Cisco Catalyst SD-WAN Manager actively exploited file upload overwrite flaw (CVE-2026-20262)

Vulnerability
H score 24 · 1 unique source, 1 article

Summary

Cisco Catalyst SD-WAN Manager was patched for CVE-2026-20262 after attackers used it to create or overwrite files and escalate to root across all deployment types. The flaw affected on-prem, Cloud-Pro, Cloud (Managed), and Government deployments. Cisco tied the issue to the web UI and an affected API endpoint that accepted crafted HTTP requests. Cisco also shared IOCs for index.jsp and .war upload attempts so administrators can hunt for compromise.

Related Happenings

Cisco Catalyst SD-WAN Manager root privilege escalation flaw (CVE-2026-20245)

Vulnerability
H score 60 · First: 05.06.2026 09:24 · Last: 05.06.2026 09:24 · Sources: 1

About this happening: **CVE-2026-20245** in **Cisco Catalyst SD-WAN Manager** is an **actively exploited** **high-severity** vulnerability that can let an **authenticated local attacker** with **netadm...

Latest development: 06.06.2026 07:19

Cisco warned that CVE-2026-20245 in Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, is under active exploitation and can let an authenticated local attacker with netadmin privileges upload a crafted file to execute arbitrary commands as root. Cisco said the flaw affects On-Prem Deployment, Cisco SD-WAN Cloud-Pro, Cisco SD-WAN Cloud (Cisco Managed), and Cisco SD-WAN for Government (FedRAMP), that limited exploitation has already resulted in configuration changes pushed to edge devices, and that no patches or mitigations are currently available. Cisco also advised checking /var/log/scripts.log for indicators of compromise and credited Google Mandiant researchers Chester Sng, Pete Boonyakarn, and Logeswaran Nadarajan with discovering and reporting the issue.

Cisco Secure Workload REST API validation/authentication flaw (CVE-2026-20223)

Vulnerability
H score 49 · First: 21.05.2026 15:04 · Last: 21.05.2026 15:04 · Sources: 1

About this happening: **Cisco Secure Workload Cluster Software** was patched for **CVE-2026-20223**, a **critical** REST API flaw that could let attackers gain **Site Admin privileges** and cross tenan...

Cisco Catalyst SD-WAN authentication bypass flaw actively exploited (CVE-2026-20182)

Vulnerability
H score 60 · First: 14.05.2026 23:09 · Last: 14.05.2026 23:09 · Sources: 1

About this happening: **CVE-2026-20182** is an actively exploited **authentication bypass** in **Cisco Catalyst SD-WAN Controller** and **Cisco Catalyst SD-WAN Manager**, creating a path to **administr...

Latest development: 14.05.2026 23:25

Cisco released a patch for CVE-2026-20182, giving organizations using Cisco Catalyst SD-WAN Controllers a way to block the authentication bypass before UAT-8616 can continue using it for administrative access, SSH key insertion, NETCONF changes, and root escalation.

Cisco Catalyst SD-WAN Manager information disclosure vulnerability (CVE-2026-20133)

Vulnerability
H score 27 · First: 21.04.2026 15:30 · Last: 21.04.2026 15:30 · Sources: 1

About this happening: CISA moved **CVE-2026-20133** in **Cisco Catalyst SD-WAN Manager** into its **KEV Catalog**, signaling **active exploitation** against **unpatched devices** and forcing **FCEB age...

Cisco Catalyst SD-WAN active exploitation wave

Exploitation Wave
H score 64 · First: 05.03.2026 14:15 · Last: 05.03.2026 14:15 · Sources: 1

About this happening: **Cisco** confirmed **active exploitation** of **two recently patched Catalyst SD-WAN vulnerabilities**, creating immediate risk for exposed systems that have not been fully remed...

Timeline

  1. 15.06.2026 20:12 2 articles · 1h ago

    Cisco releases fixes for exploited Catalyst SD-WAN Manager file upload flaw

    Initial Disclosure

    Cisco released security updates for CVE-2026-20262 in Catalyst SD-WAN Manager, formerly SD-WAN vManage, after PSIRT became aware of exploitation earlier this month. The flaw affects all deployment types, including on-prem deployments, Cisco SD-WAN Cloud-Pro, Cisco SD-WAN Cloud (Cisco Managed), and Cisco SD-WAN for Government (FedRAMP), and an authenticated remote attacker could use crafted HTTP requests to an affected API endpoint to create or overwrite files and later elevate to root. Cisco also advised administrators to patch to the fixed releases and inspect vmanage-server, vmanage-appserver, and serviceproxy-access logs for index.jsp and .war upload attempts.
