Cisco SD-WAN make-me-root bug under attack

Jeff Davies 16 Jun 2026 6 min read

1. Executive summary

Cisco has released a fix for CVE-2026-20262, a file-upload input-validation flaw in the web UI of Cisco Catalyst SD-WAN Manager that allows an authenticated low-privileged user to write arbitrary files to the underlying OS and chain that into root. Cisco PSIRT has confirmed limited in-the-wild exploitation in June 2026, and CISA has added the CVE to the Known Exploited Vulnerabilities (KEV) catalog with a two-week federal patching deadline. There are no workarounds; remediation requires upgrading to a fixed software release. For EMEA financial services firms running Catalyst SD-WAN Manager, the bottom-line risk is a low-effort path from any compromised SD-WAN user account to full root on the management plane — a high-impact foothold for lateral movement into branch and data-centre estates.

2. Regulatory framing

Article | Trigger (fact in this item) | Practical impact
--- | --- | ---
DORA Art. 17 (ICT-related incident management process) | CISA KEV listing confirms active exploitation of an ICT component supporting critical operations | Activate the documented ICT incident management process; record detection, triage and remediation evidence
DORA Art. 18 (classification of ICT-related incidents and cyber threats) | Active exploitation of a management-plane component constitutes a classifiable ICT-related incident and cyber threat | Classify the event against the internal taxonomy before further action; retain classification rationale
DORA Art. 19 (reporting of major ICT-related incidents to competent authorities) | A successful exploit yields root on the SD-WAN Manager, which may qualify as a major ICT-related incident depending on operational impact | If exploitation is confirmed in your environment, assess against major-incident thresholds and report to the competent authority within the prescribed window
DORA Art. 28 (ICT third-party risk, general principles) | Cisco is an ICT third-party provider; the vulnerability sits in vendor-supplied software | Re-evaluate the Cisco SD-WAN risk entry; confirm vendor patch SLA performance and notification adequacy
DORA Art. 29 (preliminary assessment of ICT concentration risk) | Cisco SD-WAN Manager is a single-vendor management plane; concentration risk is plausible | Assess whether SD-WAN represents a concentration risk and document the assessment
DORA Art. 30 (key contractual provisions with ICT third-party providers) | Patch delivery and vulnerability disclosure obligations are engaged | Verify the Cisco contract covers emergency patching, notification and audit rights for this class of flaw
NIS2 Art. 21(2)(d) (supply chain security measures) | The vulnerable component is supplied by Cisco as part of the SD-WAN supply chain | Apply supply-chain security measures covering Cisco SD-WAN Manager; verify vendor patch integrity
NIS2 Art. 23 (incident reporting obligations) | Active exploitation may constitute a reportable incident with significant impact | If exploitation is confirmed, follow early-warning / incident-notification timelines
UK NIS 2018 (OES/RDSP duties) | UK-regulated OES/RDSP entities operating Catalyst SD-WAN Manager fall in scope | Ensure patching and incident-handling duties under the Regulations are met

3. Technical analysis & attack chain

Vulnerability mechanism (CVE-2026-20262). Improper validation of user-supplied input during a file-upload process in the web UI of Cisco Catalyst SD-WAN Manager. The flaw is reachable via a crafted HTTP request to an affected API endpoint. A successful exploit allows the attacker to create or overwrite any file on the underlying operating system; that file can subsequently be used to elevate to root.

Privilege precondition. Exploitation requires valid credentials with at least a lower-privileged, single-task user account on the SD-WAN Manager. The flaw is not reachable anonymously.

Scope. All deployment types are affected regardless of device configuration. There are no workarounds.

Related context, CVE-2026-20245. A separate high-severity CLI vulnerability affecting Cisco Catalyst SD-WAN Controller and Catalyst SD-WAN Manager (CVSS 7.8 High, in CISA KEV, EPSS 1%, CWE-116) was disclosed by Cisco on 4 June 2026 with no fix available at disclosure; patches for all affected versions were released on 12 June 2026. The source notes this is the eighth Cisco SD-WAN bug listed in CISA KEV in 2026.

Attack chain (confirmed steps)

  1. Initial access — credential acquisition. Attacker obtains valid SD-WAN Manager credentials for a low-privileged, single-task user account (e.g. via phishing, credential reuse, infostealer logs, or prior compromise).
  2. Authenticated session establishment. Attacker authenticates to the Catalyst SD-WAN Manager web UI / API endpoint over HTTPS using the stolen credentials.
  3. Exploitation — crafted HTTP request. Attacker submits a crafted HTTP request to the affected API endpoint, abusing the file-upload process to bypass input validation.
  4. Arbitrary file write. The vulnerable component creates or overwrites an arbitrary file on the underlying OS of the SD-WAN Manager.
  5. Privilege escalation to root. The written file is leveraged to elevate from the low-privileged SD-WAN user to root on the SD-WAN Manager host.
  6. Post-exploitation. With root on the management plane, the attacker can pivot to managed SD-WAN edges, alter policy/control plane state, and stage further lateral movement into branch and data-centre networks.

Unconfirmed / single-sourced claims

The source describes exploitation as "limited" but does not name a threat actor, sector targeting, or specific payload. No MITRE ATT&CK profile is provided for any actor associated with this CVE; attribution is therefore unconfirmed. The source also does not specify which fixed software release resolves the flaw — operators must consult Cisco's advisory directly to identify the correct target version for their deployment.

4. Mitigation & containment

P1 — within 24 hours

  • Identify exposure. Inventory every Cisco Catalyst SD-WAN Manager instance (appliance and virtual) and the software version in use. Cross-reference against Cisco's published fixed releases.
  • Restrict web UI / API access. Until patched, restrict the SD-WAN Manager web UI and API endpoints to a tightly controlled jump-host subnet via firewall ACLs; deny direct internet exposure.
  • Enforce credential hygiene. Force a password reset for all SD-WAN Manager user accounts; rotate any shared service credentials and API tokens; revoke and reissue any long-lived API keys.
  • Audit low-privileged accounts. Review all accounts holding the "single-task user" role and any service accounts; disable unused or stale entries.
  • Enable enhanced logging. Ensure HTTPS access logs, file-system write events, and authentication events on the SD-WAN Manager are forwarded to SIEM with sufficient retention.

P2 — within 72 hours

  • Patch. Upgrade to the Cisco-fixed software release for your deployment. There is no workaround; patching is the only remediation path.
  • Validate integrity post-patch. Confirm the upgrade completed cleanly and that no unexpected files remain in SD-WAN Manager OS paths (compare against a known-good baseline where available).
  • Threat hunt. Hunt for indicators of the attack chain: anomalous HTTP requests to SD-WAN Manager API endpoints from non-jump-host sources, unexpected file mtimes in OS directories, and new or modified files outside the expected SD-WAN Manager data tree.
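The post-patch integrity check in the P2 steps above, as an added example (this is not Adverse Trace or Cisco tooling): a known-good file manifest is built from a clean tree and diffed against the live tree, keyed on content hash rather than mtime, because anything that can already write arbitrary files can also set a plausible mtime. The directory layout, file names and the simulated tampering step are constructed for illustration; the source does not describe the payload actually used against CVE-2026-20262, and the real SD-WAN Manager OS paths are an assumption you must substitute.

```python
# Added example (not from the Adverse Trace note or from Cisco): build a
# file manifest from a known-good tree and diff it against the live tree
# after patching. The directory layout, file names and the "tampering"
# step below are constructed for illustration; the source does not
# describe the real payload used against CVE-2026-20262.
import hashlib
import os
import tempfile


def build_manifest(root):
    """Map each regular file under root (relative, '/'-separated) to its
    SHA-256 hex digest. Hash, not mtime, is the comparison key: mtimes are
    trivially forged by anything that can already write arbitrary files."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                manifest[rel] = hashlib.sha256(fh.read()).hexdigest()
    return manifest


def diff_manifests(baseline, current):
    """Return files added, modified (digest changed) and removed since baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "removed": sorted(set(baseline) - set(current)),
    }


def _write(path, text, mode="w"):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, mode) as fh:
        fh.write(text)


def demo():
    """Constructed scenario: snapshot a clean tree, then simulate the kind of
    change an arbitrary-file-write primitive enables (a privileged config
    file appended to, a new persistence file dropped) and report the diff.
    Paths are hypothetical, not the real SD-WAN Manager layout."""
    with tempfile.TemporaryDirectory() as root:
        _write(os.path.join(root, "etc", "sudoers"), "root ALL=(ALL) ALL\n")
        _write(os.path.join(root, "opt", "data", "config.json"), "{}\n")
        baseline = build_manifest(root)

        # Simulated tampering; the data file is left untouched on purpose.
        _write(os.path.join(root, "etc", "sudoers"), "svc ALL=(ALL) NOPASSWD: ALL\n", mode="a")
        _write(os.path.join(root, "etc", "cron.d", "persist"), "* * * * * root /tmp/x\n")
        current = build_manifest(root)
        return diff_manifests(baseline, current)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice, generate the baseline from a clean image of the fixed release (or from the vendor package contents), store it off-box, and run the comparison from a trusted host over a read-only copy of the suspect filesystem; a manifest kept on the compromised box can be rewritten by the same primitive.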

P3 — within 7 days

  • Concentration-risk review. Assess whether Cisco SD-WAN Manager represents an ICT concentration risk under DORA Art. 29 and document the outcome.
  • Vendor risk review. Confirm Cisco's contractual patch-delivery and notification performance against DORA Art. 30 expectations; raise findings with procurement and third-party risk owners.
  • Tabletop / resilience test. Validate that the SD-WAN Manager can be isolated and recovered from a clean image without disrupting branch connectivity; rehearse failover to a backup management plane if available.

5. Indicators of compromise

No indicators of compromise (file hashes, IPs, domains, filenames, mutexes, registry keys, or distinctive strings) are present in the source material. The source confirms exploitation occurred but does not publish any technical IoCs.

6. Detection

Insufficient indicators to author a YARA rule from this source material. A Sigma rule is provided below based on the confirmed attack vector (crafted HTTP request to the SD-WAN Manager API file-upload endpoint).

title: Cisco SD-WAN Manager — Suspicious File Upload to API Endpoint
id: AT-2026-06-16-111-001
status: experimental
description: |
  Detects HTTP POST requests to Cisco Catalyst SD-WAN Manager API endpoints that
  target the file-upload process. Associated with CVE-2026-20262 exploitation.
  The source does not name the vulnerable endpoint, so the path selection is
  deliberately broad; tune it against your jump-host allowlist.
author: Adverse Trace
date: 2026-06-16
references:
  - https://www.theregister.com/patches/2026/06/15/cisco-sd-wan-make-me-root-bug-under-attack/5255916
logsource:
  product: webserver
  category: access
detection:
  selection_request:
    cs-method: POST
    cs-uri-stem|contains:
      - "/api/"
      - "/sdwan/"
  selection_upload:
    cs-uri-stem|contains:
      - "upload"
      - "file"
  condition: selection_request and selection_upload
fields:
  - c-ip
  - cs-method
  - cs-uri-stem
  - cs-user-agent
falsepositives:
  - Legitimate administrative file uploads from known jump-hosts
  - Unrelated API paths containing the substring "file" (e.g. file listings)
level: high
tags:
  - attack.initial_access
  - attack.t1190
  - attack.privilege_escalation
  - attack.t1068
  - cve.2026.20262
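The Sigma selection above, and the P2 threat-hunt step in section 4 (anomalous API requests from non-jump-host sources), run over access-log lines as an added example; this is not Adverse Trace or Cisco code. The W3C log lines, client IPs, URI paths and the jump-host subnet are all constructed here; because the source does not name the real SD-WAN Manager upload endpoint, matching uses the rule's generic substrings, and hits from the jump-host allowlist are suppressed to handle the rule's stated false-positive class.

```python
# Added example (not from the Adverse Trace note): the Sigma selection logic
# above, applied to W3C-style webserver access log lines, with hits from a
# jump-host allowlist suppressed. The log lines, client IPs, URI paths and
# the jump-host subnet are all constructed; the source does not name the
# real SD-WAN Manager upload endpoint, so matching uses the rule's generic
# substrings.
import ipaddress

# Assumption: the subnet your administrators are required to come from.
JUMP_HOST_NETS = [ipaddress.ip_network("10.10.5.0/24")]

# Constructed W3C extended log sample; field order is given by the #Fields line.
SAMPLE_LOG = """\
#Software: constructed sample
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2026-06-14 09:12:01 10.10.5.17 POST /api/v1/upload/software - 200 Mozilla/5.0
2026-06-14 09:13:44 198.51.100.23 POST /api/v1/file/import - 200 python-requests/2.31
2026-06-14 09:14:02 198.51.100.23 GET /api/v1/file/list - 200 python-requests/2.31
2026-06-14 09:15:30 203.0.113.9 POST /api/v1/system/upload - 200 curl/8.5.0
2026-06-14 09:16:11 203.0.113.9 POST /sdwan/device/file - 500 curl/8.5.0
2026-06-14 09:17:05 203.0.113.9 POST /api/v1/login - 200 curl/8.5.0
"""


def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the #Fields names.
    The last field (User-Agent) may contain spaces, so split at most
    len(fields)-1 times."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split(None, len(fields) - 1)
        if len(parts) == len(fields):
            records.append(dict(zip(fields, parts)))
    return records


def matches_rule(rec):
    """Mirror of the Sigma condition: selection_request and selection_upload."""
    path = rec.get("cs-uri-stem", "").lower()
    selection_request = rec.get("cs-method") == "POST" and any(
        s in path for s in ("/api/", "/sdwan/"))
    selection_upload = any(s in path for s in ("upload", "file"))
    return bool(selection_request and selection_upload)


def is_jump_host(ip, nets):
    """True when ip parses and falls inside one of the allowlisted networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in nets)


def hunt(text, nets=None):
    """Return rule matches from outside the jump-host allowlist: c-ip -> [paths]."""
    nets = JUMP_HOST_NETS if nets is None else nets
    hits = {}
    for rec in parse_w3c(text):
        if matches_rule(rec) and not is_jump_host(rec.get("c-ip", ""), nets):
            hits.setdefault(rec["c-ip"], []).append(rec["cs-uri-stem"])
    return hits


if __name__ == "__main__":
    for ip, paths in hunt(SAMPLE_LOG).items():
        print(ip, paths)
```

Two points the sample is built to show: the GET to a path containing "file" is correctly ignored because the rule requires POST, and the jump-host source that legitimately uploads software is suppressed by the allowlist rather than by weakening the rule. The "file" substring will still match benign paths, so treat the output as a hunt queue, not an alert, until you can replace the substrings with the endpoint Cisco's advisory identifies.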

CVE assessment

2 referenced CVEs — 2 actively exploited (CISA KEV)

CVE | CVSS | Exploited | EPSS | Summary
--- | --- | --- | --- | ---
CVE-2026-20245 | 7.8 High | ⚠ KEV 2026-06-09 | 1% | A vulnerability in the CLI of Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, Cisco Catalyst SD-WAN Manager, formerly…
CVE-2026-20262 | 6.5 Medium | ⚠ KEV 2026-06-15 |  | A vulnerability in the web UI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an authenticated, remote a…

7. Sources

  • The Register — "Cisco SD-WAN make-me-root bug under attack" — https://www.theregister.com/patches/2026/06/15/cisco-sd-wan-make-me-root-bug-under-attack/5255916 — 2026-06-15

8. Adverse Trace position

Severity: CVSS 6.5 (MEDIUM) per authoritative reference, but the operational severity is materially higher because (a) CISA KEV confirms active exploitation, (b) the post-authentication bar is low and easily cleared with commodity credentials, and (c) a successful exploit yields root on the SD-WAN management plane — a strategic foothold rather than a single-host compromise. Client impact: any EMEA financial services firm running Catalyst SD-WAN Manager is potentially exposed; the management plane is in-scope for DORA, and OES/RDSP entities under UK NIS 2018 have explicit duties to patch. Next steps: Adverse Trace will (1) monitor Cisco's advisory for the named fixed software release and update this note, (2) track any further CISA KEV additions for the related CVE-2026-20245 chain, and (3) assist clients with exposure validation, threat hunting across SD-WAN Manager logs, and DORA/NIS2 reporting evidence packs if exploitation is confirmed in their environment.


Published via PulseTrace — Adverse Trace threat intelligence.