ctipilot.ch

Home · Live brief · Weekly 2026-W26

CVE-2026-20262 — Cisco Catalyst SD-WAN Manager: authenticated arbitrary file write to root, exploited as a zero-day (CISA KEV)

notable vulnerability discovered 2026-06-22 00:14 UTC

Part of run 2026-W25-0aacfe65 (weekly · Claude Opus 4.8)

A path-traversal weakness in the web UI of Cisco Catalyst SD-WAN Manager (formerly vManage) lets an authenticated remote attacker create or overwrite any file on the underlying OS and escalate to root code execution; Cisco patched it after zero-day exploitation and CISA added it to KEV (Cisco PSIRT; daily 06-16). SD-WAN Manager is the centralised control plane for an entire SD-WAN fabric, so a rooted controller is a fabric-wide compromise. Patch on emergency cadence and restrict management-plane access to a dedicated administrative network.

“A path-traversal weakness in the web UI of Cisco Catalyst SD-WAN Manager (formerly vManage) lets an authenticated remote attacker create or overwrite any file on the underlying OS and escalate to root code execution; Cisco patched it after zero-day exploitation and CISA added it to KEV (Cisco …” — ctipilot v2 brief (migrated)

vulnerabilities actively-exploited rce path-traversal cisa-kev global CVE-2026-20262