🔴 Cisco SD-WAN Manager Flaw Being Actively Exploited — Patch Now

16 June 2026 — Cisco has released emergency security updates for a vulnerability in Catalyst SD-WAN Manager (formerly SD-WAN vManage) that is being actively exploited in the wild.

The Vulnerability

CVE-2026-20262 (CVSS 6.5) allows an authenticated attacker to create or overwrite any file on the affected system. The flaw is in the web UI's file upload functionality — it doesn't properly validate user input, allowing an attacker to send crafted HTTP requests to API endpoints and gain root-level access.

While the attacker needs valid credentials to exploit this, the consequences are severe: full system compromise.

Who Is Affected

All versions of:

  • Cisco Catalyst SD-WAN Manager On-Prem
  • Cisco SD-WAN Cloud-Pro
  • Cisco SD-WAN Cloud (Cisco Managed)
  • Cisco SD-WAN for Government (FedRAMP)

Fixed Versions

Affected Version Fixed In
20.9.9.1 and earlier 20.9.9.2
20.12.7.1 and earlier 20.12.7.2
20.15.4.4 and earlier 20.15.4.5
20.15.5.2 and earlier 20.15.5.3
20.18.3 20.18.3.1
26.1.1.1 and earlier 26.1.1.2

CISA Adds to KEV Catalog

The US Cybersecurity and Infrastructure Security Agency (CISA) has added this flaw to its Known Exploited Vulnerabilities catalog. Federal agencies must patch by June 29, 2026.

What to Check

If you use Cisco SD-WAN Manager, check your logs for suspicious activity:

/var/log/nms/vmanage-server.log
/var/log/nms/vmanage-appserver.log
/var/log/nms/containers/service-proxy/serviceproxy-access.log

Look for unexpected WAR file uploads or deployment events. This is the eighth actively exploited Cisco SD-WAN flaw this year.

What UK Businesses Should Do

  1. Patch immediately — update to the fixed version listed above
  2. Audit logs — check for unusual file uploads or deployments
  3. Review credentials — ensure only authorised users have write access
  4. Monitor CISA KEV — this list tells you what's being actively exploited right now
  5. Report incidents — if you find evidence of compromise, report to the NCSC

Source: The Hacker News / Cisco Security Advisory