Cisco SD-WAN Under Fire: Exploited Path Traversal Bug Enables Root-Level Access

CVE-2026-20262: Cisco SD-WAN Path Traversal | Threat Advisory TA2026168
HiveForce Labs  ·  Threat Advisory  ·  Vulnerability Report  


CVE-2026-20262 is a critical path traversal (CWE-22) vulnerability in Cisco Catalyst SD-WAN Manager that allows remote attackers to write arbitrary files anywhere on the underlying operating system via a crafted file upload request. Cisco confirms active exploitation in limited attacks observed June 11, 2026. The arbitrary file write can be chained to escalate privileges to root, enabling complete appliance takeover. The flaw was exploited as a zero-day and is listed in the CISA KEV catalog. No workarounds exist — patching is the only remediation.

⚠ Threat Level: RED  ·  CVE-2026-20262  ·  Zero-Day: Yes  ·  CISA KEV: Yes  ·  Path Traversal (CWE-22)  ·  Arbitrary File Write → Root  ·  Actively Exploited: June 11, 2026  ·  No Workarounds  ·  Patch Available  ·  Product: Cisco Catalyst SD-WAN Manager (all deployment models)  ·  Fixed Releases: 20.9.9.2 / 20.12.7.2 / 20.15.4.5 / 20.15.5.3 / 20.18.3.1 / 26.1.1.2  ·  Published: June 16, 2026
CVE ID: CVE-2026-20262
TA Number: TA2026168
Threat Level: Red
Zero-Day: Yes
CISA KEV: Yes
CWE: CWE-22 Path Traversal
First Exploited: June 11, 2026
Workarounds: None — patch only
Admiralty Code: A1

01 — Overview

Summary

CVE-2026-20262 is a critical path traversal vulnerability in the web-based management interface of Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage), classified under CWE-22. The flaw stems from improper validation of user-supplied input during file upload, allowing an attacker with a valid low-privilege account to manipulate file paths and bypass directory restrictions, enabling unauthorized file write operations anywhere on the underlying operating system.

The arbitrary file write capability serves as a stepping stone for privilege escalation to root, enabling complete administrative control over the appliance. Cisco has confirmed active exploitation in limited attacks first observed June 11, 2026, though no specific threat actor or malware campaign has been publicly attributed. The vulnerability affects all deployment models — on-premises, Cisco SD-WAN Cloud-Pro, Cisco SD-WAN Cloud (Cisco Managed), and Cisco SD-WAN for Government (FedRAMP) — across multiple release trains through the 26.1.x series.

Cisco has confirmed there are no workarounds. Patching is the only effective remediation. Fixed releases are available now.


02 — CVE Reference

CVE Details

CVE ID: CVE-2026-20262
Vulnerability Name: Cisco Catalyst SD-WAN Manager Directory or Path Traversal Vulnerability
Affected Products: Cisco Catalyst SD-WAN Manager 20.9.9.1 and earlier · 20.12.7.1 and earlier · 20.15.4.4 and earlier · 20.15.5.2 and earlier · 20.18.3 · 26.1.1.1 and earlier
Affected CPE: cpe:2.3:a:cisco:catalyst_sdwan_manager:*:*:*:*:*:*:*:*
CWE: CWE-22
Zero-Day: Yes
CISA KEV: Yes
Patch: Yes

03 — Technical Analysis

Vulnerability Details

#1
Root Cause — CWE-22 Path Traversal in File Upload API Endpoint
CVE-2026-20262 is a critical CWE-22 arbitrary file write vulnerability in Cisco Catalyst SD-WAN Manager's web-based management interface. The flaw stems from insufficient input validation during file upload — an attacker can manipulate file paths in a crafted HTTP request to bypass directory restrictions and write files outside the designated upload directory, reaching any location on the underlying operating system.
#2
Exploitation — Crafted HTTP Upload Request, Low-Privilege Account Required
By sending a specially crafted HTTP request to an affected API endpoint, a remote attacker with a valid low-privilege or single-task SD-WAN Manager account can exploit the path traversal weakness to create new files or overwrite existing ones anywhere on the OS. Exploitation requires access to a reachable management API endpoint and a low-privilege account — it does not require administrative credentials.
#3
Impact — Privilege Escalation to Root, Complete Appliance Takeover
Cisco confirms the arbitrary file write capability serves as a stepping stone for full system compromise. A maliciously written file can be leveraged to escalate privileges to root, granting an attacker complete administrative control over the appliance. This transforms a file-write vulnerability into a pathway for complete device takeover — applicable across all deployment models including on-premises, Cloud-Pro, Cisco Managed, and FedRAMP environments.
#4
Exploitation Confirmed — Active Attacks June 2026, No Actor Attribution
Cisco confirmed active exploitation in limited attacks with telemetry dated June 11, 2026. All deployment models and multiple software release trains through the 26.1.x series are affected. No specific threat actor or malware campaign has been publicly attributed. Cisco has stated there are no workarounds — patching to a fixed release is the only effective remediation. Log-based indicators of compromise are published in Cisco's security advisory.
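The root cause described in #1 and #2 is the classic CWE-22 upload pattern: a client-supplied file name is joined to the upload directory without confirming the result stays inside it. The Python below is an added illustration and is not Cisco's code: the unchecked join beside a hardened version that rejects anything other than a bare file name and then verifies containment. The upload root /var/tmp/uploads and the file names are constructed.

```python
"""Added example (not Cisco's code): the CWE-22 upload pattern behind
CVE-2026-20262, shown as an unsafe path join beside a hardened one.
Upload root and file names are constructed for illustration."""
import posixpath

UPLOAD_ROOT = "/var/tmp/uploads"  # assumed upload directory (illustrative)


def unsafe_upload_path(filename, root=UPLOAD_ROOT):
    """Vulnerable pattern: the client-controlled name is joined to the root
    and never checked.  '..' components climb out of the root and an absolute
    name discards it entirely; normpath shows where the write would land."""
    return posixpath.normpath(posixpath.join(root, filename))


def safe_upload_path(filename, root=UPLOAD_ROOT):
    """Hardened pattern: accept only a single path component, then confirm the
    normalised result still lies under the root.  Raises ValueError otherwise."""
    name = filename.replace("\\", "/")
    # A file name must be one component: no separators, no '.'/'..', and no
    # NUL byte (which truncates the path in C-based filesystem APIs).
    if not name or "/" in name or "\x00" in name or name in (".", ".."):
        raise ValueError(f"rejected upload name: {filename!r}")
    root_norm = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root_norm, name))
    # Defence in depth: keep the containment check even though the component
    # check above already rules out traversal.
    if posixpath.commonpath([root_norm, candidate]) != root_norm:
        raise ValueError(f"upload path escapes {root_norm}: {filename!r}")
    return candidate


def check_upload_name(filename, root=UPLOAD_ROOT):
    """Verdict for the handler and for audit logging: where the file would be
    written, or why the name was rejected."""
    try:
        return {"allowed": True, "target": safe_upload_path(filename, root), "reason": ""}
    except ValueError as exc:
        return {"allowed": False, "target": None, "reason": str(exc)}
```

Rejecting and logging a bad name, rather than silently stripping it to its basename, gives the SOC a signal that someone probed the endpoint.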

04 — Fixed Versions

Patch Details

Upgrade Cisco Catalyst SD-WAN Manager to the first fixed release for your software train immediately. There are no workarounds.

Vulnerable Release Train    First Fixed Release
20.9.9.1 and earlier        20.9.9.2
20.12.7.1 and earlier       20.12.7.2
20.15.4.4 and earlier       20.15.4.5
20.15.5.2 and earlier       20.15.5.3
20.18.3                     20.18.3.1
26.1.1.1 and earlier        26.1.1.2

05 — Mitigations

Recommendations

01
Apply Cisco Fixed Software Immediately — No Workarounds Exist
Upgrade to the first fixed release for your train without delay: 20.9.9.2, 20.12.7.2, 20.15.4.5, 20.15.5.3, 20.18.3.1, or 26.1.1.2. Cisco has confirmed exploitation in the wild and stated there are no workarounds, and the vulnerability has been added to the CISA KEV catalog for mandatory remediation tracking. Patching is the only effective remediation.
02
Restrict Management-Plane Exposure — Remove Internet Reachability
Ensure SD-WAN Manager is not reachable from the public internet. Exploitation requires a valid low-privilege account and a reachable API endpoint. Limiting network exposure to trusted management networks and enforcing strict access controls materially reduces the attack surface while patching is completed.
03
Review and Harden Account Access — Audit Low-Privilege Accounts
Audit all SD-WAN Manager user accounts, including lower-privileged and single-task accounts — the exact account types exploitable by this vulnerability. Remove unused or unrecognized accounts, rotate credentials where compromise is suspected, and enforce strong authentication and least-privilege practices for all management-plane access.
04
Hunt for Indicators of Compromise — Review SD-WAN Manager Logs
Audit vmanage-server.log and vmanage-appserver.log (under /var/log/nms) for unexpected file uploads or WAR deployments into the WildFly standalone deployments directory. Review serviceproxy-access.log (under /var/log/nms/containers/service-proxy/) for HTTP POST requests to unrecognized JSP endpoints. If suspicious entries are found, open a TAC case and provide the output of the request admin-tech command for Cisco review.
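To operationalise recommendation 04, here is an added Python hunt (not Cisco tooling) over the two log sources named above. The deployment match relies on WildFly's default standalone/deployments layout; the log line formats, the /opt paths and the sample entries are constructed, so adjust the regular expressions to the real appliance output before use.

```python
import re

# Log files named in the advisory; feed their lines to the two functions below.
APPSERVER_LOGS = ("/var/log/nms/vmanage-server.log", "/var/log/nms/vmanage-appserver.log")
ACCESS_LOG = "/var/log/nms/containers/service-proxy/serviceproxy-access.log"

# WildFly's default hot-deploy directory ends in standalone/deployments.
DEPLOY_DIR_RE = re.compile(r"standalone/deployments", re.I)
WAR_RE = re.compile(r"[\w.\-]+\.war\b", re.I)
# Assumed Apache-style request line in the access log (constructed format).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def find_war_deployments(lines):
    """WAR archives mentioned on the same line as the WildFly deployments directory."""
    hits = []
    for ln in lines:
        war = WAR_RE.search(ln)
        if war and DEPLOY_DIR_RE.search(ln):
            hits.append(war.group(0))
    return hits


def find_unknown_jsp_posts(lines, known_jsp=frozenset()):
    """POST requests to .jsp paths absent from the operator's known-good list.
    Build known_jsp from a clean baseline; an empty set flags every JSP POST."""
    hits = []
    for ln in lines:
        req = REQUEST_RE.search(ln)
        if not req:
            continue
        path = req.group("path").split("?", 1)[0]  # drop the query string
        if req.group("method") == "POST" and path.lower().endswith(".jsp") and path not in known_jsp:
            hits.append(path)
    return hits


# Constructed sample lines, not real Cisco output.
SAMPLE_APPSERVER = [
    "2026-06-11 03:12:58,004 INFO  [upload] stored /opt/data/uploads/config-backup.tar.gz",
    "2026-06-11 03:14:07,122 INFO  [scanner] found cfg.war in /opt/wildfly/standalone/deployments",
    "2026-06-11 03:14:09,310 INFO  [deployment] deployed cfg.war",
]
SAMPLE_ACCESS = [
    '10.0.0.5 - - [11/Jun/2026:03:12:55 +0000] "POST /app/upload HTTP/1.1" 200 512',
    '10.0.0.5 - - [11/Jun/2026:03:14:09 +0000] "POST /cfg/status.jsp HTTP/1.1" 200 88',
    '10.0.0.7 - - [11/Jun/2026:03:15:00 +0000] "GET /app/home.jsp HTTP/1.1" 200 4021',
    '10.0.0.7 - - [11/Jun/2026:03:15:01 +0000] "POST /app/home.jsp?tab=2 HTTP/1.1" 200 4021',
]
```

Correlating a WAR hit in the appserver log with a JSP POST a few seconds later in the access log, as the samples show, is the pattern worth escalating to TAC.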

06 — MITRE ATT&CK Framework

MITRE ATT&CK TTPs

Tactic · Technique · Sub-technique & Notes
Initial Access · T1190 Exploit Public-Facing Application · Crafted HTTP file upload request exploits path traversal in the SD-WAN Manager API endpoint to write arbitrary files
Initial Access · T1078 Valid Accounts · Exploitation requires a valid low-privilege or single-task SD-WAN Manager account; these account types are the direct exploitation vector
Persistence · T1505 Server Software Component · Maliciously written files deployed to the WildFly standalone deployments directory (WAR files, JSP endpoints) to establish persistent server-side access
Resource Development · T1588 Obtain Capabilities · T1588.006 Vulnerabilities: CVE-2026-20262 zero-day exploited in limited attacks observed June 11, 2026; no public PoC attribution noted in the advisory

07 — Patch Resource & Sources

Patch Link & References