CISA Adds Cisco SD-WAN and LiteSpeed cPanel Flaws to KEV Catalog
CISA has added CVE-2026-20262 (Cisco Catalyst SD-WAN Manager path traversal) and CVE-2026-54420 (LiteSpeed cPanel symlink following) to its Known Exploited Vulnerabilities catalog, citing active exploitation.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has expanded its Known Exploited Vulnerabilities (KEV) Catalog with two new entries: CVE-2026-20262 affecting Cisco Catalyst SD-WAN Manager and CVE-2026-54420 impacting the LiteSpeed cPanel plugin. Both vulnerabilities carry evidence of active exploitation, prompting CISA to mandate remediation for federal agencies under Binding Operational Directive (BOD) 26-04.
CVE-2026-20262 is a directory or path traversal vulnerability in Cisco Catalyst SD-WAN Manager, a component widely deployed for managing software-defined wide area networks. Successful exploitation could allow an unauthenticated attacker to read arbitrary files or execute commands on the underlying system. Cisco has released security updates to address the flaw, and organizations are urged to apply patches immediately.
CVE-2026-54420 is a UNIX symbolic link (symlink) following vulnerability in the LiteSpeed cPanel plugin, a popular tool for web hosting environments. The flaw enables an attacker with limited access to create a symlink that points to sensitive files, potentially leading to privilege escalation or unauthorized data access. LiteSpeed has provided a patched version of the plugin, and hosting providers are advised to update their installations without delay.
CISA's addition of these vulnerabilities to the KEV catalog aligns with BOD 26-04, which replaced the earlier BOD 22-01. The updated directive requires Federal Civilian Executive Branch (FCEB) agencies to prioritize remediation of KEV-listed CVEs on publicly exposed assets where exploitation would give an attacker total control. Agencies must also check for signs of compromise before applying patches, so that any prior intrusion is detected and addressed rather than masked by the fix.
While BOD 26-04 applies only to FCEB agencies, CISA strongly encourages all organizations—including private sector entities—to adopt risk-based vulnerability management practices. The agency continues to accept nominations for new KEV entries via its online form, provided the submission includes a valid CVE ID, evidence of exploitation, and clear mitigation guidance.
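One way a defender might operationalize the BOD 26-04 prioritization described above (in-scope items first, hunt for compromise before patching), as an added example that is not part of this report or of CISA's own tooling. The KEV field names follow CISA's public JSON feed; the feed records, due dates and asset inventory are constructed for the example.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed. Field names follow the
# public feed; the records and due dates are made up here, not the catalog's own.
KEV_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2026-20262", "vendorProject": "Cisco",
     "product": "Catalyst SD-WAN Manager", "dueDate": "2026-07-08"},
    {"cveID": "CVE-2026-54420", "vendorProject": "LiteSpeed",
     "product": "cPanel plugin", "dueDate": "2026-07-08"},
]})

# Constructed asset inventory, as a scanner export might look: CVEs seen on each
# asset, whether it is internet-reachable, and whether the flaw yields full control.
INVENTORY = [
    {"asset": "sdwan-mgr-01", "cves": ["CVE-2026-20262"], "exposed": True, "full_control": True},
    {"asset": "sdwan-mgr-lab", "cves": ["CVE-2026-20262"], "exposed": False, "full_control": True},
    {"asset": "web-host-07", "cves": ["CVE-2026-54420", "CVE-2026-00001"], "exposed": True, "full_control": True},
    {"asset": "intranet-wiki", "cves": ["CVE-2026-00001"], "exposed": True, "full_control": False},
]

def load_kev(feed_json):
    """Index the KEV feed by CVE ID so each inventory lookup is a dict hit."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}

def triage(inventory, kev, as_of):
    """Match inventory CVEs against KEV; BOD 26-04 in-scope items (internet-exposed
    asset, flaw grants total control) come first, then by earliest due date."""
    today = date.fromisoformat(as_of)
    findings = []
    for host in inventory:
        for cve in host["cves"]:
            entry = kev.get(cve)
            if entry is None:
                continue  # not known-exploited: leave to the routine patch cycle
            due = date.fromisoformat(entry["dueDate"])
            findings.append({
                "asset": host["asset"], "cve": cve,
                "in_scope": host["exposed"] and host["full_control"],
                "days_left": (due - today).days,
            })
    findings.sort(key=lambda f: (not f["in_scope"], f["days_left"], f["asset"]))
    return findings

if __name__ == "__main__":
    for f in triage(INVENTORY, load_kev(KEV_FEED), "2026-07-01"):
        tag = "IN-SCOPE" if f["in_scope"] else "other   "
        print(f"{tag} {f['asset']:14} {f['cve']}  due in {f['days_left']} days  hunt first, then patch")
```

Each KEV hit is printed with the "hunt first" reminder because the directive asks for a compromise check before the patch goes on; the lab asset sorts last because it is not publicly exposed.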
The inclusion of these two flaws underscores the persistent threat posed by known vulnerabilities that remain unpatched. Attackers frequently target such weaknesses to gain initial access or escalate privileges, often within hours of public disclosure. Organizations that fail to prioritize remediation of KEV-listed CVEs risk falling victim to ransomware, data theft, or network compromise.
CISA's KEV catalog now contains hundreds of entries, serving as a critical resource for defenders seeking to focus their patching efforts on the most dangerous vulnerabilities. The addition of CVE-2026-20262 and CVE-2026-54420 reinforces the importance of timely updates and proactive monitoring in an increasingly hostile threat landscape.
The Register reports that Cisco shipped patches for CVE-2026-20262 on the same day CISA added it to the KEV catalog, with the vendor confirming limited exploitation was already underway in June 2026. The medium-severity file-upload flaw (CVSS 6.8) requires only lower-privileged credentials, enabling attackers to overwrite arbitrary files and escalate to root privileges across all SD-WAN Manager deployment types. This is the eighth Cisco SD-WAN bug added to CISA's KEV catalog this year, arriving less than two weeks after a separate SD-WAN zero-day (CVE-2026-20245) was also exploited in the wild.