Cisco Patches Eighth SD-WAN Zero-Day of 2026 as CISA Adds CVE-2026-20262 to KEV
Cisco has patched CVE-2026-20262, a medium-severity arbitrary file write flaw in Catalyst SD-WAN Manager exploited in limited, targeted attacks; CISA added it to the KEV catalog.

Cisco on Monday disclosed and patched CVE-2026-20262, a zero-day vulnerability in its Catalyst SD-WAN Manager that has been exploited in active attacks. It is the eighth SD-WAN zero-day the networking giant has confirmed as exploited in 2026. The flaw allows an authenticated attacker with at least write access to send specially crafted HTTP requests to an affected API endpoint and create or overwrite arbitrary files on the underlying operating system, a capability that could later be leveraged to escalate privileges to root. Cisco discovered the vulnerability internally and became aware of exploitation in June 2026.
The vulnerability is classified as medium severity, but its exploitation in the wild — even if limited — prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add CVE-2026-20262 to its Known Exploited Vulnerabilities (KEV) catalog on Monday, June 16. CISA ordered federal agencies to remediate the flaw by June 29, 2026. CISA’s inclusion of the bug underscores the risk it poses to enterprise SD-WAN deployments, which are critical for connecting branch offices and remote sites.
Cisco did not provide details on whether the zero-day was chained with other vulnerabilities or if attackers relied on compromised credentials to gain the necessary write access. The company described the exploitation as “limited,” suggesting a highly targeted operation likely conducted by a sophisticated, possibly state-sponsored threat actor. No public evidence of mass exploitation has surfaced, and the attacker’s identity remains unknown.
The new vulnerability is the eighth Cisco SD-WAN zero-day detected in active attacks this year. Previous flaws include CVE-2026-20182, CVE-2026-20127, CVE-2026-20128, CVE-2026-20122, CVE-2026-20133, CVE-2022-20775, and CVE-2026-20245. The most recent prior zero-day, CVE-2026-20245, was disclosed on June 4 and patched nearly a week later. The repeated exploitation of SD-WAN products highlights attackers’ persistent interest in networking gear that serves as a gateway to enterprise networks.
Cisco urged all customers to apply the available security update immediately. No workarounds have been provided. Organizations using Catalyst SD-WAN Manager should prioritize patching, especially those in sectors like government, telecommunications, and critical infrastructure. The addition of CVE-2026-20262 to the KEV catalog also means that federal agencies are under a strict timeline to patch, while private sector entities are strongly advised to follow suit to mitigate the risk of compromise.
This incident is part of a broader trend of zero-day exploitation in network management platforms. Earlier in June, Ivanti Sentry saw a max-severity flaw exploited within 24 hours of disclosure, and Check Point VPN was targeted in Qilin ransomware attacks. The convergence of enterprise reliance on SD-WAN and sophisticated threat actor interest makes the patching of these vulnerabilities a critical priority for defenders.
Cisco has now released patched versions for all affected Catalyst SD-WAN Manager releases, including 20.9.9.2, 20.12.7.2, 20.15.4.5, 20.15.5.3, 20.18.3.1, and 26.1.1.2. The company also shared specific indicators of compromise, such as suspicious WAR file uploads to the vManage server, and warned that follow-on activities may include deploying malicious code and interacting with it, though this activity may not consistently appear in logs.
The Help Net Security report adds that Cisco's Product Security Incident Response Team observed exploitation of CVE-2026-20262 before public disclosure, despite the flaw being initially found during internal security testing. The report details that attackers used path traversal to drop a malicious .war file, which was then deployed as a Java web application via vManage's WildFly server, with subsequent command-and-control via POST requests. It also notes that the fixed software releases for CVE-2026-20262 are identical to those for CVE-2026-20245, raising questions about whether the patches were developed concurrently.
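Because the follow-on activity may not appear in logs, the dropped .war files can also be hunted on disk. The following is an added example, not Cisco's tooling or code from the reports cited above: it walks a directory tree, hashes every .war archive and reports any that are absent from, or differ from, a baseline recorded on a known-good install. The function names, the baseline format and the directory argument are assumptions; the page gives no file paths.

```python
"""Added example: audit WAR archives on disk against a known-good baseline."""
import hashlib
import os
import zipfile
from datetime import datetime, timezone

def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def audit_wars(root, baseline):
    """Walk `root` and compare every .war file against `baseline`.

    `baseline` (assumed format) maps archive file name -> expected SHA-256,
    recorded from a trusted install. Returns one finding per unknown or
    modified archive; archives matching the baseline are not reported.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".war"):
                continue
            path = os.path.join(dirpath, name)
            digest = sha256_file(path)
            expected = baseline.get(name)
            if expected == digest:
                continue
            status = "unknown" if expected is None else "modified"
            # A WAR is a ZIP archive: list server-side script entries for triage.
            try:
                with zipfile.ZipFile(path) as zf:
                    scripts = sorted(n for n in zf.namelist()
                                     if n.lower().endswith((".jsp", ".jspx")))
            except zipfile.BadZipFile:
                scripts = None  # not a valid archive, but still worth reporting
            mtime = datetime.fromtimestamp(os.path.getmtime(path), timezone.utc)
            findings.append({"path": path, "status": status, "sha256": digest,
                             "modified_utc": mtime.isoformat(), "jsp_entries": scripts})
    return findings

if __name__ == "__main__":
    import json, sys
    # Usage: audit_wars.py <directory> <baseline.json>
    with open(sys.argv[2]) as fh:
        print(json.dumps(audit_wars(sys.argv[1], json.load(fh)), indent=2))
```

Modification times can be altered by an attacker, so treat `modified_utc` as a triage hint and the hash mismatch as the finding.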