CISA Known Exploited Vulnerability
CVE-2026-20262 has been added to the CISA Known Exploited Vulnerabilities (KEV) Catalog.
Date Added: June 15, 2026 | Due Date: June 29, 2026
Federal agencies and organisations following CISA Binding Operational Directive (BOD) 22-01 must remediate this vulnerability by the due date. This vulnerability is being actively exploited in the wild.
CVE-2026-20262 is a high-severity path traversal vulnerability in Cisco Catalyst SD-WAN Manager (formerly Cisco SD-WAN vManage). Classified under CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’), this vulnerability allows an authenticated remote attacker to create or overwrite arbitrary files on the underlying operating system of affected Cisco SD-WAN Manager appliances. On June 15, 2026, CISA added CVE-2026-20262 to its Known Exploited Vulnerabilities (KEV) Catalog, confirming active exploitation in the wild. Federal agencies must remediate by June 29, 2026 under BOD 22-01.
This is the second Cisco SD-WAN vulnerability added to the CISA KEV catalog this month, underscoring a heightened threat focus on Cisco’s SD-WAN management infrastructure. The vulnerability was exploited as a zero-day before a patch was available, and active exploitation is ongoing. Organisations running Cisco Catalyst SD-WAN Manager should treat this as an emergency and apply the available patch immediately.
What Is the Vulnerability
CVE-2026-20262 is a path traversal vulnerability (CWE-22) in the web-based management interface of Cisco Catalyst SD-WAN Manager. The vulnerability arises from insufficient validation of user-supplied file paths in certain API endpoints or file operations within the management console. An attacker with valid credentials to the SD-WAN Manager can manipulate file path parameters to escape the intended directory scope and write files to arbitrary locations on the underlying filesystem.
Path traversal attacks exploit the application’s failure to properly sanitise sequences such as ../ (parent directory references) in file path inputs. In the case of CVE-2026-20262, because the vulnerable component handles file creation and overwrite operations, the attacker is not merely reading files they should not have access to — they are creating new files or overwriting existing ones anywhere on the filesystem that the SD-WAN Manager process has write permissions to.
The implications of arbitrary file write on a Cisco SD-WAN Manager appliance are severe:
- Configuration tampering. The attacker can overwrite SD-WAN configuration files, altering routing policies, VPN topologies, firewall rules, and traffic engineering parameters across the entire SD-WAN fabric managed by the compromised appliance.
- Credential harvesting. By overwriting authentication-related files or injecting backdoor configuration, the attacker can establish persistent privileged access, capture credentials from other administrators, or disable authentication requirements entirely.
- Remote code execution escalation. Arbitrary file write primitives on Linux-based appliances frequently escalate to full remote code execution. The attacker can overwrite system binaries, cron jobs, systemd service files, SSH `authorized_keys` files, or web application code to execute arbitrary commands with the privileges of the SD-WAN Manager process or higher.
- Persistence. Files written outside the application’s managed directories survive upgrades and reboots, providing the attacker with a long-term foothold on the management appliance.
- Lateral movement. Cisco SD-WAN Manager sits at the centre of the SD-WAN fabric, with authenticated connections to every edge router (cEdge/vEdge) under its management. A compromised Manager can be used to push malicious configurations or firmware to connected edge devices, extending the compromise across the entire WAN infrastructure.
The attack requires authentication to the SD-WAN Manager web interface or API. However, the authentication requirement should not be treated as a meaningful barrier: credentials for SD-WAN Manager may be obtained through phishing, credential reuse, brute-force attacks against exposed management interfaces, or compromise of adjacent systems with access to the management network. Once an attacker holds credentials at whatever privilege level the vulnerable operation requires (consult the Cisco advisory for the exact level), the path traversal provides a straightforward path to full appliance compromise.
CISA KEV Designation
On June 15, 2026, CISA added CVE-2026-20262 to the Known Exploited Vulnerabilities (KEV) Catalog. The KEV catalog is maintained under Binding Operational Directive (BOD) 22-01, “Reducing the Significant Risk of Known Exploited Vulnerabilities,” which requires all U.S. federal civilian executive branch (FCEB) agencies to remediate catalogued vulnerabilities by a specified due date.
Key KEV details:
- Date Added to KEV: June 15, 2026
- Required Remediation Date: June 29, 2026
- Vulnerability Type: Path Traversal (CWE-22)
- Exploitation Status: Actively exploited in the wild
- Known Ransomware Use: Not confirmed at time of publication
While BOD 22-01 is legally binding only for U.S. federal agencies, CISA strongly recommends that all organisations — public and private sector alike — prioritise the remediation of KEV-listed vulnerabilities. The KEV designation means CISA has confirmed real-world exploitation, making this a patch-or-isolate situation for any organisation running affected Cisco SD-WAN Manager instances.
This is the second Cisco SD-WAN vulnerability added to the KEV catalog in June 2026, following a separate Cisco SD-WAN vulnerability added earlier in the month. The clustering of Cisco SD-WAN KEV entries suggests threat actors are actively targeting Cisco’s SD-WAN management plane, likely seeking to compromise the central orchestration layer that controls distributed edge networking infrastructure.
Versions Affected
Cisco has confirmed that the following versions of Cisco Catalyst SD-WAN Manager are affected by CVE-2026-20262:
- Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage) — affected versions as detailed in Cisco’s security advisory
- Both on-premises (ESXi, KVM, Hyper-V, bare metal) and cloud-hosted deployments running affected software versions are vulnerable
Administrators should consult the official Cisco Security Advisory for CVE-2026-20262 for the precise version matrix, as Cisco typically publishes affected and fixed versions across multiple release trains (e.g., 20.6.x, 20.9.x, 20.12.x). The SD-WAN Manager is the centralised network management, monitoring, and orchestration component of the Cisco SD-WAN solution, and it manages the configuration and software images for all edge devices (cEdge/vEdge routers) in the SD-WAN overlay.
Importantly, Cisco SD-WAN edge devices (cEdge/vEdge routers) are not directly affected by this vulnerability. The vulnerability resides in the SD-WAN Manager management plane. However, because a compromised Manager can be used to push malicious configurations to managed edge devices, the indirect risk to the entire SD-WAN fabric is significant.
Exploitation Status: Active Zero-Day Exploitation
CVE-2026-20262 is actively being exploited in the wild. CISA’s addition of this vulnerability to the KEV catalog confirms that threat actors are exploiting this path traversal vulnerability against real-world targets. The vulnerability was exploited as a zero-day — meaning attacks were observed in the wild before Cisco released a patch.
The active exploitation context elevates this from a theoretical risk to an operational emergency. Organisations running affected versions of Cisco SD-WAN Manager should assume compromise is possible if the appliance has been reachable from untrusted networks during the exposure window prior to patching.
Indicators of potential exploitation include:
- Unexpected files appearing in system directories on the SD-WAN Manager filesystem
- Modified configuration files with unexpected or unauthorised changes
- New or modified SSH keys in the `authorized_keys` files of system accounts
- Unexpected cron jobs, systemd timers, or startup scripts
- Anomalous outbound network connections from the SD-WAN Manager to unknown external hosts
- Unauthorised configuration changes pushed to managed edge devices
- New administrative user accounts or modified privilege levels in the SD-WAN Manager local user database
The fact that this is the second Cisco SD-WAN KEV entry this month strongly suggests a coordinated or sustained campaign targeting Cisco SD-WAN management infrastructure. Organisations should investigate across their entire SD-WAN estate, not just in response to this single CVE.
Fix
Cisco has released a software update that addresses CVE-2026-20262 by implementing proper input validation and path sanitisation in the affected file operation components of SD-WAN Manager. The fix restricts file operations to authorised directories and rejects path traversal sequences in user-supplied input.
Immediate remediation steps:
- Consult the Cisco Security Advisory. Check the official Cisco advisory for CVE-2026-20262 at Cisco Security Advisories for the complete fixed-version matrix across all supported release trains.
- Upgrade SD-WAN Manager. Apply the fixed software release to all affected SD-WAN Manager instances. This is the primary remediation and the only way to eliminate the vulnerability.
- Follow Cisco’s upgrade procedure. SD-WAN Manager upgrades must be performed following Cisco’s documented process to avoid disruption to the SD-WAN fabric, including backup of the database, snapshot of the VM or appliance, and validation of the upgrade in a lab or staging environment before production deployment.
- Verify the fix. After upgrading, confirm the new software version is running and, against a staging or lab instance rather than production, test that path traversal attempts against the affected file-operation endpoints are rejected.
There are no workarounds that fully mitigate this vulnerability. Cisco’s security advisory should be consulted for any interim mitigation guidance, but applying the software fix is the only definitive resolution. Reducing exposure by restricting network access to the SD-WAN Manager web interface is a compensating control, not a substitute for patching.
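The containment check the fix description above amounts to, as an added example in Python: this is not Cisco's code (SD-WAN Manager's file-operation component is not public) but a hypothetical upload handler with the CWE-22 flaw described in the "What Is the Vulnerability" section, placed beside a hardened version. The directory names, handler names and the inputs used in `demo()` are all constructed for the example. It also shows why rejecting the literal substring `..` is not enough: the web layer may decode `%2e%2e` before the check, and a symlink planted inside the permitted directory points outside it. Resolving both sides and then testing containment handles both.

```python
"""Arbitrary file write via path traversal (CWE-22): vulnerable handler beside
a hardened one. Added example, not Cisco code; the handler names, directory
layout and every path used in demo() are hypothetical."""
import os
import tempfile
from pathlib import Path


class PathTraversalError(ValueError):
    """Raised when a user-supplied path would leave the permitted directory."""


def vulnerable_write(upload_root: Path, user_path: str, data: bytes) -> Path:
    """Join and write with no containment check. A name such as
    '../../etc/cron.d/job' escapes upload_root and lands wherever the service
    account can write, which is the primitive the advisory describes."""
    target = upload_root / user_path
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(data)
    return target


def safe_join(upload_root: Path, user_path: str) -> Path:
    """Canonicalise the candidate path and require it to stay under the root.
    resolve() follows symlinks and collapses '..', so encoded traversal
    sequences (already decoded by the web layer) and planted symlinks are
    both caught by the single containment test that follows."""
    if "\x00" in user_path or os.path.isabs(user_path):
        raise PathTraversalError(f"absolute path or NUL byte rejected: {user_path!r}")
    root = upload_root.resolve(strict=True)
    candidate = (root / user_path).resolve(strict=False)
    # Path.is_relative_to() exists on Python 3.9+; the parents check is equivalent.
    if candidate != root and root not in candidate.parents:
        raise PathTraversalError(f"path escapes {root}: {user_path!r}")
    return candidate


def hardened_write(upload_root: Path, user_path: str, data: bytes) -> Path:
    """Same operation as vulnerable_write, gated by safe_join()."""
    target = safe_join(upload_root, user_path)
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(data)
    return target


def _rejected(fn, *args) -> bool:
    """True if fn(*args) raises PathTraversalError."""
    try:
        fn(*args)
    except PathTraversalError:
        return True
    return False


def demo() -> dict:
    """Run both handlers against constructed inputs in a throwaway tree and
    report what each one allowed. Every path here is made up for the demo."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp).resolve()
        root = base / "uploads"
        root.mkdir()
        (base / "outside").mkdir()
        # 1. The vulnerable handler writes a file outside its root.
        escaped = vulnerable_write(
            root, "../outside/authorized_keys", b"ssh-ed25519 AAAA constructed-key"
        ).resolve()
        results["vulnerable_escaped"] = (
            escaped.parent == base / "outside" and root not in escaped.parents
        )
        # 2. The hardened handler rejects the same input and absolute paths.
        results["hardened_rejects_dotdot"] = _rejected(
            hardened_write, root, "../outside/authorized_keys", b"x"
        )
        results["hardened_rejects_absolute"] = _rejected(
            hardened_write, root, "/etc/cron.d/job", b"x"
        )
        # 3. A symlink planted inside the root cannot be used to escape either.
        (root / "link").symlink_to(base / "outside")
        results["hardened_rejects_symlink_escape"] = _rejected(
            hardened_write, root, "link/authorized_keys", b"x"
        )
        # 4. Legitimate nested writes inside the root still work.
        kept = hardened_write(root, "reports/2026/q2.txt", b"ok")
        results["legit_write_ok"] = kept.read_bytes() == b"ok" and root in kept.parents
    return results


if __name__ == "__main__":
    for check, passed in demo().items():
        print(f"{check}: {'PASS' if passed else 'FAIL'}")
```

Running the block prints one PASS line per check. The same resolve-then-contain pattern is what a post-upgrade verification test should exercise against a staging instance: a traversal input must be rejected with an error, not silently written somewhere unexpected.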
Recommendations
- Patch immediately — this is an emergency. CISA KEV designation plus active zero-day exploitation means every hour of delay increases your exposure. Federal agencies have until June 29, 2026; all other organisations should treat this deadline as equally urgent. Apply the Cisco patch now.
- Conduct a compromise assessment. Do not assume your SD-WAN Manager was not targeted simply because you are unaware of an incident. Conduct an immediate compromise assessment on all SD-WAN Manager appliances, focusing on: filesystem integrity (unexpected files in system directories), configuration drift (changes not attributable to authorised change windows), user account review (new or modified accounts), SSH key inventory, and scheduled tasks (cron, systemd timers).
- Review SD-WAN Manager access controls. This vulnerability requires authentication. Reduce the attack surface by: enforcing multi-factor authentication (MFA) for all SD-WAN Manager access, restricting management access to a dedicated out-of-band management network with jump hosts, disabling default or shared accounts, implementing strict role-based access control with least privilege, and auditing all active user accounts and API tokens.
- Audit managed edge device configurations. If your SD-WAN Manager may have been compromised, review the running configuration of all managed cEdge/vEdge routers for unauthorised changes. A compromised Manager can push malicious configurations, including backdoor VPN tunnels, modified firewall rules, or altered routing policies to any edge device under management.
- Harden the SD-WAN management plane. Beyond patching, implement defence-in-depth for the SD-WAN Manager: deploy it behind a firewall with strict inbound rules, use a dedicated management VRF or management interface, implement network-level monitoring for unusual connections to and from the Manager, and ensure logging is enabled and forwarded to a central SIEM.
- Rotate credentials. If compromise cannot be ruled out, rotate all credentials accessible from or stored on the SD-WAN Manager: administrator passwords, API tokens, SSH keys, SNMP community strings, and any secrets used for overlay network authentication (IPsec pre-shared keys, TLS certificates).
- Investigate across the Cisco SD-WAN estate. Given this is the second Cisco SD-WAN KEV this month, threat actors are clearly focused on this product. Review all Cisco SD-WAN components (Manager, Controller, Validator, and edge devices) for indicators of compromise and ensure all are running current, patched software.
- Monitor Cisco’s security advisory page. The clustering of KEV entries for Cisco SD-WAN suggests further advisories may follow. Subscribe to Cisco’s security notification service and monitor for additional CVEs affecting the SD-WAN product line.
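A baseline-and-diff integrity check covering the indicator list in "Exploitation Status" and the compromise-assessment recommendation above, as an added Python example. This is not Cisco tooling: SD-WAN Manager's on-disk layout is not public, so `WATCH_PATHS` and the tree built in `demo()` are hypothetical stand-ins for a Linux appliance, and all file contents are constructed. The point is the method: hash every file under the persistence locations (SSH `authorized_keys`, cron, systemd units, the local account database, application configuration) from a known-good appliance, store that manifest off-box, and diff it against the current state when compromise is suspected.

```python
"""Baseline-and-diff integrity check for the locations an arbitrary file
write is typically turned into persistence. Added example, not Cisco
tooling: WATCH_PATHS and the tree built in demo() are hypothetical."""
import hashlib
import tempfile
from pathlib import Path

# Relative to the appliance root. "opt/app/conf" is a hypothetical stand-in
# for the application's configuration directory.
WATCH_PATHS = [
    "root/.ssh/authorized_keys",
    "home/admin/.ssh/authorized_keys",
    "etc/passwd",
    "etc/cron.d",
    "etc/systemd/system",
    "opt/app/conf",
]


def _sha256(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path, watch_paths=WATCH_PATHS) -> dict:
    """Map each regular file under the watched locations to its SHA-256.
    Take this once from a known-good appliance and keep it off-box."""
    manifest = {}
    for rel in watch_paths:
        target = root / rel
        if target.is_file():
            manifest[rel] = _sha256(target)
        elif target.is_dir():
            for f in sorted(target.rglob("*")):
                if f.is_file():
                    manifest[str(f.relative_to(root))] = _sha256(f)
    return manifest


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Files that appeared, disappeared or changed since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys()
                           if baseline[k] != current[k]),
    }


def new_authorized_keys(baseline_text: str, current_text: str) -> list:
    """Key lines present now that were not in the baseline. A changed hash on
    authorized_keys only says something changed; this says which key."""
    def keys(text):
        return {ln.strip() for ln in text.splitlines()
                if ln.strip() and not ln.lstrip().startswith("#")}
    return sorted(keys(current_text) - keys(baseline_text))


def _write(path: Path, text: str) -> None:
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(text)


def demo() -> dict:
    """Baseline a constructed clean tree, apply the kinds of changes listed as
    indicators (planted cron job, appended SSH key, tampered config, new local
    account) and report the diff. All content is made up for the demo."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        ak = root / "root/.ssh/authorized_keys"
        _write(ak, "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEADMINKEY admin@jump\n")
        _write(root / "etc/passwd", "root:x:0:0::/root:/bin/bash\n")
        _write(root / "etc/cron.d/logrotate", "0 2 * * * root /usr/sbin/logrotate\n")
        _write(root / "etc/systemd/system/app.service", "[Service]\nExecStart=/opt/app/run\n")
        _write(root / "opt/app/conf/policy.json", '{"vpn": ["site-a", "site-b"]}\n')
        baseline = build_manifest(root)
        baseline_keys = ak.read_text()

        with ak.open("a") as fh:
            fh.write("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEATTACKERKEY x@x\n")
        _write(root / "etc/cron.d/update", "* * * * * root /tmp/.u\n")
        _write(root / "opt/app/conf/policy.json", '{"vpn": ["site-a", "site-b", "backdoor"]}\n')
        with (root / "etc/passwd").open("a") as fh:
            fh.write("svc:x:0:0::/root:/bin/bash\n")

        report = diff_manifests(baseline, build_manifest(root))
        report["new_ssh_keys"] = new_authorized_keys(baseline_keys, ak.read_text())
        return report


if __name__ == "__main__":
    for kind, items in demo().items():
        print(f"{kind}: {items}")
```

When the appliance itself may be compromised, run the comparison against a mounted snapshot or forensic image rather than trusting tools on the live box, and treat the baseline manifest as evidence that must have been captured before the exposure window.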
References
- CISA Known Exploited Vulnerabilities (KEV) Catalog
- CISA Binding Operational Directive (BOD) 22-01
- Cisco Security Advisories
- NVD: CVE-2026-20262
- CWE-22: Path Traversal
Disclaimer: This information is provided for educational and defensive purposes only. CVE details, KEV status, and exploitation assessments are based on publicly available information at the time of writing. Always verify details against official CISA KEV listings, Cisco Security Advisories, and NVD entries before taking action in production environments. SD-WAN infrastructure requires careful change management — coordinate patching with your network operations and security teams.
