Emerging Threats

Cisco Disrupts Active Exploitation of SD-WAN Manager Flaw


CVE-2026-20262 — a medium-severity flaw in Cisco Catalyst SD-WAN Manager with a CVSS score of 6.5 — has been added to the U.S. Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities catalog, triggering a June 29, 2026 remediation deadline for Federal Civilian Executive Branch agencies.

What CVE-2026-20262 is and how it works

Cisco’s advisory describes the flaw as a vulnerability in the web UI of Cisco Catalyst SD-WAN Manager that "could allow an authenticated, remote attacker to create a file or overwrite any file on the filesystem of an affected system." The issue stems from inadequate validation of user-supplied input during a file upload process. According to Cisco, an attacker can send crafted HTTP requests to a vulnerable API endpoint to create or overwrite arbitrary files on the underlying operating system; that behavior "could be weaponized to elevate to the root." Successful exploitation, Cisco adds, requires the attacker to already possess valid credentials with at least write access.

Products affected and patches released

The vulnerability impacts multiple Catalyst SD‑WAN Manager deployments regardless of deployment type, including:

  • Cisco Catalyst SD-WAN Manager On-Prem
  • Cisco SD-WAN Cloud-Pro
  • Cisco SD-WAN Cloud (Cisco Managed)
  • Cisco SD-WAN for Government (FedRAMP)

Cisco has published fixes across its release lines. Affected and fixed releases listed in the advisory are:

  • Release 20.9.9.1 and earlier — fixed in 20.9.9.2
  • Release 20.12.7.1 and earlier — fixed in 20.12.7.2
  • Release 20.15.4.4 and earlier — fixed in 20.15.4.5
  • Release 20.15.5.2 and earlier — fixed in 20.15.5.3
  • Release 20.18.3 — fixed in 20.18.3.1
  • Release 26.1.1.1 and earlier — fixed in 26.1.1.2

Cisco's indicators of compromise and log signatures

Cisco said it "became aware of limited exploitation of this vulnerability" in June 2026 and published indicators of compromise tied to the malicious activity. The company urged customers to audit the vManage server log at /var/log/nms/vmanage-server.log for suspicious WAR file uploads and provided an example entry. The entry records the AnyConnect profile upload handler writing a path that traverses out of its intended directory and into WildFly's deployments directory, where the application server's deployment scanner picks up any WAR archive it finds:

11-June-2026 03:53:37,310 EDT INFO [a66cdc5f-807d-4c23-944e-5c809a2ece6b] [server] [SdraAnyConnectFileUploadHandler] (default task-40704) |default| uploaded Remote Access Anyconnect profile file: ../../../../var/lib/wildfly/standalone/deployments/suspicious.war to vManage.

Cisco also cited two kinds of follow-on activity: the application server's deployment log recording the dropped WAR being deployed, and service-proxy access-log entries showing requests to the newly deployed application. The examples the vendor published are:

/var/log/nms/vmanage-appserver.log: 11-June-2026 07:52:55,275 UTC INFO [server] (DeploymentScanner-threads - 2) WFLYSRV0010: Deployed "suspicious.war" (runtime-name : "suspicious.war")

/var/log/nms/containers/service-proxy/serviceproxy-access.log: [2026-06-11T07:57:33.635Z] "POST /suspicious/index.jsp HTTP/1.1" 200 - 267 76 17 - "1.1.1.54" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0" "d7336b83-422b-4000-93e1-0296f102bbed" "1.1.1.4:8443" "127.0.0.1:8080"

Cisco warned that these indicators "may not consistently appear" in every incident log, but listed them as observable signs of attempts to deploy malicious code and interact with it.
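As an added example (not Cisco's code or tooling), the script below runs the three published indicators over log lines and correlates them into the upload, deploy, access chain. The log formats are inferred from the three example entries above; the handler's base directory is not given in the advisory, so a traversing path is resolved against the filesystem root as the worst case; the benign log lines, the "example-legit.war" deployment and the expected-deployment baseline are constructed for the demo and are not real vManage data.

```python
# Added example (not Cisco's code): scan the three vManage log locations named in
# the advisory for the CVE-2026-20262 indicator chain and correlate them.
# The three "suspicious.war" lines are Cisco's published examples; every other
# log line, the "example-legit.war" deployment and the expected-deployment
# baseline are constructed for this demo and are not real vManage data.
import posixpath
import re
from dataclasses import dataclass
from pathlib import PurePosixPath

SERVER_LOG = "/var/log/nms/vmanage-server.log"
APPSERVER_LOG = "/var/log/nms/vmanage-appserver.log"
PROXY_LOG = "/var/log/nms/containers/service-proxy/serviceproxy-access.log"
# WildFly's hot-deploy directory: a WAR written here is picked up by the
# DeploymentScanner, which is what the appserver indicator line shows.
DEPLOYMENTS_DIR = PurePosixPath("/var/lib/wildfly/standalone/deployments")

UPLOAD_RE = re.compile(
    r"\[SdraAnyConnectFileUploadHandler\].*?uploaded Remote Access Anyconnect "
    r"profile file: (?P<path>\S+) to vManage"
)
DEPLOY_RE = re.compile(r'WFLYSRV0010: Deployed "(?P<name>[^"]+)"')
# Access line as in the advisory: request, status, five counters, client IP.
ACCESS_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) '
    r'(?:\S+ ){5}"(?P<client>[^"]+)"'
)


@dataclass
class Finding:
    log: str
    severity: str  # "high" = matches the published chain, "review" = needs a baseline
    reason: str
    line: str


def suspicious_upload_path(raw: str):
    """Return why an AnyConnect profile upload path is abusive, or None.

    The handler is only meant to write a profile file, so any '..' component is
    traversal, and a .war landing in the deployments directory is exactly the
    pattern Cisco published. The handler's base directory is unknown (assumption),
    so a relative path is resolved against '/' as the worst case.
    """
    p = PurePosixPath(raw)
    reasons = []
    if ".." in p.parts:
        reasons.append("path traversal")
    if p.suffix.lower() == ".war":
        reasons.append("WAR archive")
    resolved = PurePosixPath(posixpath.normpath(raw if raw.startswith("/") else "/" + raw))
    if DEPLOYMENTS_DIR in resolved.parents:
        reasons.append("target inside WildFly deployments dir")
    return "; ".join(reasons) or None


def scan(server_lines, appserver_lines, proxy_lines, expected_deployments=frozenset()):
    """Walk the three logs and correlate upload -> deploy -> access by WAR name."""
    findings = []
    uploaded_wars = set()    # WAR basenames that arrived via the upload handler
    unexpected_apps = set()  # context roots WildFly deployed that are not baselined

    for line in server_lines:
        m = UPLOAD_RE.search(line)
        if m and (why := suspicious_upload_path(m["path"])):
            uploaded_wars.add(PurePosixPath(m["path"]).name)
            findings.append(Finding(SERVER_LOG, "high", f"upload handler wrote {why}", line))

    for line in appserver_lines:
        m = DEPLOY_RE.search(line)
        if not m:
            continue
        name = m["name"]
        context = name[:-4] if name.lower().endswith(".war") else name
        if name in uploaded_wars:
            unexpected_apps.add(context)
            findings.append(Finding(APPSERVER_LOG, "high", f"deployed {name}, which came in through the upload handler", line))
        elif name not in expected_deployments:
            unexpected_apps.add(context)
            findings.append(Finding(APPSERVER_LOG, "review", f"deployed {name}, not in the expected-deployment baseline", line))

    for line in proxy_lines:
        m = ACCESS_RE.search(line)
        if not m:
            continue
        context = m["path"].lstrip("/").split("/", 1)[0]
        if context in unexpected_apps:
            findings.append(Finding(PROXY_LOG, "high", f"{m['client']} {m['method']} {m['path']} -> HTTP {m['status']} on unexpected app /{context}", line))
    return findings


# Constructed sample input: the suspicious.war lines are the advisory's examples,
# the other lines are made-up benign traffic the scan should ignore.
SERVER_SAMPLE = [
    "11-June-2026 02:10:01,005 EDT INFO [0f1e2d3c-aaaa-bbbb-cccc-000000000001] [server] [SdraAnyConnectFileUploadHandler] (default task-40001) |default| uploaded Remote Access Anyconnect profile file: corp-vpn-profile.xml to vManage.",
    "11-June-2026 03:53:37,310 EDT INFO [a66cdc5f-807d-4c23-944e-5c809a2ece6b] [server] [SdraAnyConnectFileUploadHandler] (default task-40704) |default| uploaded Remote Access Anyconnect profile file: ../../../../var/lib/wildfly/standalone/deployments/suspicious.war to vManage.",
]
APPSERVER_SAMPLE = [
    '11-June-2026 07:30:12,001 UTC INFO [server] (DeploymentScanner-threads - 2) WFLYSRV0010: Deployed "example-legit.war" (runtime-name : "example-legit.war")',
    '11-June-2026 07:52:55,275 UTC INFO [server] (DeploymentScanner-threads - 2) WFLYSRV0010: Deployed "suspicious.war" (runtime-name : "suspicious.war")',
]
PROXY_SAMPLE = [
    '[2026-06-11T07:55:02.100Z] "GET /example-legit/status HTTP/1.1" 200 - 0 512 3 - "10.0.0.25" "curl/8.0" "00000000-0000-0000-0000-000000000002" "1.1.1.4:8443" "127.0.0.1:8080"',
    '[2026-06-11T07:57:33.635Z] "POST /suspicious/index.jsp HTTP/1.1" 200 - 267 76 17 - "1.1.1.54" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0" "d7336b83-422b-4000-93e1-0296f102bbed" "1.1.1.4:8443" "127.0.0.1:8080"',
]
EXPECTED_SAMPLE = frozenset({"example-legit.war"})  # operator-supplied baseline (constructed)


def scan_sample():
    return scan(SERVER_SAMPLE, APPSERVER_SAMPLE, PROXY_SAMPLE, EXPECTED_SAMPLE)


if __name__ == "__main__":
    for f in scan_sample():
        print(f"[{f.severity}] {f.log}: {f.reason}")
```

Two caveats when running this against real logs. The deployment and access checks need the operator's own baseline of WARs that WildFly legitimately deploys on a vManage node (the `expected_deployments` set), otherwise every deployment is reported for review; and, as Cisco warned, the indicator lines may not all be present, so the access-log check will miss a request to a WAR whose deployment line has rotated out, and a separate look for POSTs to unknown context roots is worth doing. Note too that the server log is stamped in local time (EDT) while the other two are UTC, so normalise timestamps before ordering events across the three files.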

The exploit in context: the eighth actively exploited SD‑WAN flaw this year and UAT-8616

CVE-2026-20262 is the eighth Cisco SD-WAN security flaw flagged as actively exploited in 2026, following CVE-2026-20245, CVE-2026-20182, CVE-2026-20127, CVE-2026-20122, CVE-2026-20128, CVE-2026-20133, and CVE-2022-20775. Cisco reported that exploitation of some of these earlier flaws has been attributed to an advanced persistent threat actor named UAT-8616.

What this means for federal agencies, network operators, and security teams

Federal Civilian Executive Branch agencies face a defined remediation deadline: CISA’s listing in the Known Exploited Vulnerabilities catalog requires affected FCEB agencies to apply the fixes by June 29, 2026. Cisco has released patched builds across multiple release lines that correspond to the affected releases, and has published log-based indicators of compromise for customers to audit.

Network operators running any of the named Catalyst SD‑WAN Manager variants must match their installed release to Cisco’s fix list and deploy the corresponding updated build. Security teams that manage vManage installations are being pointed to specific log locations — notably /var/log/nms/vmanage-server.log, /var/log/nms/vmanage-appserver.log, and the service-proxy access log — to look for the published signatures of suspicious WAR uploads and post-deployment interactions.

With a confirmed attack vector that requires authenticated write access and patched releases already available, the immediate tasks identified in the advisory are straightforward: align installed releases to the fixed builds, inspect the cited logs for the supplied indicators, and meet the CISA-directed deadline where it applies. Until the fixed build is installed, any user holding write-access credentials can reach the vulnerable upload path, and applying the fix closes that path without removing a WAR that was already written, so the log audit matters for updated systems as well. How quickly organizations complete both steps will determine their exposure to the limited exploitation Cisco reported in June 2026 and to the follow-on activity the company documented.

Source: The Hacker News — Cisco Releases Security Updates for Actively Exploited SD-WAN Manager Flaw