CVE-2026-20262 — Cisco Catalyst SD-WAN Manager: authenticated arbitrary file write to root, exploited as a zero-day (CISA KEV)
From CTI Weekly Summary — 2026-W25 (Jun 15 – Jun 21, 2026) · published 2026-06-22
A path-traversal weakness in the web UI of Cisco Catalyst SD-WAN Manager (formerly vManage) lets an authenticated remote attacker create or overwrite any file on the underlying OS and escalate to root code execution; Cisco patched it after zero-day exploitation and CISA added it to KEV (Cisco PSIRT; daily 06-16). SD-WAN Manager is the centralised control plane for an entire SD-WAN fabric, so a rooted controller is a fabric-wide compromise. Patch on emergency cadence and restrict management-plane access to a dedicated administrative network.