Severity: Medium. Tags: CISA KEV, Exploited in the wild, Public exploit

Arbitrary File Write in Cisco Catalyst SD-WAN Manager Web UI

Identifiers: CVE-2026-20262, CWE-73

CVE-2026-20262 is an arbitrary file write vulnerability in the web UI of Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage). The issue is caused by insufficient validation of user-supplied input during a file upload process in an affected API endpoint. An authenticated remote attacker can send crafted HTTP requests to that endpoint to create or overwrite arbitrary files on the underlying filesystem. Cisco states that valid credentials are required, and that even a low-privileged single-task user account is sufficient. The vulnerability affects all deployment types regardless of configuration, including on-premises, Cloud-Pro, Cisco-managed cloud, and FedRAMP deployments. Cisco has also stated that the written file can subsequently be leveraged to escalate privileges to root, and reporting indicates exploitation in the wild in June 2026.


Analyst brief: impact, mitigation & remediation

What it means, what to do now: patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an authenticated attacker to write or overwrite arbitrary files on the target system. Because the attacker can place files on the underlying operating system, the flaw can be used as a stepping stone to root privilege escalation and, in observed reporting, arbitrary command execution as root. In practical terms, compromise of SD-WAN Manager can expose the management plane of the SD-WAN environment, enabling full administrative compromise of the appliance and potentially broader operational impact across managed infrastructure.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure of the SD-WAN Manager web UI and the vulnerable API endpoints, especially from untrusted or internet-reachable networks, and restrict access to trusted administrative networks only. Minimize and review low-privilege accounts, since a single-task account is sufficient for exploitation. Monitor the vmanage-server, vmanage-appserver, and serviceproxy-access logs for indicators of compromise: reported indicators include attempts to upload index.jsp files and .war files, and a rogue suspicious.war followed by requests to a planted web page. If compromise is suspected, perform incident response and collect the relevant support and forensic artifacts for Cisco TAC review.
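As an added illustration of the log-monitoring step above (not code from Cisco or from this page), the script below scans access-log lines for the reported indicators, a POST/PUT naming index.jsp or a .war file, and raises a second, higher-confidence alert when the same source then fetches a .jsp page. The combined-log line layout, the /PLACEHOLDER_UPLOAD_ENDPOINT path and the sample lines are constructed assumptions; the real serviceproxy-access format is not described here.

```python
import re
from typing import Dict, List

# Constructed sample access-log lines (assumed combined-log layout).
# /PLACEHOLDER_UPLOAD_ENDPOINT stands in for the affected endpoint, which
# this page does not name.
SAMPLE_LOG = """\
10.0.0.5 - opsuser [12/Jun/2026:10:01:02 +0000] "POST /PLACEHOLDER_UPLOAD_ENDPOINT?file=report.csv HTTP/1.1" 200 512
10.0.0.5 - opsuser [12/Jun/2026:10:01:09 +0000] "POST /PLACEHOLDER_UPLOAD_ENDPOINT?file=suspicious.war HTTP/1.1" 200 611
10.0.0.5 - opsuser [12/Jun/2026:10:01:30 +0000] "GET /suspicious/index.jsp HTTP/1.1" 200 88
10.0.0.9 - admin [12/Jun/2026:10:05:00 +0000] "GET /PLACEHOLDER_UPLOAD_ENDPOINT HTTP/1.1" 200 2048
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# File names the page reports as upload indicators (index.jsp, *.war).
UPLOAD_INDICATOR = re.compile(r'(index\.jsp|\.war)(?![A-Za-z0-9])', re.IGNORECASE)
# A later GET for a .jsp page is the "request to a planted web page" step.
PLANTED_PAGE = re.compile(r'\.jsp(\?|$)', re.IGNORECASE)


def scan_log(text: str) -> List[Dict[str, str]]:
    """Return alerts in log order: 'suspicious_upload' for each POST/PUT that
    names an indicator file, and 'planted_page_hit' when a source (ip, user)
    that already uploaded one later fetches a .jsp page."""
    alerts: List[Dict[str, str]] = []
    uploaders = set()  # (ip, user) pairs seen uploading indicator files
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        method, target = m["method"], m["target"]
        src = (m["ip"], m["user"])
        if method in ("POST", "PUT") and UPLOAD_INDICATOR.search(target):
            uploaders.add(src)
            alerts.append({"kind": "suspicious_upload", "ip": m["ip"],
                           "user": m["user"], "target": target, "ts": m["ts"]})
        elif method == "GET" and PLANTED_PAGE.search(target) and src in uploaders:
            alerts.append({"kind": "planted_page_hit", "ip": m["ip"],
                           "user": m["user"], "target": target, "ts": m["ts"]})
    return alerts


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f'{a["ts"]} {a["kind"]:18} {a["ip"]} {a["user"]} {a["target"]}')
```

A lone GET for a .jsp page from a source with no prior upload is not flagged, so tune the correlation window and the source key to your own log volume.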

Remediation

Patch, then assume compromise.

Upgrade Cisco Catalyst SD-WAN Manager to a fixed release. Reported fixed versions include 20.9.9.2 for affected 20.9.x releases, 20.12.7.2 for affected 20.12.x releases, 20.15.4.5 for affected 20.15.4.x releases, 20.15.5.3 for affected 20.15.5.x releases, 20.18.3.1 for release 20.18.3, and 26.1.1.2 for affected 26.1.1.1 releases. Cisco strongly advised customers to patch affected systems due to active exploitation.

Public exploits

No public exploits tracked yet. Mallory keeps watching.


No public exploit code observed for this vulnerability.
