CVE-2026-20262 was exploited in attacks that escalated to root privileges, and Cisco has released security updates to fix the flaw in its Catalyst SD‑WAN Manager, the company said.
CVE-2026-20262: what Cisco says the flaw allows
Cisco tracked the issue as CVE-2026-20262 and said the vulnerability stems from "insufficient validation of user-supplied input during file uploads." In a Monday advisory, the vendor wrote: "A vulnerability in the web UI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an authenticated, remote attacker to create a file or overwrite any file on the filesystem of an affected system."
Cisco continued: "An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected API endpoint of the affected system. A successful exploit could allow the attacker to create or overwrite any file on the underlying operating system. This file could later be used to elevate to root." The company reported it had released security updates to address the flaw and that its Product Security Incident Response Team (PSIRT) became aware of exploitation earlier this month.
Who and what is affected
The flaw affects Catalyst SD‑WAN Manager — formerly called SD‑WAN vManage — across all deployment types and device configurations. Cisco listed on‑premises deployments, Cisco SD‑WAN Cloud‑Pro, Cisco SD‑WAN Cloud (Cisco Managed), and Cisco SD‑WAN for Government (FedRAMP) as impacted. The product is used to manage up to 6,000 SD‑WAN devices from a single dashboard, according to Cisco's materials.
Where this sits in a string of active flaws
Cisco's advisory comes amid a string of recent, actively exploited vulnerabilities in its SD‑WAN products. In February the company patched a Catalyst SD‑WAN Manager information disclosure flaw (CVE-2026-20133) flagged as actively exploited in late April; two weeks after that it warned of two more flaws (CVE-2026-20128 and CVE-2026-20122) that were abused in the wild. Last month Cisco tagged a maximum‑severity Catalyst SD‑WAN Controller authentication‑bypass flaw (CVE-2026-20182) as actively exploited as a zero‑day to gain admin privileges on unpatched devices. In early June it warned of another unpatched Catalyst SD‑WAN Manager zero‑day (CVE-2026-20245) that was exploited to gain root privileges.
Separately, the advisory notes that the Cybersecurity and Infrastructure Security Agency (CISA) has tagged 91 Cisco vulnerabilities as abused in the wild, five of them in Catalyst SD‑WAN Manager and six others exploited in ransomware attacks.
Indicators of compromise and Cisco's guidance
While Cisco did not publish detailed descriptions of the individual attacks, it provided indicators of compromise (IOCs) and a concrete log‑checking suggestion. Administrators were warned to check SD‑WAN vmanage-server, vmanage-appserver, and serviceproxy-access logs for attempts to upload index.jsp and .war files. Cisco said PSIRT "strongly" advised customers to patch their systems and released security updates to remediate CVE-2026-20262.
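As an added example (not Cisco's code and not part of the advisory), a small Python scanner for the log review Cisco recommends: it walks the three named logs and reports every line that mentions index.jsp or a .war file, marking which of those look like upload attempts. The log file paths and the line format are assumptions; the advisory names the logs, not where they live.

```python
"""Scan Catalyst SD-WAN Manager logs for the file names Cisco's advisory
names (index.jsp and .war uploads). Added example; paths and log line
format are assumptions, not taken from the advisory."""
import re
from dataclasses import dataclass
from pathlib import Path
from typing import Iterable, List

# Assumed locations (hypothetical); adjust to the real paths on the appliance.
ASSUMED_LOG_PATHS = [
    "/var/log/nms/vmanage-server.log",
    "/var/log/nms/vmanage-appserver.log",
    "/var/log/nms/serviceproxy-access.log",
]

# File names the advisory tells administrators to look for.
# The trailing \b keeps benign words such as "software.warning" from matching.
SUSPECT_FILE = re.compile(r"(index\.jsp|[\w./-]*\.war)\b", re.IGNORECASE)
# Heuristic: an upload attempt usually shows up as a POST/PUT or an explicit
# "upload" keyword. Lines without it are still reported, just marked lower priority.
UPLOAD_HINT = re.compile(r"\b(POST|PUT|upload)\b", re.IGNORECASE)


@dataclass
class Finding:
    source: str
    line_no: int
    filename: str      # the matched file name or path fragment
    upload_hint: bool  # True when the line also looks like an upload request
    line: str


def scan_lines(lines: Iterable[str], source: str = "<input>") -> List[Finding]:
    """Return one Finding per log line that mentions a suspect file name."""
    findings: List[Finding] = []
    for n, line in enumerate(lines, 1):
        m = SUSPECT_FILE.search(line)
        if m:
            hint = UPLOAD_HINT.search(line) is not None
            findings.append(Finding(source, n, m.group(1), hint, line.rstrip("\n")))
    return findings


def scan_logs(paths: Iterable[str] = ASSUMED_LOG_PATHS) -> List[Finding]:
    """Scan each existing log file; missing files are skipped, not errors."""
    findings: List[Finding] = []
    for p in paths:
        path = Path(p)
        if path.is_file():
            with path.open(errors="replace") as fh:
                findings.extend(scan_lines(fh, str(path)))
    return findings


if __name__ == "__main__":
    for f in scan_logs():
        tag = "UPLOAD" if f.upload_hint else "mention"
        print(f"{f.source}:{f.line_no} [{tag}] {f.filename}: {f.line}")
```

Review the UPLOAD hits first; a hit does not prove compromise on its own, so pair it with the user, source address and response code recorded on the same line.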
What this means for technologists, enterprises, and regulators
- Technologists and security teams: Cisco's IOCs point to specific log locations and file names (index.jsp and .war) to review; the vendor's advisory also categorizes the issue as a zero‑day that was exploited to gain root privileges and recommends applying the supplied updates.
- Affected enterprises and procurement leaders: The flaw reaches all deployment options, including Cisco Managed Cloud and FedRAMP offerings, underscoring that both on‑prem and managed customers are in scope for remediation.
- Regulators and defenders (CISA): The advisory sits within a recent pattern CISA has tracked — 91 Cisco vulnerabilities marked as abused in the wild, with multiple entries tied to Catalyst SD‑WAN Manager and ransomware cases — which continues to shape public‑sector attention to SD‑WAN security.
Two final, concrete points emerge from Cisco's advisory: the company has released patches and PSIRT is urging immediate application of those updates; and Cisco provided narrow IOCs for log checks even as it declined to publish fuller details of the active exploits. The balance for operators is therefore clear in the advisory's terms — apply the supplied updates and search the named logs for the specified file upload attempts — while the wider scale and actors behind the exploitation remain unreported in the advisory.