VYPR
Vypr IntelligenceAI-generatedJun 17, 2026· 6 CVEs

Cisco: Six CVEs Across Four Products, Including Actively Exploited SD-WAN Zero-Day

Cisco disclosed six vulnerabilities across four product families, including an actively exploited SD-WAN zero-day and a critical ISE RCE bug.

Key findings

  • CVE-2026-20262 in Catalyst SD-WAN Manager is actively exploited and added to CISA KEV
  • CVE-2026-20181 in Cisco ISE is a critical RCE with CVSS 9.1, requiring admin credentials
  • CVE-2026-20190 allows unauthenticated information disclosure in Cisco ISE
  • CVE-2026-20220 enables authenticated RCE in Crosswork Network Controller
  • CVE-2026-20246 allows local privilege escalation in Umbrella Virtual Appliance
  • CVE-2026-20178 is an open redirect in browser-based Cisco Webex App

On June 15–17, 2026, Cisco disclosed six vulnerabilities spanning four product families, headlined by an actively exploited zero-day in Catalyst SD-WAN Manager and a critical-severity remote code execution bug in Identity Services Engine (ISE). The batch, published across two days, includes bugs ranging from privilege escalation to information disclosure, with one flaw already added to CISA's Known Exploited Vulnerabilities (KEV) catalog.

Actively Exploited: Catalyst SD-WAN Manager File Write Flaw

The most urgent vulnerability in the batch is CVE-2026-20262 (CVSS 6.5, Medium), an arbitrary file write flaw in the web UI of Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage). Cisco's Product Security Incident Response Team (PSIRT) confirmed active exploitation in the wild, and CISA added the bug to its KEV catalog on June 15, 2026, mandating federal remediation BleepingComputer. The vulnerability stems from improper validation of user-supplied input during file uploads. An authenticated attacker with write access can send crafted HTTP requests to an API endpoint to create or overwrite any file on the underlying operating system, which can then be used to escalate privileges to root. Cisco noted the flaw was discovered internally, raising questions about how attackers learned of it before public disclosure Help Net Security. All deployment types are affected, including on-prem, Cloud-Pro, Cloud (Cisco Managed), and FedRAMP instances. Patches are available in the latest Cisco SD-WAN Manager releases.

Critical RCE in Cisco Identity Services Engine

Two vulnerabilities were disclosed in Cisco ISE and ISE Passive Identity Connector (ISE-PIC) under advisory cisco-sa-ise-multi-G5WP8vv. CVE-2026-20181 (CVSS 9.1, Critical) is a remote code execution bug caused by improper validation of user-supplied input. An authenticated attacker with administrative credentials can send a crafted HTTP request to execute arbitrary commands on the underlying operating system and potentially escalate to root SecurityWeek. The second ISE flaw, CVE-2026-20190, is an information disclosure vulnerability that allows an unauthenticated, remote attacker to view sensitive information due to improper authorization checks when a resource is accessed. Both bugs affect all ISE and ISE-PIC deployments regardless of configuration. Cisco has released software updates to address these issues.

Crosswork Network Controller RCE and Umbrella Privilege Escalation

CVE-2026-20220 affects Cisco Crosswork Network Controller's web-based management interface. The vulnerability, due to insufficient input validation in the configuration template engine, allows an authenticated, remote attacker to execute arbitrary commands on the affected device. Meanwhile, CVE-2026-20246 in Cisco Umbrella Virtual Appliance enables an authenticated local attacker with vmadmin CLI privileges to elevate privileges because of insufficient validation of user-supplied commands. Both bugs were patched in the respective product updates released on June 17, 2026.

Webex Open Redirect

The batch also includes CVE-2026-20178, an open redirect vulnerability in the browser-based version of Cisco Webex App. An unauthenticated, remote attacker could exploit improper input validation to redirect users to a malicious webpage. Cisco stated that the issue has been addressed and no customer action is needed.

Response and Patch Status

Cisco released security advisories and software updates for all six vulnerabilities on June 15–17, 2026. For CVE-2026-20262, the company urged customers to upgrade to the latest Catalyst SD-WAN Manager release immediately, given active exploitation. The ISE flaws were fixed in the latest ISE and ISE-PIC software versions. No workarounds were provided for the Crosswork, Umbrella, or Webex bugs beyond applying the available patches.

Why This Batch Matters

This disclosure event underscores the breadth of Cisco's attack surface — from enterprise SD-WAN management planes to network controllers and collaboration tools. The active exploitation of CVE-2026-20262 and the critical severity of CVE-2026-20181 make these patches a priority for any organization running Cisco infrastructure. With CISA's KEV listing triggering binding remediation deadlines for federal agencies, and attackers already weaponizing the SD-WAN flaw, administrators should treat this batch as an urgent call to update.

AI-written article. Grounded in 6 CVE records listed below.