
CVE-2026-20262: Cisco Catalyst SD-WAN Manager Arbitrary File Write via Path Traversal

CVE-2026-20262 is a medium-severity path traversal flaw in Cisco Catalyst SD-WAN Manager that lets an authenticated remote attacker create or overwrite any file on the OS, enabling privilege escalation to root. CISA has added it to the KEV catalog.

CVE-2026-20262 · medium severity · CVSS 6.5 · exploited in the wild

TL;DR

  • CVE-2026-20262 is a path traversal (CWE-22) flaw in Cisco Catalyst SD-WAN Manager that allows an authenticated remote attacker to create or overwrite any file on the underlying OS.
  • CVSS 6.5 (Medium), but the real-world risk is higher because a successful file-write can be chained into root-level privilege escalation.
  • Any user with at least a low-privileged, single-task account can exploit it - no admin rights required.
  • CISA has listed it in the Known Exploited Vulnerabilities (KEV) catalog with a federal remediation deadline of 2026-06-29, confirming active exploitation.
  • Apply the Cisco Security Advisory immediately; check the advisory for supported fixed releases rather than relying on any specific version number.

What is CVE-2026-20262?

CVE-2026-20262 is a path traversal vulnerability in the web UI of Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage). Improper validation of user-supplied input during a file upload operation lets an authenticated remote attacker send a crafted HTTP request to an affected API endpoint and write or overwrite arbitrary files anywhere on the host operating system. That write access can later be used to escalate privileges to root.
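As an added illustration (not Cisco's code and not taken from the advisory), the unsafe "join the client-supplied name onto the upload directory" pattern described above, beside a hardened upload-path check; the upload directory and all function names are assumptions:

```python
# Added illustration of the CWE-22 pattern the advisory describes; this is not
# Cisco's code. UPLOAD_ROOT and all function names are assumptions.
import posixpath
from urllib.parse import unquote

UPLOAD_ROOT = "/opt/app/uploads"  # hypothetical upload directory


def unsafe_target_path(user_filename):
    """Vulnerable pattern: the client-supplied name is joined onto the upload
    directory verbatim, so '../' components walk out of UPLOAD_ROOT and the
    upload becomes an arbitrary file write on the host OS."""
    return posixpath.normpath(posixpath.join(UPLOAD_ROOT, user_filename))


def escapes_root(user_filename):
    """True when the unsafe join lands outside UPLOAD_ROOT (useful for checking
    a suspicious file name seen in an upload request log)."""
    root = posixpath.normpath(UPLOAD_ROOT)
    return posixpath.commonpath([root, unsafe_target_path(user_filename)]) != root


def safe_target_path(user_filename):
    """Hardened version: URL-decode twice (defeats double encoding), reject any
    directory separator, NUL byte or dot-only name, then canonicalise and
    confirm the result still sits under UPLOAD_ROOT. Raises ValueError."""
    decoded = unquote(unquote(user_filename))
    if decoded in ("", ".", "..") or any(c in decoded for c in "/\\\0"):
        raise ValueError("invalid file name")
    root = posixpath.normpath(UPLOAD_ROOT)
    candidate = posixpath.normpath(posixpath.join(root, decoded))
    # Defence in depth: even if the name checks above are relaxed later, a
    # path whose common prefix with the root is not the root is refused.
    if posixpath.commonpath([root, candidate]) != root:
        raise ValueError("path escapes upload root")
    return candidate


def is_rejected(user_filename):
    """Helper: does the hardened handler refuse this name?"""
    try:
        safe_target_path(user_filename)
    except ValueError:
        return True
    return False
```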


Who is affected?

All deployments of the following product that have not yet applied Cisco's fix are in scope:

  • Cisco Catalyst SD-WAN Manager (formerly Cisco SD-WAN vManage) - all versions confirmed vulnerable per the Cisco advisory until the vendor-supplied fix is applied.

Organizations running SD-WAN Manager either as an on-premises controller or as a hosted management plane for branch SD-WAN fabrics should treat it as in scope. Any instance reachable over the network by a user holding even a minimal account is exposed.


How severe is it?

The CVSS 3.1 base score is 6.5 (Medium), with the vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N.

Breaking down what that vector means in practice:

  • AV:N - exploitable over the network, no physical or adjacent-network access needed.
  • AC:L - low attack complexity; no race conditions or special configuration required.
  • PR:L - only a low-privileged account is needed, a significant risk multiplier in environments with many SD-WAN operator accounts.
  • UI:N - no victim interaction is required.
  • I:H - high integrity impact; the attacker can overwrite critical OS files.
  • C:N / A:N - no direct confidentiality or availability impact in the base score.

The medium score understates operational risk. Arbitrary file overwrite is a well-known stepping stone to full OS compromise. An attacker who can write to paths such as /etc/cron.d/, SSH authorized_keys, or init scripts can move from a low-privileged web UI account to an unauthenticated root shell on the SD-WAN Manager host - a device that holds policy, credentials, and topology data for an entire SD-WAN fabric.


Is it being exploited?

Yes. CISA added CVE-2026-20262 to the Known Exploited Vulnerabilities catalog with a federal agency remediation deadline of 2026-06-29. Inclusion in the KEV catalog requires evidence of active exploitation, not just theoretical risk. Non-federal organizations should treat this deadline as a strong industry benchmark rather than an irrelevant government mandate.


How to fix and mitigate it

  1. Apply the vendor patch. Consult the Cisco Security Advisory (cisco-sa-sdwan-arbfw-c2rZvQ) for the exact fixed release applicable to your deployment. Do not rely on any third-party version number - go directly to the advisory.

  2. Restrict network access to the SD-WAN Manager web UI. Place the management interface behind a VPN or zero-trust access gateway so only authorized operator workstations can reach the API endpoints.

    # Example: iptables rules restricting the SD-WAN Manager UI port to a management subnet.
    # Adjust the port and subnet to your deployment, and make sure these rules sit ahead of
    # any broader ACCEPT rule, since iptables evaluates rules in order.
    iptables -A INPUT -p tcp --dport 8443 -s 10.0.0.0/24 -j ACCEPT
    iptables -A INPUT -p tcp --dport 8443 -j DROP
    
  3. Audit and trim user accounts. Because exploitation requires at least a low-privileged account, remove stale, shared, or overly broad SD-WAN Manager accounts. Apply the principle of least privilege to all operator roles.

  4. Enable multi-factor authentication (MFA) on the SD-WAN Manager login to raise the bar for credential-based exploitation even if a password is leaked.

  5. Monitor file integrity. Deploy a file integrity monitoring (FIM) tool on the SD-WAN Manager host to alert on unexpected writes to sensitive paths (/etc/cron*, /root/.ssh/, /etc/sudoers, service unit files).


How to detect exposure

  • Version check: Log in to SD-WAN Manager and navigate to Administration > Software Repository or run the CLI command below to confirm whether a patched version is installed. Compare against the Cisco advisory's fixed-release table.

    show version
    # or on older vManage CLI:
    vmanage# show system status | include Version
    
  • Web server access logs: Search for HTTP POST or PUT requests to file upload API endpoints (/dataservice/, /template/, /device/) from accounts that do not normally upload files, especially those with single-task roles.

    # POST/PUT requests to the upload-capable endpoints named above; review the requesting
    # account and the response status of each hit rather than filtering on a status substring
    grep -E 'POST|PUT' /var/log/ncswebui_access.log | grep -E '/dataservice/|/template/|/device/' | tail -200
    
  • File integrity alerts: Check whether unexpected files have appeared in /etc/cron.d/, /root/.ssh/authorized_keys, or other privileged paths since the vulnerability was published (2026-06-15).

  • SIEM / EDR correlation: Create a detection rule correlating SD-WAN Manager API authentication events from low-privileged accounts with subsequent OS-level file creation or modification events on the same host.
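The log-review and correlation steps above as an added example that is not part of the advisory: it parses constructed access-log lines (the line format, endpoint paths, account-to-role map and sample lines are all assumptions) and reports POST/PUT upload requests that come from non-admin accounts or carry a traversal sequence, noting whether the request succeeded.

```python
# Added example, not from the advisory: triage constructed SD-WAN Manager access-log
# lines for upload requests worth review. Log format, endpoint paths, the role map
# and the sample lines are all assumptions made for this illustration.
import re
from urllib.parse import unquote

UPLOAD_PREFIXES = ("/dataservice/", "/template/", "/device/")
TRAVERSAL = re.compile(r"\.\.[/\\]")
LINE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# Constructed role map: only "admin" accounts are expected to upload files.
ROLES = {"admin": "admin", "netops-ro": "single-task", "backup-svc": "single-task"}

def parse(line):
    """Fields of one access-log line, or None when it does not match the format."""
    m = LINE.match(line)
    return m.groupdict() if m else None

def review_reasons(rec):
    """Why a parsed request should be reviewed; empty list means it looks routine.
    Only POST/PUT to upload-capable endpoints count, and the path is URL-decoded
    twice so that single- and double-encoded '../' sequences are both caught."""
    reasons = []
    if rec["method"] not in ("POST", "PUT"):
        return reasons
    decoded = unquote(unquote(rec["path"]))
    if not decoded.startswith(UPLOAD_PREFIXES):
        return reasons
    if TRAVERSAL.search(decoded):
        reasons.append("traversal sequence in upload path")
    if ROLES.get(rec["user"]) != "admin":
        reasons.append("upload from non-admin account " + rec["user"])
    if reasons and rec["status"].startswith("2"):
        reasons.append("request succeeded (HTTP %s)" % rec["status"])
    return reasons

def triage(lines):
    """(user, path, reasons) for every parseable line that deserves a closer look."""
    hits = []
    for rec in filter(None, map(parse, lines)):
        why = review_reasons(rec)
        if why:
            hits.append((rec["user"], rec["path"], why))
    return hits

SAMPLE_LOG = [  # constructed lines, not real Cisco log output
    '10.0.0.5 - admin [15/Jun/2026:10:01:02 +0000] "POST /dataservice/template/upload HTTP/1.1" 200 512',
    '10.0.0.9 - netops-ro [15/Jun/2026:10:05:44 +0000] "PUT /template/import?name=..%252F..%252Fetc%252Fcron.d%252Fjob HTTP/1.1" 200 0',
    '10.0.0.9 - netops-ro [15/Jun/2026:10:06:10 +0000] "POST /dataservice/device/config/upload HTTP/1.1" 403 0',
    '10.0.0.7 - admin [15/Jun/2026:10:07:00 +0000] "GET /dataservice/device HTTP/1.1" 200 2048',
    "malformed line that should be skipped",
]
```

Feed real lines to triage() only after adjusting LINE and ROLES to the actual log format and account roles of your deployment.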


Frequently asked questions

Does an attacker need admin credentials to exploit CVE-2026-20262?

No. The attacker only needs a valid low-privileged, single-task user account. Because the privilege bar is low, any compromised or leaked SD-WAN Manager credential could be enough to trigger the file-write and begin a path toward root escalation.

Can CVE-2026-20262 directly execute code, or does it require a second step?

The vulnerability itself writes or overwrites arbitrary files. Code execution or root-level access requires a follow-on step - for example, overwriting a cron job, an SSHD authorized_keys file, or a sudoers entry. The initial CVSS score reflects the file-write impact, not a direct remote code execution primitive.

Is CVE-2026-20262 being actively exploited in the wild?

Yes. CISA added CVE-2026-20262 to its Known Exploited Vulnerabilities catalog with a federal remediation deadline of 2026-06-29, confirming active exploitation. All organizations running Cisco Catalyst SD-WAN Manager should treat patching as urgent, not discretionary.

What is the difference between Cisco Catalyst SD-WAN Manager and the older vManage name?

Cisco rebranded SD-WAN vManage as Cisco Catalyst SD-WAN Manager as part of its Catalyst networking portfolio consolidation. The product function - centralized SD-WAN policy, orchestration, and monitoring - is the same. Both names refer to the same vulnerable software family.
