CVE-2026-20262 — Cisco Catalyst SD-WAN Manager: Cisco Catalyst SD-WAN Manager Directory or Path Traversal Vulnerability

Jeff Davies 16 Jun 2026 7 min read

1. Executive summary

CVE-2026-20262 is a directory/path traversal vulnerability (CWE-22) in the web UI of Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage), the management plane for the Cisco SD-WAN fabric. An authenticated, remote attacker with valid credentials — at minimum a lower-privileged, single-task user account — can send a crafted HTTP request to an affected API endpoint during the file upload process and create or overwrite any file on the underlying operating system; the resulting file can subsequently be used to elevate to root. The vulnerability is in CISA's Known Exploited Vulnerabilities catalog (added 2026-06-15, due date 2026-06-29) and is the second Cisco SD-WAN Manager flaw observed under active exploitation within two weeks. CVSS 3.1 base score is 6.5 (MEDIUM); vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N. Bottom-line risk to EMEA financial services: any organisation running an internet-exposed or unpatched Catalyst SD-WAN Manager instance must treat this as a P1 patch item. Exploitation requires valid credentials (this CVE has no pre-authentication path), but once a low-privileged account is in hand, escalation to root is straightforward.

2. Regulatory framing

  • DORA Art. 17 (ICT-related incident management process)
    Trigger: Vulnerability is in CISA KEV with active exploitation observed by Cisco PSIRT.
    Practical impact: Trigger and run the documented ICT-related incident management process for any SD-WAN Manager instance; preserve forensic artefacts per CISA "Forensics Triage Requirements".
  • DORA Art. 18 (classification of ICT-related incidents and cyber threats)
    Trigger: Active exploitation of an authenticated remote file-write primitive that can lead to root.
    Practical impact: Classify any observed exploitation under the firm's ICT-related incident classification taxonomy; treat root-on-management-plane as a critical-severity cyber threat.
  • DORA Art. 19 (reporting of major ICT-related incidents to competent authorities)
    Trigger: Successful exploitation on a production SD-WAN fabric controlling financial-services traffic would constitute a major ICT-related incident.
    Practical impact: Pre-stage reporting templates and competent-authority contact paths now; report confirmed compromises within the prescribed window.
  • DORA Art. 24 (digital operational resilience testing — general requirements)
    Trigger: Patching and configuration hardening of a critical management plane is a baseline resilience control.
    Practical impact: Include SD-WAN Manager patching in the next testing cycle; verify patch effectiveness via post-change validation.
  • DORA Art. 28 (ICT third-party risk — general principles)
    Trigger: Cisco is a third-party ICT provider; the vulnerability affects vendor-supplied software.
    Practical impact: Re-evaluate third-party risk entries for Cisco SD-WAN; confirm vendor patch SLAs and contractual notification obligations.
  • DORA Art. 29 (preliminary assessment of ICT concentration risk)
    Trigger: SD-WAN Manager is a single management plane for the entire SD-WAN fabric.
    Practical impact: Assess whether the firm has concentration on Cisco SD-WAN Manager and document compensating controls if patching is delayed.
  • DORA Art. 30 (key contractual provisions with ICT third-party providers)
    Trigger: Vendor has issued a security fix; contractual right-to-patch and audit clauses apply.
    Practical impact: Invoke vendor patch obligations; document any deviation from the recommended patching timeline.
  • NIS2 Art. 21(2)(d) (supply chain security measures)
    Trigger: Cisco is part of the ICT supply chain; the vulnerability affects a managed service component.
    Practical impact: Apply supply-chain security measures: verify patch provenance, restrict management-plane access, audit SD-WAN Manager instances.
  • NIS2 Art. 23 (incident reporting obligations)
    Trigger: Active exploitation with potential for root on the management plane.
    Practical impact: Establish early-warning indicators and incident-reporting timelines for any confirmed exploitation.
  • UK NIS 2018 (OES/RDSP duties)
    Trigger: SD-WAN Manager underpins network operations for OES/RDSP entities.
    Practical impact: Ensure OES/RDSP entities apply the CISA-required action and BOD 26-04 guidance; document compliance for the relevant competent authority.

3. Technical analysis & attack chain

  1. Reconnaissance and credential acquisition. Attacker obtains or possesses valid credentials for the SD-WAN Manager web UI — minimum a lower-privileged, single-task user account. Sources do not specify how credentials are obtained; this may be via prior compromise, credential reuse, or social engineering.
  2. Authenticated session establishment. Attacker authenticates to the Catalyst SD-WAN Manager web UI / API endpoint over HTTPS.
  3. Crafted HTTP request to file upload API. Attacker sends a crafted HTTP request to the affected API endpoint handling the file upload process. The request contains path-traversal sequences (e.g., ../) in user-supplied input that the software fails to validate.
  4. Arbitrary file creation or overwrite. The vulnerable code path writes the uploaded content to a path resolved using the attacker-controlled input, allowing creation or overwrite of any file on the underlying operating system filesystem.
  5. Privilege escalation to root. The created/overwritten file is subsequently used to elevate privileges to root on the SD-WAN Manager host. The NVD description states: "This file could later be used to elevate to root."
  6. Post-exploitation. With root on the management plane, the attacker controls the entire SD-WAN fabric — configuration changes, tunnel manipulation, telemetry exfiltration, and pivot into the underlying network.

Vulnerability mechanism. CWE-22 (Improper Limitation of a Pathname to a Restricted Directory / Path Traversal). Root cause: the file upload process does not properly validate user-supplied input before using it in a filesystem path. CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N reflects network attack vector, low complexity, low privileges required, no user interaction, unchanged scope, no confidentiality impact, high integrity impact, no availability impact.
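
The CWE-22 pattern described above, shown as an added illustration that is not Cisco's code and does not reproduce the affected endpoint: an upload handler that joins a client-supplied filename onto an upload root verbatim, beside a hardened version that fully percent-decodes, normalises separators, canonicalises the result and only then checks that it is still inside the upload directory. Directory names and filenames are constructed for the demo (a temp directory stands in for the host filesystem). The hardened form also handles the double-encoding edge case (`%252e%252e`), which a single-layer decode would miss.

```python
# Added example (not Cisco's code): vulnerable vs. hardened resolution of an
# upload path built from a client-supplied filename (CWE-22).
# All paths here are constructed in a temp directory for the demonstration.
import tempfile
from pathlib import Path
from urllib.parse import unquote

ROOT = Path(tempfile.mkdtemp(prefix="sdwan_demo_"))   # stand-in for the host filesystem
UPLOAD_DIR = ROOT / "uploads"                          # stand-in for the application's upload root
UPLOAD_DIR.mkdir()


def save_upload_vulnerable(filename: str, data: bytes) -> Path:
    """Vulnerable: joins the client-supplied name onto the upload root verbatim.
    A name such as '../escaped.txt' resolves outside UPLOAD_DIR."""
    target = UPLOAD_DIR / filename
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(data)
    return target.resolve()


def decode_fully(raw: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing, so a double-encoded
    sequence (%252e%252e) cannot pass a check that decodes only one layer."""
    current = raw
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def resolve_upload_path(filename: str, base: Path = UPLOAD_DIR) -> Path:
    """Hardened: decode, normalise separators, canonicalise, then require the
    result to stay under `base`. Raises ValueError for anything that escapes."""
    name = decode_fully(filename).replace("\\", "/")
    base = base.resolve()
    candidate = (base / name).resolve()   # absolute names replace base; resolve() collapses '..'
    try:
        candidate.relative_to(base)
    except ValueError:
        raise ValueError(f"rejected filename that escapes the upload directory: {filename!r}")
    if candidate == base:
        raise ValueError("filename resolved to the upload directory itself")
    return candidate


def save_upload_hardened(filename: str, data: bytes) -> Path:
    """Hardened write: only paths confined to UPLOAD_DIR are ever opened."""
    target = resolve_upload_path(filename)
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(data)
    return target


def escapes_upload_dir(path: Path) -> bool:
    """True when an already-resolved path lies outside UPLOAD_DIR."""
    try:
        path.relative_to(UPLOAD_DIR.resolve())
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    written = save_upload_vulnerable("../escaped.txt", b"demo")
    print("vulnerable handler wrote:", written, "| escaped upload dir:", escapes_upload_dir(written))
    for name in ["report.txt", "../escaped.txt", "%252e%252e/escaped.txt", "/etc/hosts"]:
        try:
            print("hardened:", name, "->", save_upload_hardened(name, b"demo"))
        except ValueError as exc:
            print("hardened:", name, "->", exc)
```

The order of operations in `resolve_upload_path` is the point: decoding and canonicalisation happen before the containment check, so the check sees the same path the filesystem will see. Checking the raw string for `..` and decoding afterwards is the usual way such a check is defeated.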

Authentication requirement. Exploitation requires valid credentials with at least a lower-privileged, single-task user account. This is not an unauthenticated bypass (contrast with CVE-2026-20182, which is an unauthenticated authentication bypass on the SD-WAN Controller & Manager).

Scope of impact. The vulnerability affects the web UI of Cisco Catalyst SD-WAN Manager. Deployment types known to be affected include on-premises deployments; cloud-hosted variants (Cisco SD-WAN Cloud, Cloud-Pro, Managed) and government/FedRAMP deployments may also be in scope per Cisco's broader SD-WAN advisories — verify against Cisco's official advisory for exact affected versions and fixed software releases.

Unconfirmed / single-sourced claims. SecurityWeek characterises CVE-2026-20262 as a "zero-day" and Help Net Security notes the Cisco advisory states the vulnerability "was found during internal security testing", raising the question of how attackers came to exploit it before public disclosure. The exact exploitation mechanism observed in the wild, the threat actor, and any associated malware or infrastructure have not been disclosed in the available sources. No MITRE ATT&CK profile has been published for any actor exploiting this CVE; attribution is therefore unconfirmed.

4. Mitigation & containment

P1 — within 24 hours

  • Identify all instances. Enumerate every Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage) instance in the estate, including on-premises, cloud-hosted, and managed-service deployments. Confirm software version against Cisco's official advisory.
  • Restrict management-plane access. If a vendor patch is not yet deployable, restrict the SD-WAN Manager web UI/API to a bastion/jump host with MFA; block direct internet exposure at the perimeter firewall and any cloud security group. Disable the management web UI on instances that cannot be patched immediately if operationally feasible.
  • Credential audit. Force rotation of all SD-WAN Manager user accounts, especially lower-privileged and service accounts; review authentication logs for anomalous logons from the CISA KEV addition date (2026-06-15) forward, and extend the lookback to a reasonable window before that date.
  • Forensic triage. Capture volatile memory and filesystem images of any SD-WAN Manager instance with suspected exposure; preserve web server access logs, authentication logs, and any file-upload audit trails per CISA "Forensics Triage Requirements".

P2 — within 72 hours

  • Apply vendor fix. Install the Cisco-fixed software release per Cisco's security advisory. Verify the patched version is recorded in configuration management.
  • Integrity check. Compare critical filesystem paths (e.g., /etc/passwd, /etc/shadow, systemd unit drop-ins, cron/spool paths, sudoers) against known-good baselines; investigate any unexpected files or modifications.
  • Hunt. Search for indicators of unauthorised file creation in /tmp, /var/tmp, web root, and SD-WAN Manager application directories; review for new systemd units, init scripts, or cron jobs.
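
The integrity check and hunt above, as an added example (not part of the original note, and not a Cisco tool): hash a set of watched paths, diff them against a saved known-good baseline, and separately list files whose modification time falls after a reference point, here the KEV addition date. The watched tree, its contents and the baseline file are constructed in a temp directory for the demo; on a real host the watched list would be the paths named above (/etc/passwd, /etc/shadow, sudoers, cron and systemd locations, /tmp, the application directories).

```python
# Added example (not from the note): baseline diff and recent-change hunt for
# watched filesystem paths. The directory tree here is constructed for the demo.
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Reference point for the "changed recently" hunt: the CISA KEV addition date.
KEV_ADDED = datetime(2026, 6, 15, tzinfo=timezone.utc).timestamp()


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _files_under(root: Path, rel: str):
    p = root / rel
    if p.is_file():
        yield p
    elif p.is_dir():
        yield from (f for f in p.rglob("*") if f.is_file())


def snapshot(root: Path, watched: list) -> dict:
    """Map each regular file under the watched paths (relative to root) to its SHA-256."""
    return {str(f.relative_to(root)): sha256_file(f)
            for rel in watched for f in _files_under(root, rel)}


def diff_baseline(baseline: dict, current: dict) -> dict:
    return {
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
        "modified": sorted(k for k in current if k in baseline and current[k] != baseline[k]),
    }


def modified_since(root: Path, watched: list, epoch: float) -> list:
    """Files under the watched paths whose mtime is later than `epoch`."""
    return sorted(str(f.relative_to(root))
                  for rel in watched for f in _files_under(root, rel)
                  if f.stat().st_mtime > epoch)


def run_demo() -> dict:
    root = Path(tempfile.mkdtemp(prefix="integrity_demo_"))
    watched = ["etc/passwd", "etc/cron.d", "tmp"]
    # Constructed known-good state, timestamped a day before the reference date.
    known_good = {
        "etc/passwd": "root:x:0:0:root:/root:/bin/bash\n",
        "etc/cron.d/backup": "0 2 * * * root /usr/local/bin/backup\n",
    }
    for rel, body in known_good.items():
        f = root / rel
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_text(body)
        os.utime(f, (KEV_ADDED - 86400, KEV_ADDED - 86400))
    (root / "tmp").mkdir()
    baseline_file = root / "baseline.json"          # in production: stored off-host
    baseline_file.write_text(json.dumps(snapshot(root, watched)))

    # Constructed post-incident state: one watched file changed, one new file in /tmp.
    (root / "etc/passwd").write_text(known_good["etc/passwd"] + "svc:x:1001:1001::/home/svc:/bin/sh\n")
    (root / "tmp/dropped.sh").write_text("#!/bin/sh\n")
    for rel in ("etc/passwd", "tmp/dropped.sh"):
        os.utime(root / rel, (KEV_ADDED + 60, KEV_ADDED + 60))

    baseline = json.loads(baseline_file.read_text())
    return {"diff": diff_baseline(baseline, snapshot(root, watched)),
            "recent": modified_since(root, watched, KEV_ADDED)}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Two caveats a practitioner should carry over: the baseline must come from a trusted store (a hash file that lives on the same host can be rewritten along with the files it covers), and mtime-based hunting only finds what the intruder did not bother to timestomp, so the hash diff is the authoritative signal and the recent-change list is a triage aid.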

P3 — within 7 days

  • Configuration hardening. Enforce BOD 26-04 guidance: disable unused API endpoints, enforce strong authentication (preferably MFA), apply principle of least privilege to SD-WAN Manager user roles, and enable detailed audit logging.
  • Validate controls. Confirm management-plane segmentation, confirm egress filtering on the SD-WAN Manager host, and confirm backup integrity.
  • Third-party / managed-service coordination. Where Cisco SD-WAN is delivered by a managed service provider, obtain written confirmation, with supporting evidence, that the provider has applied the patch.

5. Indicators of compromise

No indicators of compromise are available in the source material. The sources do not disclose specific IP addresses, domains, file hashes, filenames, or malware artefacts associated with exploitation of CVE-2026-20262.

6. Detection

```yaml
title: Cisco SD-WAN Manager File Upload Path Traversal Attempt
id: AT-2026-06-16-112-1
status: experimental
description: |
  Detects HTTP requests to Cisco Catalyst SD-WAN Manager (vManage) web UI/API
  endpoints containing path traversal sequences in file upload parameters,
  consistent with exploitation of CVE-2026-20262.
author: Adverse Trace
date: 2026-06-16
references:
  - https://nvd.nist.gov/vuln/detail/CVE-2026-20262
logsource:
  product: webserver
  category: access
detection:
  selection_uri:
    cs-uri-stem|contains:
      - "/dataservice/"
      - "/vmanage/"
      - "/sdwan/"
  # Traversal may sit in the query string or in the request body; either is enough,
  # so the two are separate selections joined with "1 of" (keys in one map would be ANDed).
  selection_traversal_query:
    cs-uri-query|contains:
      - "../"
      - "..%2f"
      - "..%5c"
      - "%2e%2e/"
      - "%2e%2e%2f"
  selection_traversal_body:
    request_body|contains:
      - "../"
      - "..%2f"
      - "..%5c"
      - "%2e%2e/"
      - "%2e%2e%2f"
  condition: selection_uri and 1 of selection_traversal_*
fields:
  - cs-uri-stem
  - cs-uri-query
  - c-ip
  - c-useragent
falsepositives:
  - Legitimate penetration tests or vulnerability scans against SD-WAN Manager
level: high
```

```yara
rule AT_CVE_2026_20262_SDWAN_Manager_File_Upload_Traversal
{
    meta:
        author = "Adverse Trace"
        date = "2026-06-16"
        description = "Detects HTTP requests or payloads targeting Cisco Catalyst SD-WAN Manager file upload endpoints with path traversal sequences consistent with CVE-2026-20262"
        reference = "https://nvd.nist.gov/vuln/detail/CVE-2026-20262"
        cve = "CVE-2026-20262"
    strings:
        $endpoint1 = "/dataservice/" ascii nocase
        $endpoint2 = "/vmanage/" ascii nocase
        $endpoint3 = "/sdwan/" ascii nocase
        $traverse1 = "../" ascii
        $traverse2 = "..%2f" ascii nocase
        $traverse3 = "..%5c" ascii nocase
        $traverse4 = "%2e%2e/" ascii nocase
        $traverse5 = "%2e%2e%2f" ascii nocase
        $product1 = "Cisco Catalyst SD-WAN Manager" ascii nocase
        $product2 = "SD-WAN vManage" ascii nocase
    condition:
        ($endpoint1 or $endpoint2 or $endpoint3 or $product1 or $product2) and any of ($traverse1, $traverse2, $traverse3, $traverse4, $traverse5)
}
```
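
The Sigma logic above applied to constructed access-log lines, as an added example that is not part of the original note. It runs the rule as written (endpoint prefix in the path and a literal traversal string in the query) and, alongside it, the same check after fully percent-decoding the URI, which is the one addition a SIEM content engineer would want: the rule's literal list catches single-encoded `%2e%2e%2f` but not double-encoded `%252e%252e%252f`, which a decoding stage sees as `../`. The log format, client IPs (RFC 5737 documentation ranges), user agents and the path `/dataservice/example/upload` are all constructed for the demo; the endpoint is hypothetical and is not the affected API.

```python
# Added example (not from the note): the Sigma rule's matching logic over
# constructed access-log lines, with and without percent-decoding.
import shlex
from urllib.parse import unquote

# Monitored path prefixes and literal traversal strings, as listed in the Sigma rule.
ENDPOINT_PREFIXES = ("/dataservice/", "/vmanage/", "/sdwan/")
TRAVERSAL_LITERALS = ("../", "..%2f", "..%5c", "%2e%2e/", "%2e%2e%2f")

# Constructed W3C-style lines: c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
# "/dataservice/example/upload" is a hypothetical path used only for this demo.
SAMPLE_LOG = """\
198.51.100.7 POST /dataservice/example/upload "file=report.pdf" 200 "Mozilla/5.0"
198.51.100.7 POST /dataservice/example/upload "file=../../../../tmp/x" 200 "curl/8.0"
203.0.113.9 POST /dataservice/example/upload "file=%252e%252e%252f%252e%252e%252ftmp%252fx" 200 "python-requests/2.31"
192.0.2.44 GET /vmanage/static/app.js "" 200 "Mozilla/5.0"
192.0.2.44 GET /docs/readme "path=../index" 404 "Mozilla/5.0"
"""


def parse_line(line: str) -> dict:
    ip, method, stem, query, status, agent = shlex.split(line)
    return {"c-ip": ip, "cs-method": method, "cs-uri-stem": stem,
            "cs-uri-query": query, "sc-status": int(status), "c-useragent": agent}


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable, so double-encoded sequences are normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def literal_match(event: dict) -> bool:
    """The rule as written: monitored prefix in the path AND a literal traversal string in the query."""
    in_scope = any(p in event["cs-uri-stem"].lower() for p in ENDPOINT_PREFIXES)
    traversal = any(t in event["cs-uri-query"].lower() for t in TRAVERSAL_LITERALS)
    return in_scope and traversal


def decoded_match(event: dict) -> bool:
    """Same logic after full decoding of stem and query, with backslashes normalised to '/'."""
    stem = decode_fully(event["cs-uri-stem"]).lower()
    query = decode_fully(event["cs-uri-query"]).replace("\\", "/").lower()
    return any(p in stem for p in ENDPOINT_PREFIXES) and "../" in query


def analyse(log_text: str) -> list:
    """Return the events that alert, tagged with which stage matched them."""
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        event = parse_line(raw)
        lit, dec = literal_match(event), decoded_match(event)
        if lit or dec:
            event["matched_by"] = "literal" if lit else "decoded-only"
            alerts.append(event)
    return alerts


if __name__ == "__main__":
    for a in analyse(SAMPLE_LOG):
        print(f'{a["c-ip"]:15} {a["cs-method"]} {a["cs-uri-stem"]} matched_by={a["matched_by"]}')
```

Of the five constructed lines only two alert: the plain `../` request (caught by the rule's literal strings) and the double-encoded one (caught only after decoding). The traversal attempt against `/docs/readme` does not alert because the path is outside the monitored prefixes, which is the intended scoping of the rule. Whether the SIEM decodes URIs at ingest determines whether the literal list alone is enough.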

CVE assessment

1 referenced CVE — 1 actively exploited (CISA KEV)

  • CVE-2026-20262
    CVSS: 6.5 Medium
    Exploited: ⚠ KEV 2026-06-15
    EPSS: not given in the source table
    Summary: A vulnerability in the web UI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an authenticated, remote a…

7. Sources

  • NVD — CVE-2026-20262 detail — https://nvd.nist.gov/vuln/detail/CVE-2026-20262 (published 2026-06-14)
  • CISA — Known Exploited Vulnerabilities Catalog entry for CVE-2026-20262 — https://nvd.nist.gov/vuln/detail/CVE-2026-20262 (added 2026-06-15)
  • Help Net Security — "Cisco discloses second exploited SD-WAN vulnerability in two weeks (CVE-2026-20262)" — https://www.helpnetsecurity.com/2026/06/16/cisco-sd-wan-cve-2026-20262-exploited/ (2026-06-16)
  • SecurityWeek — "Cisco Patches Another SD-WAN Zero-Day Exploited in Attacks" — https://www.securityweek.com/cisco-patches-another-sd-wan-zero-day-exploited-in-attacks/ (2026-06)
  • ANSSI France CERT — "Vulnérabilité dans Cisco Catalyst SD-WAN" — https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0699/ (2026-06-05)
  • The Hacker News — "Cisco Catalyst SD-WAN Manager CVE-2026-20245 Flaw Actively Exploited – No Patch Available" — https://thehackernews.com/2026/06/cisco-catalyst-sd-wan-manager-cve-2026.html (2026-06)

8. Adverse Trace position

Severity assessment: MEDIUM (CVSS 6.5) per authoritative scoring, but elevated operational priority due to confirmed active exploitation, CISA KEV listing, and the management-plane blast radius — a single root on SD-WAN Manager compromises the entire SD-WAN fabric. Client impact: any EMEA financial services firm running Catalyst SD-WAN Manager must treat this as a P1 patch with a hard deadline of 2026-06-29; internet-exposed or under-segmented management planes are the highest-risk subset. Next steps: Adverse Trace will (1) monitor Cisco's official advisory for fixed-software version details and update this note accordingly, (2) track threat-actor attribution as it emerges, and (3) assist clients with forensic triage, credential rotation, and patch validation on request.



Published via PulseTrace — Adverse Trace threat intelligence.
