
Cisco Catalyst SD-WAN Manager: Zero-Day with Active Exploitation


Bottom line: The zero-day CVE-2026-20262 in Cisco’s SD-WAN Manager is being exploited by sophisticated actors and must be patched by June 29.

Cisco warns of CVE-2026-20262 in Catalyst SD-WAN Manager, which is already being actively exploited. Attackers with valid credentials can create or overwrite files and potentially gain root access.

Cisco reports active exploitation of a vulnerability (CVE-2026-20262) in Catalyst SD-WAN Manager. The flaw is rated as medium severity and allows attackers to send specially crafted HTTP requests to an affected API endpoint. This enables the creation of arbitrary files on the operating system or overwriting of existing data.

Exploitation requires valid credentials with at least write permissions. Cisco explains that a file created this way could later be used to gain root access. It remains unclear whether the attackers in previous attacks abused compromised credentials or combined the flaw with other vulnerabilities.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-20262 to its catalog of known exploited vulnerabilities and instructed federal agencies to close the gap by June 29. Security experts interpret the targeted, limited attacks as evidence of a sophisticated, possibly state-sponsored actor. The identity of the attackers remains unknown to the public.

For Cisco environments, the threat landscape in the SD-WAN segment has deteriorated significantly: CVE-2026-20262 is already the eighth vulnerability in Cisco’s SD-WAN products for which active exploitation has been documented this year. The zero-day CVE-2026-20245 had already been reported on June 4; Cisco provided a patch for it after about a week.


Source: www.it-daily.net · Published June 17, 2026
Lumi AI News — AI-assisted curation in accordance with Article 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.1.
