CISA Known Exploited Vulnerability (KEV): CVE-2026-20262 added June 15 (deadline June 29 — now 7 days overdue). CVE-2026-20245 added June 9 (deadline June 23 — now 13 days overdue). BOD 26-04 applies — both deadlines have passed.
CVE: CVE-2026-20262, CVE-2026-20245 | CVSS 3.1: Various (High) | Vendor: Cisco | Product: Catalyst SD-WAN (Manager, Controller, Validator) | Affected: SD-WAN Manager (vManage), SD-WAN Controller (vSmart), SD-WAN Validator (vBond)
What Is the Vulnerability
CVE-2026-20262: A vulnerability in the web UI of Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage) allows an authenticated, remote attacker to create a file or overwrite any file on the filesystem, potentially leading to remote code execution. CVE-2026-20245: A CLI vulnerability in Cisco Catalyst SD-WAN Controller (formerly vSmart), SD-WAN Manager (formerly vManage), and SD-WAN Validator (formerly vBond) that could be exploited by an authenticated attacker to achieve privilege escalation or code execution. Both are actively exploited and listed on the CISA KEV catalog.
Versions Affected
- Cisco Catalyst SD-WAN Manager: Versions prior to patched releases
- Cisco Catalyst SD-WAN Controller: Versions prior to patched releases
- Cisco Catalyst SD-WAN Validator: Versions prior to patched releases
Exploited?
Yes — actively exploited with escalating attack frequency. CISA and researchers have warned that attacks targeting these SD-WAN vulnerabilities are intensifying. Both are listed on the CISA KEV catalog. CVE-2026-20262 deadline passed June 29 (now 7 days overdue). CVE-2026-20245 deadline passed June 23 (now 13 days overdue).
Fix
Cisco has released patches for both vulnerabilities. Apply immediately.
- Primary fix: Update Cisco Catalyst SD-WAN software to patched versions per Cisco security advisories.
- Workaround: Restrict management access to SD-WAN controllers and managers to trusted IPs only.
Recommendations
- Patch immediately: Both KEV deadlines have passed. Apply Cisco patches without delay.
- Restrict management access: Ensure SD-WAN management interfaces are not exposed to untrusted networks.
- Audit for compromise: Review SD-WAN logs for signs of unauthorised file creation or configuration changes.
- Monitor CISA guidance: CISA has explicitly warned of escalating attacks against these vulnerabilities.
References
- NVD Entry for CVE-2026-20262
- NVD Entry for CVE-2026-20245
- CISA Known Exploited Vulnerabilities Catalog
- Cisco Security Advisory (Catalyst SD-WAN)
Part of the Vulnerability Intelligence series on threat-modeling.com. July 6, 2026 Report.
