Cisco Catalyst SD-WAN: CVE-2026-20262 and CVE-2026-20245 — CISA Warns of Escalating Attacks Against SD-WAN Infrastructure

Cisco Catalyst SD-WAN: CVE-2026-20262 and CVE-2026-20245 — CISA Warns of Escalating Attacks Against SD-WAN Infrastructure

CISA Known Exploited Vulnerability (KEV): CVE-2026-20262 added June 15 (deadline June 29 — now 7 days overdue). CVE-2026-20245 added June 9 (deadline June 23 — now 13 days overdue). BOD 26-04 applies — both deadlines have passed.

CVE: CVE-2026-20262, CVE-2026-20245 | CVSS 3.1: Various (High) | Vendor: Cisco | Product: Catalyst SD-WAN (Manager, Controller, Validator) | Affected: SD-WAN Manager (vManage), SD-WAN Controller (vSmart), SD-WAN Validator (vBond)


What Is the Vulnerability

CVE-2026-20262: A vulnerability in the web UI of Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage) allows an authenticated, remote attacker to create a file or overwrite any file on the filesystem, potentially leading to remote code execution. CVE-2026-20245: A CLI vulnerability in Cisco Catalyst SD-WAN Controller (formerly vSmart), SD-WAN Manager (formerly vManage), and SD-WAN Validator (formerly vBond) that could be exploited by an authenticated attacker to achieve privilege escalation or code execution. Both are actively exploited and listed on the CISA KEV catalog.


Versions Affected

  • Cisco Catalyst SD-WAN Manager: Versions prior to patched releases
  • Cisco Catalyst SD-WAN Controller: Versions prior to patched releases
  • Cisco Catalyst SD-WAN Validator: Versions prior to patched releases

Exploited?

Yes — actively exploited with escalating attack frequency. CISA and researchers have warned that attacks targeting these SD-WAN vulnerabilities are intensifying. Both are listed on the CISA KEV catalog. CVE-2026-20262 deadline passed June 29 (now 7 days overdue). CVE-2026-20245 deadline passed June 23 (now 13 days overdue).


Fix

Cisco has released patches for both vulnerabilities. Apply immediately.

  • Primary fix: Update Cisco Catalyst SD-WAN software to patched versions per Cisco security advisories.
  • Workaround: Restrict management access to SD-WAN controllers and managers to trusted IPs only.

Recommendations

  • Patch immediately: Both KEV deadlines have passed. Apply Cisco patches without delay.
  • Restrict management access: Ensure SD-WAN management interfaces are not exposed to untrusted networks.
  • Audit for compromise: Review SD-WAN logs for signs of unauthorised file creation or configuration changes.
  • Monitor CISA guidance: CISA has explicitly warned of escalating attacks against these vulnerabilities.

References


Part of the Vulnerability Intelligence series on threat-modeling.com. July 6, 2026 Report.

Connect with me

Enter your Email address if you want to connect and receive threat modeling updates (I won’t spam you or share your contact details).

AND / OR

Try my threat modeling tool, it's completely free to use.

Thanks for signing up!