
Cisco Catalyst SD-WAN Manager vulnerability (CVE-2026-20262) exploited in the wild

vulnerability | open | Jun 15, 2026 — Jun 15, 2026

On 15 June 2026 the Cybersecurity and Infrastructure Security Agency added CVE‑2026‑20262 to its Known Exploited Vulnerabilities catalogue after confirming that the flaw in Cisco’s Catalyst SD‑WAN Manager is being actively abused, according to the CISA KEV entry. The vulnerability is a directory traversal issue in the web‑based management interface that lets an authenticated remote attacker create or overwrite arbitrary files on the underlying filesystem. Successful exploitation requires valid credentials but can be carried out from anywhere the management interface is reachable. Cisco has urged customers to apply the available patch and to limit exposure of the affected service.

CVE‑2026‑20262 carries a CVSS v3.1 score of 6.5 and is described by Cisco as a path traversal flaw caused by insufficient validation of user‑supplied filenames during file upload operations, as detailed in the Cisco security advisory. An attacker who can log in to the SD‑WAN Manager portal can craft a request that includes directory traversal sequences such as ../ to write files outside the intended upload directory. The write operation runs with the privileges of the application process, which in many deployments operates with elevated rights that could lead to further system compromise. No authentication bypass is needed; the attacker must already possess a legitimate account.
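The class of flaw described above, shown as an added example that is not Cisco's code or patch: a naive upload path join beside a hardened resolver that validates the client-supplied filename and confirms containment after resolving symlinks. The function names, the `/srv/uploads` directory and the sample filenames are assumptions constructed for illustration.

```python
import os

class UnsafeFilename(ValueError):
    """Raised when a client-supplied filename could escape the upload root."""

def naive_target(upload_root, filename):
    # Flawed pattern: join and normalise with no containment check.
    # "../" climbs out of the root, and os.path.join discards the root
    # entirely when the filename is an absolute path.
    return os.path.normpath(os.path.join(upload_root, filename))

def safe_target(upload_root, filename):
    # 1. Accept a bare name only: no empty value, NUL byte, separator
    #    (either style) or dot component.
    if not filename or "\x00" in filename:
        raise UnsafeFilename("empty name or NUL byte")
    if "/" in filename or "\\" in filename or filename in (".", ".."):
        raise UnsafeFilename("path separators or dot components not allowed")
    # 2. Resolve symlinks on both sides, then require the result to stay
    #    under the root. This catches a link planted inside the upload
    #    directory that points somewhere else on the filesystem.
    root = os.path.realpath(upload_root)
    candidate = os.path.realpath(os.path.join(root, filename))
    if os.path.commonpath([root, candidate]) != root:
        raise UnsafeFilename("resolved path leaves the upload root")
    return candidate

def classify(upload_root, names):
    """Map each filename to 'ok' or 'rejected' under safe_target."""
    verdicts = {}
    for name in names:
        try:
            safe_target(upload_root, name)
            verdicts[name] = "ok"
        except UnsafeFilename:
            verdicts[name] = "rejected"
    return verdicts

if __name__ == "__main__":
    # Constructed sample filenames and a hypothetical upload directory.
    samples = ["report.csv", "../../etc/cron.d/x", "/etc/x", "..\\x"]
    for name in samples:
        print(repr(name), "naive ->", naive_target("/srv/uploads", name))
    print(classify("/srv/uploads", samples))
```
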

All deployment models of Catalyst SD‑WAN Manager are affected, including on‑premise appliances, cloud‑hosted instances and government‑specified editions. Versions prior to the fix released by Cisco lack the necessary input sanitisation, making them susceptible to the described abuse. Security researchers have observed indicators such as unexpected file creation in system directories and anomalous log entries tied to upload requests. The activity appears opportunistic rather than tied to a specific threat actor group.

The addition to the KEV catalogue highlights that the exploit is already in the wild and that defenders should treat it as an active threat. While no particular group has been linked to the attacks, the pattern matches common post‑credential abuse tactics seen in other recent intrusions. Organizations that rely on SD‑WAN for branch connectivity should review who has access to the management interface and ensure those accounts are protected with strong authentication. Network segmentation that isolates the management plane from untrusted networks can reduce the chance of successful exploitation.

Defenders should start by applying the security update that Cisco released for CVE‑2026‑20262, which adds proper validation to the file upload handler and removes the directory traversal possibility, as advised by security researchers. After patching, administrators ought to restrict internet‑facing access to the SD‑WAN Manager interface, allowing connections only from trusted management subnets. Enforcing multi‑factor authentication on all privileged accounts adds another barrier that limits the value of stolen credentials. Finally, reviewing audit logs for unusual file creation events or unexpected changes to system binaries can help detect any attempted abuse before it leads to impact.

Additional hardening steps include disabling any unused services on the manager host, applying the principle of least privilege to the application account and regularly reviewing user permissions. File integrity monitoring can alert administrators to unauthorized modifications that might indicate a successful exploit. Staying informed through Cisco’s security advisories and the CISA KEV feed ensures that administrators receive timely guidance on emerging threats related to their SD‑WAN deployment.

Intelligence briefing updated Jun 15, 2026

CVE-2026-20262 6.5 KEV
Root source: nvd.nist.gov