2026-06-16
Cisco Catalyst SD-WAN Manager CVE-2026-20262: authenticated arbitrary file write to root RCE
Vulnerable component. The flaw lives in the web UI of Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage), the centralised controller/management plane that pushes policy and configuration to every WAN-edge router in an SD-WAN fabric. The file-upload path in the management UI does not validate the user-supplied filename, so an authenticated request can traverse out of the intended directory and create or overwrite an arbitrary file on the appliance OS (NVD, CVSS 6.5; Cisco PSIRT, 2026-06-15). The vulnerability affects on-premises, cloud-hosted and FedRAMP deployment models. The 6.5 base score reflects the authentication requirement (a low-privilege/single-task account), but the consequence — arbitrary write into a path the application server reads — is what makes it a root-RCE primitive rather than a simple integrity bug.
Exploitation chain. Reporting describes the practical path as: (1) Initial access with valid low-privilege SD-WAN Manager credentials — obtained through prior phishing, credential reuse, or chaining an earlier auth-affecting SD-WAN bug (T1078.004 Valid Accounts: Cloud Accounts); (2) Execution by abusing the upload endpoint to write a .jsp/.war artefact into the Tomcat deployment directory, turning the file write into a web shell (T1190 Exploit Public-Facing Application for the upload primitive, T1505.003 Server Software Component: Web Shell for the planted shell); (3) Privilege escalation / impact: because the SD-WAN Manager application services run with high privilege, the web shell yields root-equivalent control of the management plane (T1059 Command and Scripting Interpreter). Control of SD-WAN Manager is control of every managed edge device's configuration — a single-pivot path to the entire WAN. Cisco Talos tracks a highly capable cluster it designates UAT-8616 behind a 2026 wave of Cisco Catalyst SD-WAN exploitation (notably CVE-2026-20127, with software-downgrade post-compromise tradecraft) (Cisco Talos, 2026); whether or not that cluster is behind CVE-2026-20262 specifically, the pattern means defenders should treat any SD-WAN Manager as a high-value target even where they believe an earlier intrusion was contained.
Affected and patched versions. Cisco has released fixed trains 20.9.9.2, 20.12.7.2, 20.15.4.5, 20.15.5.3, 20.18.3.1 and 26.1.1.2; consult the PSIRT advisory for the exact mapping of your running train to its fixed build (Cisco PSIRT, 2026-06-15). CISA added CVE-2026-20262 to the Known Exploited Vulnerabilities catalog on 2026-06-15, confirming exploitation in the wild (BleepingComputer, 2026-06-15).
Hunt and detection concepts. Because exploitation is authenticated and post-foothold, the highest-value telemetry is on the appliance itself, not the perimeter. Review the SD-WAN Manager appserver and service-proxy logs for HTTP uploads referencing index.jsp, *.jsp or *.war filenames or path-traversal sequences, and for newly written files in the Tomcat webapps/deploy directories that do not correspond to a vendor update. Correlate file-write events with the authenticating account — single-task/low-privilege accounts performing uploads are anomalous. Watch for unexpected outbound connections from the SD-WAN Manager host (a web shell beaconing) and for new processes spawned by the application-server user. Because the attacker needs valid credentials first, surface authentication anomalies for management-plane accounts: logins from new source ranges, off-hours admin activity, and use of service/automation accounts interactively. No IOCs are reproduced here — hunt on the behaviour.
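The hunt logic above, as an added example that is not part of the brief and not Cisco's or ctipilot's code: it scans upload records for path-traversal sequences (including URL-encoded and double-encoded forms) and for filenames with servlet-executable extensions, then correlates each hit with the authenticating account's role. The key=value log layout, the field names, the role names in LOW_PRIV_ROLES and the sample lines are all constructed assumptions; the real SD-WAN Manager appserver format differs, so parse_line() is the piece to adapt.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in an assumed key=value appserver log layout. The
# real SD-WAN Manager log format differs; adapt parse_line() to it.
SAMPLE_LOG = """\
2026-06-15T02:14:07Z user=netops-ro role=operator method=POST path=/upload filename=report-q2.csv status=200
2026-06-15T02:15:31Z user=svc-monitor role=operator method=POST path=/upload filename=../../../webapps/ROOT/index.jsp status=200
2026-06-15T02:16:02Z user=admin role=admin method=POST path=/upload filename=%2e%2e%2f%2e%2e%2fwebapps%2fsite.war status=200
2026-06-15T02:17:45Z user=admin role=admin method=GET path=/device status=200
2026-06-15T03:01:10Z user=netops-ro role=operator method=POST path=/upload filename=notes.txt status=200
"""

KV_RE = re.compile(r"(\w+)=(\S+)")
# Extensions the servlet container would execute if written under webapps.
WEB_ARTIFACT_EXTS = (".jsp", ".jspx", ".war")
# ".." as a whole path segment, checked after decoding and separator unification.
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")
# Assumed role names for low-privilege / single-task accounts (placeholders).
LOW_PRIV_ROLES = {"operator", "basic"}


def parse_line(line):
    """Split one log line into a dict of key=value fields plus its timestamp."""
    fields = dict(KV_RE.findall(line))
    fields["ts"] = line.split(" ", 1)[0]
    return fields


def normalise_filename(raw):
    """URL-decode repeatedly (catches double encoding) and unify separators."""
    prev, cur = None, raw
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur.replace("\\", "/")


def classify_upload(fields):
    """Return the list of reasons an upload record is suspicious (empty if benign)."""
    if fields.get("method") not in ("POST", "PUT") or "filename" not in fields:
        return []
    name = normalise_filename(fields["filename"])
    reasons = []
    if TRAVERSAL_RE.search(name):
        reasons.append("path-traversal")
    if name.lower().endswith(WEB_ARTIFACT_EXTS):
        reasons.append("web-artifact-extension")
    # Correlate with the authenticating account: a low-privilege account
    # uploading such a file is the anomaly the brief calls out.
    if reasons and fields.get("role") in LOW_PRIV_ROLES:
        reasons.append("low-privilege-account")
    return reasons


def find_suspicious_uploads(log_text):
    """Scan a block of log text and return one finding per suspicious upload."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = parse_line(line)
        reasons = classify_upload(fields)
        if reasons:
            findings.append({
                "ts": fields["ts"],
                "user": fields.get("user"),
                "filename": fields["filename"],
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_uploads(SAMPLE_LOG):
        print(f["ts"], f["user"], f["filename"], ",".join(f["reasons"]))
```

Run against the constructed sample, the two traversal uploads are flagged and the benign CSV/TXT uploads are not; the svc-monitor hit additionally carries the low-privilege-account reason, which is the record to triage first. Decoding is repeated rather than done once so that a double-encoded sequence does not slip past the traversal check.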
Hardening / mitigation. Patch to the fixed train as the only durable fix. Until patched: restrict management-plane reachability so SD-WAN Manager's web UI is never internet-exposed and is reachable only from a hardened management network or jump host; enforce MFA on all SD-WAN Manager accounts and prune low-privilege/single-task accounts that retain upload capability; rotate credentials for any account that could authenticate during the exposure window; and validate the integrity of the Tomcat deploy directory against a known-good baseline before returning a controller to service. Given the management plane's blast radius across the WAN fabric, treat a suspected compromise of SD-WAN Manager as a fabric-wide event and review pushed configurations for tampering.
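The "validate the integrity of the Tomcat deploy directory against a known-good baseline" step, as an added example that is not part of the brief and not Cisco's or ctipilot's tooling: it hashes every file under a deploy tree into a manifest, diffs a later capture against the saved baseline, and singles out added or modified files with servlet-executable extensions. The baseline is assumed to have been captured from a freshly patched appliance; the file names in BASELINE_FILES and CURRENT_FILES are constructed placeholders, and the extension list is a generic Tomcat assumption rather than anything specific to SD-WAN Manager.

```python
import hashlib
import json
from pathlib import Path

# Extensions the servlet container treats as executable content; an unexpected
# addition or change in one of these is the first thing to escalate.
EXEC_EXTS = (".jsp", ".jspx", ".war", ".jar", ".class")


def manifest_from_bytes(files):
    """Build {relative_path: sha256} from an in-memory {path: bytes} mapping."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def build_manifest(root):
    """Walk a real directory (e.g. the Tomcat webapps tree) and hash every regular file."""
    root = Path(root)
    files = {p.relative_to(root).as_posix(): p.read_bytes()
             for p in sorted(root.rglob("*")) if p.is_file()}
    return manifest_from_bytes(files)


def save_manifest(manifest, path):
    """Persist the baseline; store it off-box so a compromised host cannot rewrite it."""
    Path(path).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path):
    return json.loads(Path(path).read_text())


def diff_manifest(baseline, current):
    """Classify every path as added, removed or modified relative to the baseline."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(k for k in base_keys & cur_keys if baseline[k] != current[k]),
    }


def executable_deviations(diff):
    """Added or modified files with an executable extension: candidates for a planted web shell."""
    return sorted(f for f in diff["added"] + diff["modified"] if f.lower().endswith(EXEC_EXTS))


def is_clean(baseline, current):
    """True only if the deploy tree matches the baseline exactly."""
    d = diff_manifest(baseline, current)
    return not (d["added"] or d["removed"] or d["modified"])


# Constructed illustration: a known-good tree captured after patching, then the
# same tree with one extra JSP and one edited descriptor.
BASELINE_FILES = {
    "ROOT/WEB-INF/web.xml": b"<web-app/>",
    "ROOT/index.html": b"<html>ok</html>",
    "manager/manager.war": b"PK-placeholder",
}
CURRENT_FILES = dict(BASELINE_FILES)
CURRENT_FILES["ROOT/WEB-INF/web.xml"] = b"<web-app><servlet/></web-app>"
CURRENT_FILES["ROOT/unexpected.jsp"] = b"placeholder"

if __name__ == "__main__":
    diff = diff_manifest(manifest_from_bytes(BASELINE_FILES), manifest_from_bytes(CURRENT_FILES))
    print(json.dumps(diff, indent=2))
    print("escalate:", executable_deviations(diff))
```

Any non-empty diff blocks the controller's return to service until explained by a vendor update; the executable-extension filter only orders the triage, since a tampered web.xml or an altered existing .jsp matters just as much as a new file. Keep the baseline manifest off the appliance so that the same write primitive cannot be used to silently rebaseline it.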
ctipilot v2 brief (migrated)