Cisco has released a security update that addresses a vulnerability in Catalyst SD-WAN Manager, tracked as CVE-2026-20262, that was exploited in an attack that escalated to root privileges.
Formerly known as SD-WAN vManage, this network management software allows administrators to manage up to 6,000 SD-WAN devices from a single dashboard.
This patched zero-day security flaw affects all deployment types, regardless of system configuration, including on-premises deployments, Cisco SD-WAN Cloud-Pro, Cisco SD-WAN Cloud (Cisco Managed), and Cisco SD-WAN for Government (FedRAMP).
According to Cisco, the issue is due to insufficient validation of user-supplied input during file uploads, which could allow a remote, low-privileged attacker to execute arbitrary commands as root by sending a crafted HTTP request to an affected API endpoint.
“A vulnerability in the web UI of Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage) could allow an authenticated, remote attacker to create or overwrite files on the file system of an affected system,” Cisco said in an advisory Monday.
“An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected API endpoint on an affected system. Successful exploitation could allow the attacker to create or overwrite arbitrary files on the underlying operating system, which could later be used to escalate to root.”
Cisco said its Product Security Incident Response Team (PSIRT) became aware of exploitation of CVE-2026-20262 earlier this month and “strongly” advised customers to patch their systems.

| Cisco Catalyst SD-WAN Release | First Fixed Release |
|---|---|
| 20.9.9.1 and earlier | 20.9.9.2 |
| 20.12.7.1 and earlier | 20.12.7.2 |
| 20.15.4.4 and earlier | 20.15.4.5 |
| 20.15.5.2 and earlier | 20.15.5.3 |
| 20.18.3 | 20.18.3.1 |
| 26.1.1.1 and earlier | 26.1.1.2 |

The company did not provide details about these attacks, but shared indicators of compromise (IOCs) advising administrators to check the SD-WAN vmanage-server, vmanage-appserver, and serviceproxy-access logs for index.jsp and .war file upload attempts.
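One way to triage those three logs for the indicators described above, as an added example that is not from Cisco or the original article. The log file names come from the article; the log line formats, the sample lines, and the `hunt` helper are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Log sources named in the article, matched by file-name substring.
LOG_SOURCES = ("vmanage-server", "vmanage-appserver", "serviceproxy-access")
# index.jsp or any *.war file name as a whole token (skips ".warnings", ".jspx").
IOC_NAME = re.compile(r"(?<![\w.-])([\w.-]*\.war|index\.jsp)(?!\w)", re.I)
# Hints that the line records a write rather than a read (assumed wording).
UPLOAD_HINT = re.compile(r"\b(?:POST|PUT)\b|upload|multipart", re.I)

def hunt(logs):
    """logs maps a log file name to its lines; returns one dict per matching line."""
    hits = []
    for name, lines in logs.items():
        if not any(src in name for src in LOG_SOURCES):
            continue  # only the three logs the article names
        for lineno, raw in enumerate(lines, 1):
            decoded = raw
            for _ in range(2):  # undo single and double URL encoding
                decoded = unquote(decoded)
            names = sorted({m.group(1).lower() for m in IOC_NAME.finditer(decoded)})
            if names:
                hits.append({"log": name, "line": lineno, "names": names,
                             "upload_like": bool(UPLOAD_HINT.search(decoded))})
    return hits

# Constructed sample lines; real log formats on the appliance will differ.
SAMPLE = {
    "vmanage-server.log": [
        "10:01:07 INFO [upload] stored file name=report.csv user=opsuser",
        "10:02:41 WARN [upload] rejected name=..%2F..%2Fapp%2Fupdate.war user=opsuser",
        "10:03:00 INFO config reloaded from logging.warnings.conf",
    ],
    "vmanage-appserver.log": ["10:04:10 INFO request GET /index.jsp status=200"],
    "serviceproxy-access.log": [
        '198.51.100.7 "POST /EXAMPLE/upload HTTP/1.1" 200 "filename=index.jsp"',
        '198.51.100.7 "GET /index.jspx HTTP/1.1" 404',
    ],
    "unrelated.log": ["copied backup.war to archive"],
}

if __name__ == "__main__":
    for hit in hunt(SAMPLE):
        print(hit)
```

Lines flagged with `upload_like` set to true are the ones to review first; a hit without it only shows that the file name was referenced.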
In February, Cisco patched another Catalyst SD-WAN Manager information disclosure security flaw (CVE-2026-20133) that was reported to have been actively exploited in late April, and two weeks later warned of two more flaws that had been actively exploited (CVE-2026-20128 and CVE-2026-20122).
Last month, the company also tagged a maximum severity Catalyst SD-WAN controller authentication bypass flaw (CVE-2026-20182) as actively exploited as a zero-day to gain administrative privileges on unpatched devices.
More recently, in early June, Cisco warned of another unpatched Catalyst SD-WAN Manager zero-day (CVE-2026-20245) that could be exploited in an attack that would allow attackers to gain root privileges.
Over the past few years, the Cybersecurity and Infrastructure Security Agency (CISA) has tagged 91 Cisco vulnerabilities as being exploited. Five of them were in Cisco Catalyst SD-WAN Manager, and the other six were exploited in ransomware attacks.

