Vulnerability in Cisco Catalyst SD-WAN Manager

Background

Cisco has released security updates to address an arbitrary file write vulnerability (CVE-2026-20262) affecting Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage). This vulnerability has a Common Vulnerability Scoring System (CVSS v3.1) score of 6.5 out of 10.

Impact

Due to improper validation of user-supplied input during a file upload process, an authenticated attacker with at least write access could send a crafted HTTP request to an affected API endpoint to create or overwrite any file on the underlying operating system, which could subsequently be used to escalate privileges to root on the affected system.

Known Exploitation

This vulnerability is being actively exploited in the wild.

Affected Products

This vulnerability affects Cisco Catalyst SD-WAN Manager, regardless of device configuration, across all deployment types including On-Premises Deployment, Cisco SD-WAN Cloud-Pro, Cisco SD-WAN Cloud (Cisco Managed), and Cisco SD-WAN for Government (FedRAMP).

This vulnerability affects the following Cisco Catalyst SD-WAN versions:

• Release 20.9.9.1 and earlier

• Release 20.12.7.1 and earlier

• Release 20.15.4.4 and earlier

• Release 20.15.5.2 and earlier

• Release 20.18.3

• Release 26.1.1.1 and earlier

Recommendations

Users and administrators of affected products are advised to update to the latest versions immediately.

References

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-arbfw-c2rZvQ

https://nvd.nist.gov/vuln/detail/CVE-2026-20262

https://www.bleepingcomputer.com/news/security/cisco-fixes-sd-wan-vmanage-flaw-exploited-in-zero-day-attacks/