CVE-2026-20262

Vulnerability

A vulnerability in the web UI of Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage) allows an authenticated, remote attacker to create or overwrite any file on the underlying operating system. The bug exists because the affected software does not properly validate user-supplied input during a file upload process [1]. This vulnerability affects all deployment types, including On-Prem, Cisco SD-WAN Cloud-Pro, Cisco SD-WAN Cloud (Cisco Managed), and Cisco SD-WAN for Government (FedRAMP), regardless of device configuration [1].

Exploitation

An attacker must have valid credentials with at least a lower-privileged, single-task user account. The exploit involves sending a crafted HTTP request to an affected API endpoint of the system [1]. No additional user interaction or network access beyond remote connectivity is required.

Impact

A successful exploit enables the attacker to create or overwrite any file on the underlying operating system. This file can later be used to elevate privileges to root, resulting in full system compromise [1]. The CVSS v3 base score is 6.5 (Medium), reflecting the requirement for authentication.

Mitigation

Cisco has released software updates that address this vulnerability. There are no workarounds. Customers are advised to upgrade to the fixed software indicated in the Cisco Security Advisory [1]. The vulnerability is not listed on the Known Exploited Vulnerabilities (KEV) catalog at the time of publication.