Cisco patches second SD-WAN Manager root-access flaw in two weeks
Cisco's SD-WAN Manager is the control-plane software that runs Cisco-managed wide area networks.
A second critical flaw in Cisco's Catalyst SD-WAN Manager went from disclosure to active exploitation this week, putting the network management plane back on the defensive list for the second time in roughly two weeks.
Cisco on Monday patched CVE-2026-20262, a vulnerability in the SD-WAN Manager web UI that lets an authenticated, low-privileged user upload a crafted file to an API endpoint and, through a missing input-validation check, write or overwrite arbitrary files on the underlying operating system. From there, the primitive chains into root. CISA added the flaw to its Known Exploited Vulnerabilities catalog, the federal shortlist of bugs with confirmed in-the-wild use, on June 15, 2026, with a two-week patch deadline of June 29.
The vulnerability exists because the software does not properly validate user-supplied input during a file upload process. An attacker with valid credentials for at least a lower-privileged, single-task user account can send a crafted HTTP request to an affected API endpoint and create or overwrite any file on the underlying OS. That file can then be used to elevate to root. There are no workarounds; upgrading to a fixed software release is the only remediation path.
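The bug class the advisory describes, unvalidated client input reaching a filesystem write during upload, as an added Python illustration that is not Cisco's code: a hypothetical handler that joins the client-supplied name unchecked, beside a version that confines the write to the upload directory. The directory path and sample names are constructed.

```python
# Added example, not Cisco's code: a hypothetical upload handler showing the
# bug class in the advisory (client-controlled name reaches a filesystem write
# unvalidated) next to a confined version.
import os
from pathlib import Path


class RejectedUpload(ValueError):
    """Raised when validation refuses an upload target."""


def naive_upload_target(upload_dir: str, client_name: str) -> Path:
    # Vulnerable pattern: the client-supplied name is joined without checks.
    # os.path.join drops upload_dir entirely if client_name is absolute, and
    # '..' segments walk out of the directory, so any file becomes writable.
    return Path(os.path.join(upload_dir, client_name))


def safe_upload_target(upload_dir: str, client_name: str) -> Path:
    # Hardened pattern: accept exactly one plain filename and prove the
    # resolved path still sits directly inside upload_dir.
    base = Path(upload_dir).resolve()
    if client_name in ("", ".", "..") or "/" in client_name or "\\" in client_name:
        raise RejectedUpload(f"separator or traversal in name: {client_name!r}")
    if client_name.startswith("."):
        raise RejectedUpload(f"dotfile name not accepted: {client_name!r}")
    target = (base / client_name).resolve()
    # Defence in depth: a pre-existing symlink at that name would resolve elsewhere.
    if target.parent != base:
        raise RejectedUpload(f"resolved path escapes {base}: {target}")
    return target


def naive_escapes(upload_dir: str, client_name: str) -> bool:
    """True if the unvalidated join would write outside upload_dir."""
    base = Path(upload_dir).resolve()
    target = naive_upload_target(upload_dir, client_name).resolve()
    return base not in target.parents


def safe_accepts(upload_dir: str, client_name: str) -> bool:
    """True if the hardened handler would accept the name."""
    try:
        safe_upload_target(upload_dir, client_name)
        return True
    except RejectedUpload:
        return False
```

The path checks work on strings alone, so the constructed upload directory does not need to exist to run the functions.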
The CVSS score of 6.8 (Medium) reflects the authentication prerequisite. In current threat conditions, that prerequisite is not a high bar. Credential-stuffing campaigns and infostealer logs have made low-privileged credentials on management appliances cheap to acquire, and the manager sits on a network that, by design, reaches every Cisco-managed SD-WAN edge device the enterprise runs. A foothold on the manager is a foothold on the control plane, and the Medium rating is a measure of attacker prerequisites, not of impact ceiling.
This is the second Catalyst SD-WAN Manager zero-day exploited in roughly two weeks. CVE-2026-20245, an improper encoding or escaping vulnerability that could allow an authenticated local attacker to execute arbitrary commands as root by supplying a crafted file, was added to the CISA KEV catalog on June 9, 2026 with active exploitation confirmed. Cisco released patches for all versions affected by CVE-2026-20245 on June 12. Two root-on-the-manager primitives landing in a single month on the same product is no longer a coincidence. It is a pattern, and it changes what "patched" means for an SD-WAN Manager fleet.
Cisco's advisory for CVE-2026-20262 is available on the Cisco PSIRT security portal. Cisco PSIRT confirmed limited exploitation in June 2026. The flaw affects all Catalyst SD-WAN Manager deployment types regardless of device configuration. Cisco's advisory lists affected versions and fixed software releases.
For operators, this week's work is concrete. Pull Cisco's fixed software for CVE-2026-20262 and confirm the manager build is on the patched release. Audit every account on the SD-WAN Manager, paying particular attention to low-privileged single-task users and any service or integration accounts that have not been rotated recently. Validate that the manager's management interface is not exposed to the open internet; most SD-WAN Manager deployments are reachable only from a restricted operator subnet, and that perimeter is the single most effective control against the kind of credential-based chain this bug enables. Watch Cisco's advisory channel for the next one. With the cadence the last month has shown, treating SD-WAN Manager patching as a quarterly task is the most expensive assumption a network team can make this quarter.