"An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected API endpoint of the affected system," the vendor warned in a Monday security advisory.
CVE-2026-20262: file‑upload validation bug in Catalyst SD‑WAN Manager
Cisco has issued a fix for a vulnerability, tracked as CVE-2026-20262, in the web UI of Catalyst SD‑WAN Manager. According to Cisco’s advisory, the software fails to properly validate user-supplied input during a file upload process. That weakness allows a crafted HTTP request to an affected API endpoint to create or overwrite any file on the underlying operating system; that file can later be used to elevate privileges to root.
Exploit activity and Cisco PSIRT notice
The vendor and U.S. federal authorities say the flaw is not purely theoretical. "In June 2026, the Cisco PSIRT became aware of limited exploitation of this vulnerability," the security alert said, and Cisco "continues to strongly recommend that customers upgrade to a fixed software release to remediate this vulnerability." Cisco also noted that the flaw affects all deployment types, regardless of device configuration, and that there are no workarounds — only upgrading to a fixed software version will patch the issue.
Caveat: credentials required, but attacks are already occurring
Cisco’s advisory clarifies an important exploitation prerequisite: an attacker must possess valid credentials with at least a lower‑privileged, single‑task user account to exploit the file‑upload bug. That requirement likely informed the vulnerability’s medium, 6.8 CVSS rating. Still, the reporting observed that "valid credentials aren’t hard to come by these days," and the presence of active exploitation confirms attackers have had some success.
CISA response: Known Exploited Vulnerabilities catalog entry and a two‑week federal deadline
On Monday, the U.S. Cybersecurity and Infrastructure Security Agency added CVE-2026-20262 to its Known Exploited Vulnerabilities catalog, citing "evidence of active exploitation." CISA also set a two‑week deadline for all federal agencies to apply the patch for this bug.
CVE‑2026‑20262 in context: recent Catalyst SD‑WAN advisories and patches
This incident follows closely on another SD‑WAN issue. Less than two weeks earlier, Switchzilla warned that a high‑severity vulnerability in Catalyst SD‑WAN Manager, CVE-2026-20245, was under active exploitation and initially did not have a fix. Cisco issued an advisory for that zero‑day on June 4 and released patches for all affected versions on June 12. CVE-2026-20262 is the eighth Cisco SD‑WAN bug to be listed in CISA’s Known Exploited Vulnerabilities catalog so far this year.
What this means for technologists, federal agencies, and enterprise operators
- Technologists and security teams: Cisco recommends upgrading to a fixed software release; Cisco’s advisory states there are no workarounds. Teams will need to prioritize timely upgrades for Catalyst SD‑WAN Manager instances because the vulnerability permits file creation or overwriting that can lead to root escalation.
- Federal agencies: CISA’s addition of CVE-2026-20262 to the Known Exploited Vulnerabilities catalog comes with a mandatory two‑week remediation window for federal civilian agencies to apply the patch.
- Enterprise operators and procurement leaders: The rapid sequence of SD‑WAN advisories and active exploitation — including CVE-2026-20245 earlier in June and now CVE-2026-20262 — underscores the need to track vendor advisories closely and deploy fixes promptly when no workaround exists.
Cisco’s patch for CVE-2026-20262 is the single mitigation the vendor and federal authorities are pointing to; with evidence of exploitation already, the practical next step for affected organizations is to upgrade as advised and to assume that any unpatched instance of Catalyst SD‑WAN Manager may already be a target.
