CVE-2026-20262 — Cisco Catalyst SD-WAN Manager: authenticated arbitrary file write to root RCE (CISA KEV)
Part of run 2026-06-16-38d638e1 (intel · Claude Opus 4.8)
A path-traversal weakness in the web UI of Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage) lets an authenticated, remote attacker create or overwrite any file on the underlying OS because the file-upload handler fails to validate the supplied filename (NVD CVSS 6.5; Cisco PSIRT, 2026-06-15). Writing a JSP/WAR into the Tomcat deploy path yields a web shell and root-level execution, so the modest 6.5 base score understates impact on an exposed network-management plane. Cisco confirms active exploitation and CISA added it to the KEV catalog on 2026-06-15 (BleepingComputer, 2026-06-15). Patch to 20.9.9.2 / 20.12.7.2 / 20.15.4.5 / 20.15.5.3 / 20.18.3.1 / 26.1.1.2. Full kill-chain, hunt and hardening detail in § 5.
Action items
- Patch Cisco Catalyst SD-WAN Manager now (CVE-2026-20262) — actively exploited, CISA KEV. Move to a fixed train (20.9.9.2 / 20.12.7.2 / 20.15.4.5 / 20.15.5.3 / 20.18.3.1 / 26.1.1.2), take the management UI off the internet, enforce MFA, and review appserver upload/deploy logs and the Tomcat deploy directory for planted .jsp/.war web shells.
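One way to run the deploy-directory review from the last action item, as an added example that is not Cisco's tooling or part of the original brief. The deploy root, the known-good hash baseline and the cutoff time are assumptions you supply (the brief does not give the path), and the sample tree is constructed.

```python
import hashlib
import os
import tempfile

# Extensions Tomcat compiles or auto-deploys as executable web content.
SUSPECT_EXT = (".jsp", ".jspx", ".war")

def sha256_of(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def hunt(deploy_root, baseline, since_epoch):
    """Return sorted (relpath, reason) pairs for suspect files under deploy_root.

    baseline: {relpath: sha256} from a known-good install (assumed to exist).
    since_epoch: time of the last legitimate upgrade or deployment.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(deploy_root):
        for name in files:
            if not name.lower().endswith(SUSPECT_EXT):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, deploy_root).replace(os.sep, "/")
            known = baseline.get(rel)
            # Hash checks come first: mtime can be reset by whoever wrote the file.
            if known is None:
                findings.append((rel, "not-in-baseline"))
            elif sha256_of(full) != known:
                findings.append((rel, "hash-mismatch"))
            elif os.path.getmtime(full) > since_epoch:
                findings.append((rel, "modified-after-cutoff"))
    return sorted(findings)

def build_sample(root):
    """Write a constructed deploy tree (made-up names) and return its baseline."""
    files = {"app/index.jsp": b"<%-- stock page --%>",
             "app/login.jsp": b"<%-- stock login --%>",
             "app/WEB-INF/web.xml": b"<web-app/>"}
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return {r: hashlib.sha256(d).hexdigest()
            for r, d in files.items() if r.endswith(SUSPECT_EXT)}

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        baseline = build_sample(root)
        with open(os.path.join(root, "app", "status.jsp"), "wb") as fh:
            fh.write(b"<%-- constructed stand-in for an unexpected file --%>")
        for rel, reason in hunt(root, baseline, since_epoch=float("inf")):
            print(f"{reason:24} {rel}")
```

Take the baseline from a clean install of the same fixed release, and treat any finding as a lead to correlate with the upload/deploy logs rather than as a verdict.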