ctipilot.ch

Cisco Catalyst SD-WAN Manager authenticated arbitrary file write to root RCE (CVE-2026-20262); CISA KEV; deep dive

cve · CVE-2026-20262

  • Coverage timeline: 2 (first 2026-06-16 → last 2026-06-16)
  • Briefs: 1 (1 distinct)
  • Sources cited: 59 (34 hosts)
  • Sections touched: 2 (deep_dive, trending_vulns)
  • Co-occurring entities: 2 (see Related entities below)

Story timeline

  1. 2026-06-16 · CTI Daily Brief — 2026-06-16
    deep_dive: Deep dive. Authenticated path traversal -> JSP/WAR webshell -> root; KEV 2026-06-15; UAT-8616.
  2. 2026-06-16 · CTI Daily Brief — 2026-06-16
    trending_vulns: Lead trending vuln; KEV ITW.

Where this entity is cited

  • deep_dive: 1
  • trending_vulns: 1

Source distribution

  • attack.mitre.org: 9 (15%)
  • sec.cloudapps.cisco.com: 6 (10%)
  • blog.talosintelligence.com: 6 (10%)
  • bleepingcomputer.com: 3 (5%)
  • theregister.com: 3 (5%)
  • thehackernews.com: 3 (5%)
  • security-hub.ncsc.admin.ch: 2 (3%)
  • bankinfosecurity.com: 1 (2%)
  • other: 26 (44%)

Related entities

External references

NVD · cve.org · CISA KEV

Items in briefs about Cisco Catalyst SD-WAN Manager authenticated arbitrary file write to root RCE (CVE-2026-20262); CISA KEV; deep dive (1)

CVE-2026-20262 — Cisco Catalyst SD-WAN Manager: authenticated arbitrary file write to root RCE (CISA KEV)

From CTI Daily Brief — 2026-06-16 · published 2026-06-16

A path-traversal weakness in the web UI of Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage) lets an authenticated, remote attacker create or overwrite any file on the underlying OS because the file-upload handler fails to validate the supplied filename (NVD CVSS 6.5; Cisco PSIRT, 2026-06-15). Writing a JSP/WAR into the Tomcat deploy path yields a web shell and root-level execution, so the modest 6.5 base score understates impact on an exposed network-management plane. Cisco confirms active exploitation and CISA added it to the KEV catalog on 2026-06-15 (BleepingComputer, 2026-06-15). Patch to 20.9.9.2 / 20.12.7.2 / 20.15.4.5 / 20.15.5.3 / 20.18.3.1 / 26.1.1.2. Full kill-chain, hunt and hardening detail in § 5.