CVE-2026-20262
Cisco · Catalyst SD-WAN Manager
Cisco Catalyst SD-WAN Manager contains an arbitrary file write vulnerability in its web UI, allowing authenticated remote attackers to escalate privileges to root.
Executive summary
This critical vulnerability is currently being exploited in the wild and allows an authenticated attacker to achieve full system compromise via arbitrary file writes.
Vulnerability
This is an arbitrary file write flaw resulting from insufficient input validation during file uploads in the web UI. An authenticated attacker with at least write access can overwrite critical system files to achieve root-level code execution.
Business impact
With a CVSS score of 9.5, this vulnerability represents a severe risk to organizational infrastructure. Successful exploitation allows an attacker to gain full control over the SD-WAN Manager, potentially impacting network-wide traffic, data confidentiality, and system integrity. Its inclusion in the CISA Known Exploited Vulnerabilities (KEV) catalog underscores the immediate necessity for remediation.
Remediation
Immediate Action: Upgrade to the patched versions: Cisco Catalyst SD-WAN Release 20.9.9.2, 20.12.7.2, 20.15.4.5, 20.15.5.3, 20.18.3.1, or 26.1.1.2.
Proactive Monitoring: Review system logs for unexpected files, particularly those named "suspicious.war," and for requests to unauthorized webpages.
Compensating Controls: Restrict access to the web UI to trusted management networks and implement strict role-based access control (RBAC) to minimize the number of users with write permissions.
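As an added example (not Cisco's code and not part of the original advisory), the following Python script triages an inventory of SD-WAN Manager versions against the fixed releases listed under Immediate Action. The hostnames and versions in the sample inventory are constructed, and the matching rule is an assumption: a build is treated as fixed only when it shares its first three version components with a listed release and is not older than it, so anything outside the listed lines is reported as unlisted rather than safe.

```python
# Added example: triage manager versions against the fixed releases on this page.
FIXED_RELEASES = ["20.9.9.2", "20.12.7.2", "20.15.4.5",
                  "20.15.5.3", "20.18.3.1", "26.1.1.2"]

def parse(version):
    """'20.15.4.5' -> (20, 15, 4, 5); shorter versions are zero-padded."""
    parts = [int(p) for p in version.strip().split(".")]
    if not 2 <= len(parts) <= 4:
        raise ValueError(f"unexpected version format: {version!r}")
    return tuple(parts + [0] * (4 - len(parts)))

FIXED = sorted(parse(v) for v in FIXED_RELEASES)

def fmt(v):
    return ".".join(str(n) for n in v)

def triage(version):
    """Return (status, target); status is 'fixed', 'upgrade' or 'unlisted'."""
    v = parse(version)
    # Assumption: only a build in the same maintenance line (first three
    # components) as a listed release, and not older than it, counts as fixed.
    for f in FIXED:
        if f[:3] == v[:3]:
            return ("fixed", None) if v >= f else ("upgrade", fmt(f))
    # Otherwise suggest the nearest newer listed release in the same train.
    newer = [f for f in FIXED if f[:2] == v[:2] and f > v]
    if newer:
        return ("upgrade", fmt(newer[0]))
    # Train or line not covered by the list: needs a manual check.
    return ("unlisted", None)

# Constructed sample inventory (hypothetical hostnames and versions).
INVENTORY = {
    "mgr-onprem-01": "20.9.8",
    "mgr-onprem-02": "20.15.5.0",
    "mgr-cloud-01": "20.15.4.6",
    "mgr-lab-01": "20.10.1",
}

def report(inventory):
    return {host: triage(ver) for host, ver in inventory.items()}

if __name__ == "__main__":
    for host, (status, target) in sorted(report(INVENTORY).items()):
        print(f"{host:15} {status:9} {target or '-'}")
```

Treat an `unlisted` result as unresolved and confirm the correct fixed release with the vendor before closing the finding.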
Exploitation status
Public Exploit Available: True
Analyst recommendation
Given that this vulnerability is actively exploited and carries a critical CVSS score, immediate patching is required. Organizations must prioritize upgrading all affected instances, including On-Prem, Cloud-Pro, and FedRAMP installations, to the specified fixed versions to neutralize this threat.