⚡ Active KEV CVE-2026-20262 2026-06-15

CVE-2026-20262: Cisco Catalyst SD-WAN Manager Path Traversal Flaw Added to CISA KEV

Cisco's Catalyst SD-WAN Manager contains a path traversal vulnerability that lets an authenticated, low-privileged attacker write or overwrite arbitrary files on the system; a foothold that can be escalated to root.

What Is It

CVE-2026-20262 is a directory/path traversal vulnerability (CWE-22) in the web UI of Cisco Catalyst SD-WAN Manager, formerly known as SD-WAN vManage. The flaw exists because the software does not properly validate user-supplied input during a file upload process. An attacker can exploit it by sending a crafted HTTP request to an affected API endpoint, allowing them to create or overwrite any file on the underlying operating system. Cisco notes that such a file could later be used to elevate privileges to root.
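The bug class described above, shown as an added example that is not Cisco's code: an upload handler that joins a client-supplied name onto its upload directory unchecked, next to a hardened resolver that accepts only a single path component and verifies containment after symlink resolution. The function names and sample file names are hypothetical and constructed for illustration; this page does not publish the affected endpoint or its implementation.

```python
import os
import tempfile
from pathlib import Path

# Constructed sample names; none are taken from the advisory.
SAMPLE_NAMES = ["backup.tar", "../../outside.txt", "/tmp/outside.txt", "a/../../outside.txt"]


class UnsafeUploadPath(ValueError):
    """The client-supplied name would not land directly inside the upload root."""


def naive_destination(upload_root, client_name):
    # Vulnerable pattern (CWE-22): the name is joined unchecked, so "../"
    # segments or an absolute path choose where the file is written.
    return os.path.normpath(os.path.join(upload_root, client_name))


def safe_destination(upload_root, client_name):
    root = Path(upload_root).resolve(strict=True)
    # An upload name must be a single path component.
    if (not client_name or "\x00" in client_name or "/" in client_name
            or "\\" in client_name or client_name in (".", "..")):
        raise UnsafeUploadPath(client_name)
    # resolve() follows symlinks, so a link planted inside the root that
    # points elsewhere fails the containment check below.
    candidate = (root / client_name).resolve()
    if candidate.parent != root:
        raise UnsafeUploadPath(client_name)
    return candidate


def demo():
    """Return {name: (naive_escapes_root, hardened_verdict)} for SAMPLE_NAMES."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.realpath(os.path.join(tmp, "uploads"))
        os.mkdir(root)
        for name in SAMPLE_NAMES:
            naive = naive_destination(root, name)
            escapes = os.path.commonpath([root, naive]) != root
            try:
                safe_destination(root, name)
                verdict = "accepted"
            except UnsafeUploadPath:
                verdict = "rejected"
            results[name] = (escapes, verdict)
    return results
```

The hardened resolver is a generic CWE-22 control for reviewing your own upload handlers; it is not a substitute for the vendor's fixed release.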

Why It Matters

Although the CVSS 3.1 base score is 6.5 (MEDIUM), the practical impact is significant: an arbitrary file write on the underlying OS that Cisco itself flags as a path to root. CISA added the CVE to its Known Exploited Vulnerabilities catalog on 2026-06-15, the same day the CVE was published. The KEV listing signals that it warrants prioritized remediation, though known ransomware campaign use is currently listed as "Unknown."

What's Vulnerable

The affected product is Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage), specifically its web UI and an affected API endpoint. Exploitation requires valid credentials with at least a lower-privileged, single-task user account. The vector is network-based with low attack complexity and no user interaction (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N), yielding HIGH integrity impact with no confidentiality or availability impact.

Patch Status

CISA's required action is to apply mitigations per Cisco's instructions in compliance with BOD 26-04 ("Prioritizing Security Updates Based on Risk") and CISA's Forensics Triage Requirements. For cloud services, follow applicable BOD 26-04 guidance, or discontinue use of the product if mitigations are unavailable. Stakeholders must evaluate each asset's internet exposure. The remediation due date is 2026-06-29. Refer to the Cisco security advisory for fixed releases and detailed mitigation steps.
