Cisco Patches Critical SD-WAN Zero-Day Exploited for Root Privilege Escalation
Cisco has released urgent security updates for its **Catalyst SD-WAN Manager** to address a critical zero-day vulnerability, **CVE-2026-20262**, actively exploited in the wild. This flaw allowed attackers to escalate privileges to root, posing a significant risk to network infrastructure. IT security professionals are strongly advised to patch their systems immediately.

**Cisco** has issued security updates to mitigate a severe vulnerability in its **Catalyst SD-WAN Manager**, identified as **CVE-2026-20262**. This zero-day flaw was actively exploited to achieve root privilege escalation on affected systems.
### The Vulnerability Explained
**Catalyst SD-WAN Manager**, formerly known as **SD-WAN vManage**, is a crucial network management platform that enables administrators to oversee up to 6,000 **SD-WAN** devices from a unified dashboard. The now-patched vulnerability impacts all deployment types, including on-premise, **Cisco SD-WAN Cloud-Pro**, **Cisco SD-WAN Cloud (Cisco Managed)**, and **Cisco SD-WAN for Government (FedRAMP)**, irrespective of specific device configurations.
According to **Cisco**, the root cause lies in insufficient validation of user-supplied input during file uploads. This oversight allowed low-privilege remote attackers to execute arbitrary commands with root privileges by sending specially crafted HTTP requests to a vulnerable API endpoint.
In its official advisory, **Cisco** stated, "A vulnerability in the web UI of **Cisco Catalyst SD-WAN Manager**, formerly **SD-WAN vManage**, could allow an authenticated, remote attacker to create a file or overwrite any file on the filesystem of an affected system." The company further elaborated that a successful exploit could lead to the creation or overwriting of files on the underlying operating system, which could then be leveraged for root privilege escalation.
### Active Exploitation and Urgent Recommendations
**Cisco's Product Security Incident Response Team (PSIRT)** became aware of active exploitation of **CVE-2026-20262** earlier this month. Given the confirmed in-the-wild attacks, **Cisco** is strongly urging customers to apply the available patches without delay.

| Cisco Catalyst SD-WAN Release | First Fixed Release |
| :---------------------------- | :------------------ |
| 20.9.9.1 and earlier | 20.9.9.2 |
| 20.12.7.1 and earlier | 20.12.7.2 |
| 20.15.4.4 and earlier | 20.15.4.5 |
| 20.15.5.2 and earlier | 20.15.5.3 |
| 20.18.3 | 20.18.3.1 |
| 26.1.1.1 and earlier | 26.1.1.2 |

While specific details regarding the attacks remain undisclosed, **Cisco** has provided Indicators of Compromise (IOCs). Administrators are advised to inspect their SD-WAN `vmanage-server`, `vmanage-appserver`, and `serviceproxy-access` logs for any attempts to upload `index.jsp` and `.war` files.
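One way to run that log check, as an added example that is not from Cisco's advisory or the original article: it flags `index.jsp` and `.war` filenames, including percent-encoded ones. The sample log lines, their format and the `/example/upload` path are constructed assumptions.

```python
import re
import sys
from pathlib import Path
from urllib.parse import unquote

# index.jsp, or any name ending in .war; the boundaries keep words such as
# "warning" or "foo.warn" from matching.
IOC_RE = re.compile(r"(?<![\w.-])(index\.jsp|[\w.-]+\.war)(?![\w-])", re.I)

def decode(line, rounds=3):
    """Undo up to `rounds` layers of percent-encoding (%252E -> %2E -> .)."""
    for _ in range(rounds):
        nxt = unquote(line)
        if nxt == line:
            break
        line = nxt
    return line

def scan(lines_by_log):
    """Return (log_name, line_number, filename) for each IOC filename found."""
    hits = []
    for log, lines in lines_by_log.items():
        for n, raw in enumerate(lines, 1):
            for m in IOC_RE.finditer(decode(raw)):
                hits.append((log, n, m.group(1).lower()))
    return hits

# Constructed sample lines: the formats and the /example/upload path are
# assumptions, not real SD-WAN Manager log output.
SAMPLE = {
    "vmanage-server": [
        "2026-01-01 10:00:01 INFO upload accepted name=report.csv user=ops1",
        "2026-01-01 10:00:07 WARN upload rejected name=Index.JSP user=ops2",
    ],
    "serviceproxy-access": [
        '198.51.100.7 "POST /example/upload?file=app%252Ewar HTTP/1.1" 200',
        '198.51.100.7 "GET /example/software/warning.html HTTP/1.1" 200',
    ],
}

if __name__ == "__main__":
    if sys.argv[1:]:  # scan the log files given as arguments
        data = {p: Path(p).read_text(errors="replace").splitlines()
                for p in sys.argv[1:]}
    else:
        data = SAMPLE
    for log, n, name in scan(data):
        print(f"{log}:{n}: IOC filename {name}")
```

The scan matches any mention of these filenames, not only uploads, so each hit is a lead to review against the surrounding log context.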
### A Pattern of Exploited SD-WAN Flaws
This incident is not isolated. **Cisco's Catalyst SD-WAN Manager** has been a recurring target for attackers. In February, **Cisco** patched **CVE-2026-20133**, an information disclosure flaw in the same product, which was later confirmed to have been actively exploited since late April. Just two weeks after that, two more flaws, **CVE-2026-20128** and **CVE-2026-20122**, were also flagged as exploited in the wild.
Last month, a maximum-severity authentication-bypass flaw, **CVE-2026-20182**, affecting **Cisco Catalyst SD-WAN Controller**, was also identified as a zero-day actively exploited to gain administrative privileges. More recently, in early June, **Cisco** warned of yet another unpatched **Catalyst SD-WAN Manager** zero-day, **CVE-2026-20245**, which was also exploited to achieve root privileges.
The **Cybersecurity and Infrastructure Security Agency (CISA)** has cataloged 91 **Cisco** vulnerabilities as actively exploited, with five specifically targeting **Cisco Catalyst SD-WAN Manager** and six others implicated in ransomware attacks. This highlights the critical importance of keeping **Cisco SD-WAN** deployments fully updated and continuously monitoring for suspicious activity.