A Cisco SD-WAN vulnerability is now under active attack, and Cisco is urging customers to patch fast. Tracked as CVE-2026-20262, the flaw affects Cisco Catalyst SD-WAN Manager, the platform formerly known as vManage. Because attackers are already abusing it, exposed systems face real risk. Worse still, SD-WAN Manager orchestrates an entire SD-WAN fabric, so one compromise can ripple across the network.
What the flaw allows
The bug lives in the web UI of Cisco Catalyst SD-WAN Manager. According to Cisco, the issue “could allow an authenticated, remote attacker to create a file or overwrite any file on the filesystem of an affected system.”
At its root, the software fails to validate user-supplied input during a file upload. As a result, an attacker can send a crafted HTTP request to a vulnerable API endpoint. From there, they can plant or replace files on the underlying operating system.
Crucially, that foothold can escalate. Cisco notes that the planted file can later be leveraged to climb to root. Still, the attacker needs valid credentials first, even if only a low-privileged, single-task account.
Who is affected
This Cisco SD-WAN vulnerability reaches every deployment type. Specifically, it affects On-Prem, Cloud-Pro, Cisco-managed cloud, and FedRAMP government installations alike. Moreover, the flaw applies regardless of device configuration.
The CVSS score sits at a moderate 6.5. However, the real-world picture looks more serious, because the bug is being exploited right now.
Attacks are already happening
Cisco confirmed the threat in its advisory. The company states that “in June 2026, the Cisco PSIRT became aware of limited exploitation of this vulnerability.”
Defenders should hunt for signs of abuse. Notably, Cisco’s indicators point to a rogue “suspicious.war” file uploaded and deployed into the vManage environment, followed by requests to a planted web page. Therefore, teams should review the vManage server, appserver, and service-proxy logs for matching entries.
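A starting point for that log review, as an added example that is not Cisco's tooling or part of the advisory: it flags unexpected .war archives mentioned in the logs and then collects requests to the web path such an archive would be served from. The log line formats, the `vmanage.war` allowlist entry and the assumption that `foo.war` is served under `/foo` are all assumptions made for illustration; the sample lines are constructed.

```python
import re

# Constructed sample lines. Real vManage log formats and file names differ;
# match against the indicators in Cisco's advisory.
SAMPLE_LOGS = {
    "appserver": [
        '2026-06-03 10:14:05 INFO deployment: Deployed "suspicious.war"',
        '2026-06-03 10:20:11 INFO deployment: Deployed "vmanage.war"',
    ],
    "service-proxy": [
        '192.0.2.10 - - [03/Jun/2026:10:15:30 +0000] "GET /suspicious/index.jsp HTTP/1.1" 200 312',
        '192.0.2.10 - - [03/Jun/2026:10:16:02 +0000] "POST /suspicious/index.jsp?a=1 HTTP/1.1" 200 87',
        '198.51.100.7 - - [03/Jun/2026:10:17:00 +0000] "GET /login HTTP/1.1" 200 1024',
    ],
}
KNOWN_GOOD = {"vmanage.war"}  # hypothetical allowlist; build yours from a clean system

WAR_RE = re.compile(r"([\w.-]+\.war)\b", re.IGNORECASE)
REQ_RE = re.compile(r'"(?:GET|POST|PUT|HEAD|DELETE) (/[^ "]*) HTTP/[\d.]+"')

def unexpected_wars(lines, known_good=KNOWN_GOOD):
    """Return .war names mentioned in the lines that are not on the allowlist."""
    found = []
    for line in lines:
        for name in WAR_RE.findall(line):
            name = name.lower()
            if name not in known_good and name not in found:
                found.append(name)
    return found

def followup_requests(lines, war_names):
    """Return request lines whose first path segment matches an archive name.
    Assumes the common Java convention that foo.war is served under /foo."""
    contexts = {n[:-4] for n in war_names}
    hits = []
    for line in lines:
        m = REQ_RE.search(line)
        if m and re.split(r"[/?]", m.group(1).lstrip("/"), maxsplit=1)[0] in contexts:
            hits.append(line)
    return hits

def hunt(logs, known_good=KNOWN_GOOD):
    """Correlate unexpected archive deployments with later requests to them."""
    all_lines = [line for lines in logs.values() for line in lines]
    wars = unexpected_wars(all_lines, known_good)
    return {"unexpected_wars": wars, "followup_requests": followup_requests(all_lines, wars)}

if __name__ == "__main__":
    for key, values in hunt(SAMPLE_LOGS).items():
        print(key, *values, sep="\n  ")
```

To use it on real data, replace `SAMPLE_LOGS` with lines read from your own server, appserver and service-proxy logs and adjust the two regular expressions to the formats you actually see.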
How to respond
Update now. Cisco has released fixed builds across every affected train, including 20.9.9.2, 20.12.7.2, 20.15.4.5, 20.15.5.3, 20.18.3.1, and 26.1.1.2.
For full version details and the complete list of indicators, read the official Cisco security advisory.
In addition, limit internet exposure of your SD-WAN Manager systems. Then audit accounts and logs for anything unusual. Finally, if you suspect a compromise, Cisco recommends collecting an admin-tech file and contacting its Technical Assistance Center.