CISCO SD‑WAN Manager and LiteSpeed cPanel zero‑day flaws are under active attack, prompting CISA to insert both vulnerabilities into its Known Exploited Vulnerabilities catalogue. The flaws affect organisations that depend on the SD‑WAN management platform for branch connectivity and on shared hosting providers that use the LiteSpeed cPanel plugin. Prompt remediation is required to prevent further compromise.
The Cisco vulnerability, identified as CVE-2026-20262, carries a CVSS score of 6.5 and stems from an insufficient validation of user‑supplied input in HTTP requests to the SD‑WAN Manager web interface. An attacker can craft a request that creates or overwrites arbitrary files on the underlying operating system. If the attacker possesses valid administrative credentials, the written file can be leveraged to gain root privileges on the device Cisco advisory and NVD entry.
Exploitation of CVE-2026-20262 has been seen in the wild since early June 2026, with attackers using the file‑write capability to drop malicious scripts or modify configuration files. This step often precedes attempts to execute code with elevated rights, especially when default or reused credentials are present. Although no specific threat actor has been named, the activity matches the pattern of targeted intrusions against network infrastructure.
The LiteSpeed flaw, recorded as CVE-2026-54420, scores 8.5 on the CVSS scale and originates from a UNIX symbolic link weakness in the cPanel plugin. A low‑privileged user can create a symlink that points to a privileged file, causing the plugin to follow the link during routine operations and thereby modify or read files outside the intended directory. Successful abuse enables the user to escalate to root on the underlying server, putting all accounts on a shared host at risk LiteSpeed security update and CISA KEV for CVE‑2026‑54420.
Because the plugin runs with the privileges of the cPanel service, an attacker who gains control of a single hosting account can leverage the symlink to alter system files, install backdoors or harvest credentials from other users on the same server. The vulnerability has been exploited in the wild since mid‑June, and LiteSpeed advises immediate upgrade to version 2.4.8 or later to remove the risky symlink handling.
CISA added CVE‑2026‑20262 to the KEV catalogue on 15 June and CVE‑2026‑54420 shortly after, urging federal agencies to apply mitigations by 29 June. The SD‑WAN flaw marks the eighth Cisco zero‑day affecting the SD‑WAN product line observed this year, highlighting a persistent focus