Overview
- Cisco released security updates on Monday to fix CVE-2026-20262 in Catalyst SD‑WAN Manager after detecting limited exploitation of the flaw.
- The bug is an input‑validation error in the web UI that lets an authenticated user with write access upload or overwrite files on the device, which attackers can later use to escalate to root.
- Cisco published indicators of compromise and told admins to audit vmanage-server, vmanage-appserver and serviceproxy-access logs for attempted index.jsp and .war uploads.
- CISA added CVE-2026-20262 to its Known Exploited Vulnerabilities catalog and directed federal agencies to fix or mitigate the flaw by June 29.
- This is the eighth Cisco SD‑WAN vulnerability seen exploited in 2026. Operators are warned that patching alone may not remove active intruders, so forensic cleanup and TAC‑guided remediation are recommended.
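
The log audit described in the list above, as a triage script (an added example, not Cisco's tooling and not part of the original summary). It takes a directory of collected logs, selects files whose names start with the three log families, including rotated and gzipped copies, and flags lines that mention index.jsp or a .war file. The sample lines and their key=value layout are constructed and do not reflect the real log format.

```python
import gzip
import re
import sys
from pathlib import Path

# Log families named in the summary; rotated or gzipped copies such as
# "vmanage-server.log.1.gz" are selected by filename prefix.
LOG_STEMS = ("vmanage-server", "vmanage-appserver", "serviceproxy-access")

# index.jsp or any token ending in .war, with an optional path in front.
# The trailing \b keeps ".warn" and ".warning" from matching.
ARTIFACT = re.compile(r"[\w./%-]*(?:index\.jsp|\.war)\b", re.IGNORECASE)

def is_target_log(path):
    return Path(path).name.startswith(LOG_STEMS)

def scan_lines(lines, source="<sample>"):
    """Return (source, line_no, artifact, line) for every flagged token."""
    hits = []
    for no, line in enumerate(lines, 1):
        for m in ARTIFACT.finditer(line):
            hits.append((source, no, m.group(0).lower(), line.rstrip()))
    return hits

def scan_file(path):
    opener = gzip.open if str(path).endswith(".gz") else open
    with opener(path, "rt", errors="replace") as fh:
        return scan_lines(fh, str(path))

def scan_tree(root):
    hits = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and is_target_log(p):
            hits.extend(scan_file(p))
    return hits

# Constructed sample lines (assumed layout, not the real Cisco log format).
SAMPLE = [
    "user=admin action=upload file=report.csv status=200",
    "user=netops action=upload file=index.jsp status=200",
    "user=netops action=upload file=Patch.WAR status=201",
    "level=WARN msg=forward.warning threshold reached",
]

if __name__ == "__main__":
    # With a directory argument, scan collected logs; otherwise run the sample.
    found = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_lines(SAMPLE)
    for src, no, artifact, line in found:
        print(f"{src}:{no}: [{artifact}] {line}")
```

A hit only marks a line for review; whether an upload was legitimate still has to be judged against Cisco's published indicators and the account that performed it.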