Cisco Catalyst SD-WAN Manager Flaw Under Active Exploitation: Patch Immediately
A medium-severity vulnerability, **CVE-2026-20262**, in **Cisco Catalyst SD-WAN Manager** is being actively exploited in the wild. This flaw could allow authenticated remote attackers to create or overwrite files, potentially leading to root privilege escalation. **Cisco** has released security updates, and the U.S. Cybersecurity and Infrastructure Security Agency (**CISA**) has added it to its Known Exploited Vulnerabilities (**KEV**) catalog, urging immediate patching.
Networking giant **Cisco** has issued urgent security updates to address a medium-severity vulnerability, tracked as **CVE-2026-20262**, within its **Catalyst SD-WAN Manager** (formerly **SD-WAN vManage**). The flaw, which carries a CVSS score of 6.5 out of 10.0, is confirmed to be under active exploitation.
### The Vulnerability Explained
According to **Cisco**'s advisory, **CVE-2026-20262** resides in the web UI of **Cisco Catalyst SD-WAN Manager**. It enables an authenticated, remote attacker to create or overwrite any file on the filesystem of an affected system.
The root cause lies in insufficient validation of user-supplied input during a file upload process. By sending specially crafted HTTP requests to an affected API endpoint, an attacker with valid credentials and at least write access could exploit this behavior. Successful exploitation could potentially lead to a privilege escalation to root.
### Affected Products and Patches
The vulnerability impacts several **Cisco Catalyst SD-WAN Manager** products, irrespective of their deployment type:
* **Cisco Catalyst SD-WAN Manager On-Prem**
* **Cisco SD-WAN Cloud-Pro**
* **Cisco SD-WAN Cloud** (**Cisco** Managed)
* **Cisco SD-WAN for Government** (FedRAMP)
**Cisco** has released patches to mitigate the issue. Users are strongly advised to update to the following versions:
* **Cisco Catalyst SD-WAN Release 20.9.9.1** and earlier: Fixed in **20.9.9.2**
* **Cisco Catalyst SD-WAN Release 20.12.7.1** and earlier: Fixed in **20.12.7.2**
* **Cisco Catalyst SD-WAN Release 20.15.4.4** and earlier: Fixed in **20.15.4.5**
* **Cisco Catalyst SD-WAN Release 20.15.5.2** and earlier: Fixed in **20.15.5.3**
* **Cisco Catalyst SD-WAN Release 20.18.3**: Fixed in **20.18.3.1**
* **Cisco Catalyst SD-WAN Release 26.1.1.1** and earlier: Fixed in **26.1.1.2**
### Indicators of Compromise (IoCs)
**Cisco** became aware of limited exploitation in June 2026, discovered during internal security testing. The company has shared **IoCs** to help customers detect potential compromises. Organizations should audit `/var/log/nms/vmanage-server.log` for suspicious WAR file uploads, such as:
Further indicators include attempts to deploy and interact with malicious code, which may appear in other logs. These follow-on activities include:
* `/var/log/nms/vmanage-appserver.log`:
* `/var/log/nms/containers/service-proxy/serviceproxy-access.log`:
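The audit of `/var/log/nms/vmanage-server.log` for WAR file uploads can be scripted. The Python below is an added example, not Cisco tooling and not taken from the advisory. It collects every `.war` file name referenced in that log and its rotated copies. The rotation naming, the `allowlist` parameter and the sample lines are assumptions, and because the real log line format is not assumed, matching is on file names only.

```python
import gzip
import re
import sys
from collections import defaultdict
from pathlib import Path

LOG_DIR = Path("/var/log/nms")      # directory named in the article
LOG_GLOB = "vmanage-server.log*"    # assumption: rotated copies share this prefix
WAR_RE = re.compile(r"[\w.-]+\.war\b", re.IGNORECASE)

# Constructed lines for a self-check; these are not real vManage log output.
SAMPLE = [
    "constructed: upload received file=/tmp/Sample-App.war size=1024",
    "constructed: deprecation.warning emitted",
]

def war_names(line):
    """Return the lower-cased WAR file names mentioned in one log line."""
    return [m.group(0).lower() for m in WAR_RE.finditer(line)]

def open_log(path):
    """Open a plain or gzip-compressed log as text, tolerating bad bytes."""
    if path.suffix == ".gz":
        return gzip.open(path, "rt", errors="replace")
    return open(path, "rt", errors="replace")

def find_war_references(log_dir=LOG_DIR, allowlist=()):
    """Map each WAR name not in `allowlist` to its (file, line_no, line) hits.

    `allowlist` is a hypothetical operator-supplied set of WAR names that are
    expected on this system; everything else is returned for review.
    """
    allowed = {name.lower() for name in allowlist}
    hits = defaultdict(list)
    for path in sorted(Path(log_dir).glob(LOG_GLOB)):
        with open_log(path) as fh:
            for line_no, line in enumerate(fh, 1):
                for name in war_names(line):
                    if name not in allowed:
                        hits[name].append((path.name, line_no, line.rstrip()))
    return dict(hits)

if __name__ == "__main__":
    print("self-check on constructed lines:", [war_names(l) for l in SAMPLE])
    target = sys.argv[1] if len(sys.argv) > 1 else LOG_DIR
    for name, refs in sorted(find_war_references(target).items()):
        print(f"{name}: {len(refs)} reference(s)")
        for file, line_no, line in refs[:5]:
            print(f"  {file}:{line_no}: {line[:200]}")
```

Pass a directory as the first argument to run it against logs extracted from a device instead of the live path. Each reported name still needs to be compared against the indicators Cisco published.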
### A Growing Trend of Exploited SD-WAN Flaws
**CVE-2026-20262** marks the eighth security flaw impacting **Cisco SD-WAN** products to be actively exploited this year alone. Previous vulnerabilities include **CVE-2026-20245**, **CVE-2026-20182**, **CVE-2026-20127**, **CVE-2026-20122**, **CVE-2026-20128**, **CVE-2026-20133**, and **CVE-2022-20775**. The exploitation of some of these flaws has been attributed to an advanced persistent threat (**APT**) actor known as **UAT-8616**.
### CISA Mandates Patching
In response to the active exploitation, **CISA** has added **CVE-2026-20262** to its **Known Exploited Vulnerabilities** (**KEV**) catalog. This mandates that Federal Civilian Executive Branch (**FCEB**) agencies apply the necessary fixes by June 29, 2026. Given the active exploitation and the critical nature of network infrastructure, all organizations using affected **Cisco Catalyst SD-WAN Manager** versions should prioritize patching immediately.