • Detection Coverage: 7/10 - Cisco provides log examples for suspicious Remote Access AnyConnect profile uploads that carry traversal sequences or write WAR files, and for the follow-on deployment of those files, while cautioning that some indicators must be checked against normal administrative activity.

Summary

CVE-2026-20262 is an authenticated path traversal and arbitrary file write vulnerability in Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage. Cisco attributes the flaw to insufficient validation of user-supplied input during a file upload process in the web UI. NVD records the vulnerability as CVSS 3.1 6.5 medium with network attack vector, low attack complexity, low privileges required, no user interaction, and high integrity impact.

The supported exploitation path is bounded by the credential requirement. Cisco states that exploitation requires valid credentials with at least write access, while NVD describes the prerequisite as at least a lower-privileged, single-task user account. An attacker who meets that prerequisite can send a crafted HTTP request to an affected API endpoint and create or overwrite files on the underlying operating system.

CISA added CVE-2026-20262 to the Known Exploited Vulnerabilities catalog on 2026-06-15 based on evidence of active exploitation. CISA lists known ransomware campaign use as unknown and requires applicable federal civilian executive branch systems to apply vendor-aligned mitigations by 2026-06-29.

Exploit Chain

Stage 1: Gain valid SD-WAN Manager credentials

Public sources reviewed for this entry do not identify an actor, credential source, or initial access vector. The known prerequisite is authenticated access: Cisco says the attacker needs valid credentials with at least write access, and NVD describes a lower-privileged single-task user account as sufficient.

Stage 2: Send a crafted HTTP request to the affected API endpoint

Cisco and NVD describe the vulnerable path as a file upload process in the Cisco Catalyst SD-WAN Manager web UI. Because the affected software does not properly validate user-supplied input, a crafted upload request can carry directory traversal sequences in the path it supplies, so the uploaded content is written outside the directory the upload was meant for.

Stage 3: Create or overwrite operating system files

Successful exploitation allows the attacker to create a file or overwrite any file on the filesystem of the affected system. Cisco notes that a written file could later be used to elevate to root, but the reviewed public sources do not identify a specific public exploit module, threat actor, or complete post-exploitation chain.
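The three stages above describe the class of bug, not Cisco's code, and the public sources give no endpoint or request format. The following is an added example that is not from the advisory or from Cisco: a minimal upload handler that joins a caller-supplied filename onto its upload directory without validation (the defect class named above), beside a hardened version that decodes, refuses rather than sanitises, restricts extensions, and proves the resolved path stays inside the upload root. The directory layout, the `.xml` allowlist, the filenames and the function names are assumptions made for the demonstration.

```python
"""Added illustration of the bug class behind CVE-2026-20262 (path traversal
in a file-upload handler). This is example code, not Cisco's. The upload
directory, the extension allowlist and the filenames are assumptions."""
import os
import tempfile
from urllib.parse import unquote

# Assumption for the demo: a profile-upload endpoint should only ever accept
# XML. The real endpoint's rules are not documented on this page.
ALLOWED_EXTENSIONS = {".xml"}


def vulnerable_save(upload_root: str, client_filename: str, data: bytes) -> str:
    """Deliberately vulnerable: trusts the client-supplied name, so a value
    such as '../webapps/dropped.war' escapes upload_root. Returns the
    canonical path the bytes actually landed on."""
    target = os.path.join(upload_root, client_filename)
    os.makedirs(os.path.dirname(target), exist_ok=True)
    with open(target, "wb") as fh:
        fh.write(data)
    return os.path.realpath(target)


def hardened_save(upload_root: str, client_filename: str, data: bytes) -> str:
    """Hardened: decode, reject rather than sanitise, then confine.
    Raises ValueError carrying the reason when the name is refused."""
    # Two rounds of percent-decoding so '%2e%2e%2f' and '%252e%252e%252f'
    # are judged on what they become, not on their encoded spelling.
    name = unquote(unquote(client_filename))
    if not name or "\x00" in name:
        raise ValueError("empty or NUL-containing filename")
    if "/" in name or "\\" in name or name in (".", ".."):
        raise ValueError("path separators not allowed")
    ext = os.path.splitext(name)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension {ext!r} not allowed")
    # Canonicalise both ends and prove containment. This also catches a
    # symlink planted inside upload_root that points somewhere else.
    root = os.path.realpath(upload_root)
    target = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, target]) != root:
        raise ValueError("resolved path escapes upload directory")
    with open(target, "wb") as fh:
        fh.write(data)
    return target


def demo() -> dict:
    """Exercise both handlers in a scratch directory. Returns, per case, the
    scratch-relative path where the bytes landed, or the refusal reason."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        scratch = os.path.realpath(tmp)
        uploads = os.path.join(scratch, "uploads")
        os.makedirs(uploads)

        def rel(path: str) -> str:  # scratch-relative, POSIX separators
            return os.path.relpath(path, scratch).replace(os.sep, "/")

        hostile = "../webapps/dropped.war"      # raw traversal
        encoded = "..%2fwebapps%2fdropped.war"  # percent-encoded traversal
        results["vuln_benign"] = rel(vulnerable_save(uploads, "profile.xml", b"<profile/>"))
        results["vuln_hostile"] = rel(vulnerable_save(uploads, hostile, b"PK\x03\x04"))
        for label, name in (("hard_benign", "profile.xml"), ("hard_hostile", hostile),
                            ("hard_encoded", encoded), ("hard_war", "dropped.war")):
            try:
                results[label] = rel(hardened_save(uploads, name, b"x"))
            except ValueError as err:
                results[label] = f"refused: {err}"
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:13s} {outcome}")
```

The vulnerable handler drops the hostile upload at webapps/dropped.war, one level above the upload directory, which is exactly the "create a file anywhere on the filesystem" outcome the advisory describes; the hardened handler refuses the raw and encoded traversal names on the separator check before any path is formed, and refuses a bare `dropped.war` on the extension allowlist, so the containment check is the last line of defence rather than the only one.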

Detection Guidance

  1. Identify Cisco Catalyst SD-WAN Manager deployments, including on-premises, Cisco SD-WAN Cloud-Pro, Cisco SD-WAN Cloud managed, and FedRAMP deployments, then compare installed releases with Cisco’s fixed software guidance.
  2. Prioritize systems with management ports exposed to the internet, because Cisco states exposed systems are at risk of compromise.
  3. Review vmanage-server.log under /var/log/nms for suspicious Remote Access AnyConnect profile uploads that contain traversal sequences or unexpected WAR file destinations.
  4. Review vmanage-appserver.log for unexpected deployment of WAR files and serviceproxy-access.log for follow-on requests that reach newly deployed artifacts.
  5. Validate log findings against expected administrative activity, because Cisco cautions that some indicators may overlap with standard operations.
  6. If suspicious activity is found, preserve relevant SD-WAN Manager logs and follow Cisco and CISA remediation guidance before treating patching alone as sufficient.

Indicators of Compromise

Cisco’s advisory provides log-oriented leads rather than static malware indicators. Defenders should investigate:

  • vmanage-server.log entries showing Remote Access AnyConnect profile uploads with traversal patterns or unexpected deployment paths.
  • Deployment log entries in vmanage-appserver.log for WAR files that do not match authorized administrative changes.
  • serviceproxy-access.log requests to newly deployed or suspicious WAR artifacts.
  • File creations or overwrites on Cisco Catalyst SD-WAN Manager systems near the June 2026 exploitation window.
  • Administrative activity from valid but unexpected lower-privileged accounts with write access.
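The detection steps and the log-oriented indicators above amount to a three-stage correlation: flag profile uploads whose name carries traversal sequences or whose destination is a WAR file or lies outside the profile directory, link those to WAR deployments in the appserver log, then look in the proxy access log for requests that reach the context path of the deployed archive. The script below is an added example of that correlation, not Cisco's tooling. The page does not reproduce the real format of vmanage-server.log, vmanage-appserver.log or serviceproxy-access.log, so the three log excerpts, the field names, the profile directory `/opt/data/remoteaccess/profiles` and the webapps path are constructed assumptions; the regular expressions must be re-fitted to the real files before use.

```python
"""Added detection example for the Cisco log leads (not Cisco's tooling).
The log excerpts, field layouts and directory paths below are CONSTRUCTED
for the demo; refit the regexes to the real vmanage log formats."""
import json
import posixpath
import re
from urllib.parse import unquote

# Assumed location where legitimate Remote Access AnyConnect profiles land.
EXPECTED_PROFILE_DIR = "/opt/data/remoteaccess/profiles"

# Constructed sample of vmanage-server.log (assumed field layout).
SERVER_LOG = """\
2026-06-14 03:12:41 INFO RemoteAccessProfileUpload user=admin file=corp-anyconnect.xml dest=/opt/data/remoteaccess/profiles/corp-anyconnect.xml
2026-06-14 03:19:07 INFO RemoteAccessProfileUpload user=vpn-task-user file=..%2F..%2F..%2Fopt%2Fweb-app%2Fwebapps%2Fsync.war dest=/opt/web-app/webapps/sync.war
2026-06-14 03:20:55 INFO RemoteAccessProfileUpload user=netops file=site-b.xml dest=/opt/data/remoteaccess/profiles/site-b.xml
"""
# Constructed sample of vmanage-appserver.log (assumed Tomcat-style wording).
APPSERVER_LOG = """\
2026-06-14 03:19:09 INFO Deploying web application archive /opt/web-app/webapps/sync.war
2026-06-14 03:19:10 INFO Deployment of web application archive /opt/web-app/webapps/sync.war has finished
"""
# Constructed sample of serviceproxy-access.log (assumed combined-log style).
PROXY_LOG = """\
10.0.0.5 - - [14/Jun/2026:03:21:40 +0000] "GET /sync/index.jsp HTTP/1.1" 200 57
10.0.0.9 - - [14/Jun/2026:03:21:41 +0000] "GET /dataservice/device HTTP/1.1" 200 8812
"""

UPLOAD_RE = re.compile(r"RemoteAccessProfileUpload\s+user=(?P<user>\S+)\s+file=(?P<file>\S+)\s+dest=(?P<dest>\S+)")
# '..' followed by a separator, whether raw, percent-encoded or double-encoded.
TRAVERSAL_RE = re.compile(r"(\.\.|%2e%2e|%252e%252e)(/|\\|%2f|%5c|%252f)", re.IGNORECASE)
DEPLOY_RE = re.compile(r"Deploying web application archive (?P<war>\S+\.war)")
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/')


def is_traversal(name: str) -> bool:
    """True if the name carries a traversal sequence in raw or decoded form."""
    return bool(TRAVERSAL_RE.search(name) or TRAVERSAL_RE.search(unquote(unquote(name))))


def suspicious_uploads(server_log: str, expected_dir: str = EXPECTED_PROFILE_DIR) -> list:
    """Lead 1: profile uploads with traversal in the filename, a destination
    outside the profile directory, or a WAR file as destination."""
    prefix = expected_dir.rstrip("/") + "/"
    findings = []
    for line in server_log.splitlines():
        m = UPLOAD_RE.search(line)
        if not m:
            continue
        reasons = []
        if is_traversal(m["file"]):
            reasons.append("traversal sequence in filename")
        if not m["dest"].startswith(prefix):
            reasons.append("destination outside profile directory")
        if m["dest"].lower().endswith(".war"):
            reasons.append("WAR file destination")
        if reasons:
            findings.append({"user": m["user"], "file": m["file"], "dest": m["dest"], "reasons": reasons})
    return findings


def war_deployments(appserver_log: str, suspicious_wars: set) -> list:
    """Lead 2: every WAR deployment, marked with whether it is a file a
    suspicious upload wrote. Unlinked deployments still need checking
    against authorised change records, per Cisco's caveat."""
    out = []
    for line in appserver_log.splitlines():
        m = DEPLOY_RE.search(line)
        if m:
            out.append({"war": m["war"], "linked_to_suspicious_upload": m["war"] in suspicious_wars})
    return out


def followon_requests(proxy_log: str, wars: set) -> list:
    """Lead 3: proxied requests reaching the context path a deployed WAR is
    served under (/<name>/... for <name>.war)."""
    contexts = {"/" + posixpath.basename(w)[:-len(".war")] for w in wars}
    hits = []
    for line in proxy_log.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0]
        if any(path == c or path.startswith(c + "/") for c in contexts):
            hits.append(f"{m['method']} {m['path']}")
    return hits


def analyze(server_log: str, appserver_log: str, proxy_log: str,
            expected_dir: str = EXPECTED_PROFILE_DIR) -> dict:
    """Correlate the three leads into one report."""
    uploads = suspicious_uploads(server_log, expected_dir)
    wars = {u["dest"] for u in uploads if u["dest"].lower().endswith(".war")}
    deployments = war_deployments(appserver_log, wars)
    deployed = {d["war"] for d in deployments if d["linked_to_suspicious_upload"]}
    return {"suspicious_uploads": uploads, "war_deployments": deployments,
            "followon_requests": followon_requests(proxy_log, wars | deployed)}


if __name__ == "__main__":
    print(json.dumps(analyze(SERVER_LOG, APPSERVER_LOG, PROXY_LOG), indent=2))
```

On the constructed input the report names one upload (a single-task account writing `sync.war` into the webapps directory via a percent-encoded traversal), the matching deployment, and the one proxied request that reached `/sync/`. The traversal check matches the encoded spelling and the decoded form separately so that a filename which was logged already-decoded and one logged verbatim from the request both trigger; a WAR deployment with no linked upload is still reported, because Cisco's guidance is to compare it with authorised changes rather than to ignore it.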

Disclosure Timeline

  • 2026-06-15: Cisco advisory published - Cisco published advisory cisco-sa-sdwan-arbfw-c2rZvQ for CVE-2026-20262 with CVSS 3.1 score 6.5 medium.
  • 2026-06-15: NVD entry published - NVD published and analyzed CVE-2026-20262, recording the Cisco PSIRT description, CVSS vector, affected CPE ranges, and CISA KEV fields.
  • 2026-06-15: CISA KEV addition - CISA added CVE-2026-20262 to the Known Exploited Vulnerabilities catalog.
  • 2026-06-15: Cisco advisory updated - Cisco updated the advisory to version 1.1, specifying the write-access privilege requirement and adding context to the indicators of compromise.
  • 2026-06-29: CISA remediation deadline - CISA lists 2026-06-29 as the required action deadline for applicable federal civilian executive branch systems.

Sources & References