Cisco
Catalyst SD-WAN Manager
Cisco Catalyst SD-WAN Manager contains an arbitrary file write vulnerability in its web UI, allowing authenticated remote attackers to escalate privil...
2026-06-16
Description
Cisco Catalyst SD-WAN Manager contains an arbitrary file write vulnerability in its web UI, allowing authenticated remote attackers to escalate privileges to root.
AI Analyst Comment
Remediation
FEDERAL DEADLINE: June 28, 2026 (13 days). Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines. FEDERAL DEADLINE: June 28, 2026 (13 days). Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.
CISA KEV Details
Deadline: June 28, 2026
Required Action: Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.
---METADATA---
VENDOR: Cisco
PRODUCT: Catalyst SD-WAN Manager
AFFECTED_VERSIONS: Release 20.9.9.1 and earlier, 20.12.7.1 and earlier, 20.15.4.4 and earlier, 20.15.5.2 and earlier, 20.18.3, and 26.1.1.1 and earlier.
---END_METADATA---
Description Summary:
Cisco Catalyst SD-WAN Manager contains an arbitrary file write vulnerability in its web UI, allowing authenticated remote attackers to escalate privileges to root.
Executive Summary:
This critical vulnerability is currently being exploited in the wild and allows an authenticated attacker to achieve full system compromise via arbitrary file writes.
Vulnerability Details
CVE-ID: CVE-2026-20262
Affected Software: Cisco Catalyst SD-WAN Manager
Affected Versions: Cisco Catalyst SD-WAN Manager Release 20.9.9.1 and earlier, 20.12.7.1 and earlier, 20.15.4.4 and earlier, 20.15.5.2 and earlier, 20.18.3, and 26.1.1.1 and earlier.
Vulnerability: This is an arbitrary file write flaw resulting from insufficient input validation during file uploads in the web UI. An authenticated attacker with at least write access can overwrite critical system files to achieve root-level code execution.
Business Impact
With a CVSS score of 9.5, this vulnerability represents a severe risk to organizational infrastructure. Successful exploitation allows an attacker to gain full control over the SD-WAN Manager, potentially impacting network-wide traffic, data confidentiality, and system integrity. Its inclusion in the CISA Known Exploited Vulnerabilities (KEV) catalog underscores the immediate necessity for remediation.
Remediation Plan
Immediate Action: Upgrade to the patched versions: Cisco Catalyst SD-WAN Release 20.9.9.2, 20.12.7.2, 20.15.4.5, 20.15.5.3, 20.18.3.1, or 26.1.1.2.
Proactive Monitoring: Review system logs for the presence of unexpected files, particularly those named "suspicious.war," or requests to unauthorized webpages.
Compensating Controls: Restrict access to the web UI to trusted management networks and implement strict role-based access control (RBAC) to minimize the number of users with write permissions.
Exploitation Status
Public Exploit Available: True
Analyst Notes: As of June 14, 2026, confirmed active exploitation has been observed in the wild. Attackers have been seen uploading malicious files to gain unauthorized access.
Analyst Recommendation
Given that this vulnerability is actively exploited and carries a critical CVSS score, immediate patching is required. Organizations must prioritize upgrading all affected instances, including On-Prem, Cloud-Pro, and FedRAMP installations, to the specified fixed versions to neutralize this threat.