Critical Cisco SD-WAN Manager Zero-Day Exploited in the Wild
Cisco has disclosed an actively exploited zero-day vulnerability in Catalyst SD-WAN Manager (formerly vManage), tracked as CVE-2026-20262. The flaw stems from improper input validation during file uploads: an authenticated attacker with write-level access can upload or overwrite arbitrary files on the underlying operating system. Despite a CVSS score of only 6.5 (Medium), it poses a significant risk to enterprise networks.
Exploitation lets a threat actor drop a malicious payload such as a web shell and potentially escalate privileges to root, which makes the practical impact far greater than the score suggests. Cisco's Product Security Incident Response Team (PSIRT) confirmed limited real-world exploitation as of June 2026; the bug counts as a zero-day because it was being exploited before a fix was available.
The vulnerability affects every deployment model of Catalyst SD-WAN Manager: on-premises, Cloud, Cloud-Pro and FedRAMP. There is no workaround; upgrading to a fixed release is the only remedy, and until that is done exposure should be reduced by keeping the management interface and its API off the internet. Observed attacks come through those interfaces and use directory traversal sequences (../) in the uploaded file name to write files such as WAR archives into directories that the application server deploys automatically.
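The root cause described above, an upload handler that trusts a client-supplied file name, as an added example in generic Python (not Cisco's code): a naive handler beside a hardened one, both run against the traversal string that appears in the indicators of compromise below. The upload root and the allowed file extensions are assumptions for the demo.

```python
# Added illustration of the bug class (path traversal via an uploaded file
# name). Generic example code, not Cisco's; UPLOAD_ROOT and ALLOWED_EXT are
# assumptions for the demo.
import posixpath
import re

UPLOAD_ROOT = "/opt/uploads"                 # assumed upload directory
ALLOWED_EXT = {".csv", ".txt", ".pem"}       # assumed allowlist of upload types
# Plain file names only: must start with a letter or digit, so ".", ".." and
# anything containing a path separator is rejected before any path math.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$")

# Traversal string taken from the indicators of compromise in the advisory.
IOC_NAME = "../../../../var/lib/wildfly/standalone/deployments/suspicious.war"


def naive_upload_path(root: str, filename: str) -> str:
    """Vulnerable: trusts the client-supplied name. normpath() resolves the
    '..' components, so the file lands wherever the attacker chose."""
    return posixpath.normpath(posixpath.join(root, filename))


def safe_upload_path(root: str, filename: str) -> str:
    """Hardened: validate the name as a single path component against an
    allowlist, then verify the resolved path still lies under root."""
    if not SAFE_NAME.fullmatch(filename):
        raise ValueError(f"rejected file name: {filename!r}")
    if posixpath.splitext(filename)[1].lower() not in ALLOWED_EXT:
        raise ValueError(f"rejected file type: {filename!r}")
    dest = posixpath.normpath(posixpath.join(root, filename))
    # Defence in depth: even if the name check is loosened later, never
    # write outside the upload root.
    if posixpath.commonpath([root, dest]) != root:
        raise ValueError(f"path escapes upload root: {dest}")
    return dest


if __name__ == "__main__":
    print("naive :", naive_upload_path(UPLOAD_ROOT, IOC_NAME))
    try:
        safe_upload_path(UPLOAD_ROOT, IOC_NAME)
    except ValueError as err:
        print("safe  :", err)
    print("safe  :", safe_upload_path(UPLOAD_ROOT, "report.csv"))
```

With the naive handler the IOC name resolves to the WildFly hot-deploy directory, which is exactly the path reported in the logs; the hardened handler rejects it at the name check, and the containment check remains as a second line of defence.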
Indicators of Compromise (IOCs) include:
- vmanage-server.log: file uploads whose path walks out of the upload directory, e.g. ../../../../var/lib/wildfly/standalone/deployments/suspicious.war
- vmanage-appserver.log: deployment of a WAR file that is not part of the product, e.g. suspicious.war
- serviceproxy-access.log: HTTP POST requests to a JSP that does not belong to the product, e.g. /suspicious/index.jsp, consistent with an uploaded web shell being invoked
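The three indicators above as detection logic run over sample log lines, added here as an example and not Cisco tooling. The sample lines are constructed for the demo and their layouts are assumptions (WildFly-style deployment messages for vmanage-appserver.log, combined-log style for serviceproxy-access.log); only the traversal path, the WAR name and the /suspicious/index.jsp POST come from the advisory.

```python
# Added example: scan the three logs named in the indicators for the IOC
# patterns. Example code, not Cisco tooling; sample lines are constructed
# and their formats are assumed.
import re
from typing import Dict, FrozenSet, List

DEPLOY_DIR = "/var/lib/wildfly/standalone/deployments/"

# Rule 1 (vmanage-server.log): a path token that walks up the tree or points
# straight at the WildFly hot-deploy directory.
PATH_TOKEN = re.compile(r"\S*(?:\.\./|\.\.\\|" + re.escape(DEPLOY_DIR) + r")\S*")
# Rule 2 (vmanage-appserver.log): any deployment message naming a .war.
WAR_DEPLOY = re.compile(r'deploy\w*[^"\n]*"([^"]+\.war)"', re.I)
# Rule 3 (serviceproxy-access.log): POST/PUT to a JSP or to a traversal path.
REQUEST = re.compile(r'"(POST|PUT)\s+(\S+)')


def scan_logs(logs: Dict[str, List[str]],
              expected_wars: FrozenSet[str] = frozenset()) -> List[dict]:
    """Return one finding per matching line. expected_wars is the set of WAR
    names present on a known-good manager; fill it from a baseline so the
    product's own deployments are not reported."""
    findings = []

    def hit(log, rule, line, evidence):
        findings.append({"log": log, "rule": rule,
                         "evidence": evidence, "line": line})

    for line in logs.get("vmanage-server.log", []):
        m = PATH_TOKEN.search(line)
        if m:
            hit("vmanage-server.log", "traversal_upload", line, m.group(0))

    for line in logs.get("vmanage-appserver.log", []):
        m = WAR_DEPLOY.search(line)
        if m and m.group(1) not in expected_wars:
            hit("vmanage-appserver.log", "war_deployment", line, m.group(1))

    for line in logs.get("serviceproxy-access.log", []):
        m = REQUEST.search(line)
        if not m:
            continue
        method, path = m.group(1), m.group(2).split("?", 1)[0]
        if path.lower().endswith(".jsp") or ".." in path:
            hit("serviceproxy-access.log", "suspicious_post", line,
                f"{method} {path}")
    return findings


# Constructed sample lines (not real captures); formats are assumed.
SAMPLE_LOGS = {
    "vmanage-server.log": [
        "2026-06-03T10:14:02Z INFO  FileUpload - saving upload to /var/tmp/uploads/report.csv",
        "2026-06-03T10:14:55Z INFO  FileUpload - saving upload to "
        "../../../../var/lib/wildfly/standalone/deployments/suspicious.war",
    ],
    "vmanage-appserver.log": [
        '2026-06-03T10:14:56Z INFO  [org.jboss.as.server] WFLYSRV0027: Starting deployment of "suspicious.war"',
        '2026-06-03T10:14:58Z INFO  [org.jboss.as.server] WFLYSRV0010: Deployed "suspicious.war"',
    ],
    "serviceproxy-access.log": [
        '10.0.0.5 - - [03/Jun/2026:10:14:50 +0000] "POST /dataservice/device/action/software HTTP/1.1" 200 512',
        '10.0.0.5 - - [03/Jun/2026:10:15:03 +0000] "POST /suspicious/index.jsp HTTP/1.1" 200 87',
        '10.0.0.9 - - [03/Jun/2026:10:15:10 +0000] "GET /dataservice/client/token HTTP/1.1" 200 64',
    ],
}

if __name__ == "__main__":
    for f in scan_logs(SAMPLE_LOGS):
        print(f"{f['log']:24} {f['rule']:17} {f['evidence']}")
```

Point the three lists at the real files (for example after extracting them from a request admin-tech bundle) and seed expected_wars from a manager you trust; the timeline across the three logs, an upload with a traversal path followed within seconds by a WAR deployment and then a POST to a new JSP, is the sequence to look for.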
While the flaw does not directly affect SD-WAN traffic or connectivity, compromise of the management plane lets an attacker push configuration changes to the fabric or maintain persistent access. Cisco has released fixed versions 20.9.9.2, 20.12.7.2, 20.15.4.5, 20.15.5.3, 20.18.3.1 and 26.1.1.2. Organizations are advised to audit the logs above for the indicators, restrict external access to the manager, and collect diagnostics with the request admin-tech command before opening a case with Cisco's Technical Assistance Center (TAC).
Cisco found the vulnerability during internal security testing, underscoring the risk posed by exposed management interfaces and by insufficient input validation in file-handling code. With active exploitation under way, prompt patching and log monitoring are critical to limiting exposure.
Source: https://cybersecuritynews.com/cisco-sd-wan-vmanage-vulnerability-exploit/
Cisco cybersecurity rating report: https://www.rankiteo.com/company/cisco
"id": "CIS1781591050",
"linkid": "cisco",
"type": "Vulnerability",
"date": "6/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': 'Technology/Networking',
'name': 'Cisco Catalyst SD-WAN Manager',
'type': 'Network Management Software'}],
'attack_vector': 'Exposed management interfaces and API endpoints, directory '
'traversal techniques',
'data_breach': {'file_types_exposed': ['WAR files']},
'date_detected': '2026-06',
'date_publicly_disclosed': '2026-06',
'description': 'Cisco has disclosed an actively exploited zero-day '
'vulnerability in its Catalyst SD-WAN Manager (formerly '
'vManage), tracked as CVE-2026-20262, posing significant risks '
'to enterprise networks. The flaw stems from improper input '
'validation during file uploads, allowing authenticated '
'attackers with write-level access to upload or overwrite '
'arbitrary files on the underlying operating system. '
'Exploitation enables threat actors to deploy malicious '
'payloads, such as web shells, and potentially escalate '
'privileges to root level.',
'impact': {'operational_impact': 'Compromise of the management plane could '
'allow attackers to alter configurations or '
'maintain persistent access',
'systems_affected': 'Cisco Catalyst SD-WAN Manager (all deployment '
'models: on-premises, Cloud, Cloud-Pro, '
'FedRAMP)'},
'investigation_status': 'Ongoing',
'lessons_learned': 'Risks posed by exposed management interfaces and '
'inadequate input validation',
'post_incident_analysis': {'corrective_actions': 'Patching, enhanced '
'monitoring, log audits, '
'access restrictions',
'root_causes': 'Improper input validation during '
'file uploads, exposed management '
'interfaces'},
'recommendations': 'Timely patching, monitoring, auditing logs, restricting '
"external access, and engaging Cisco's Technical "
'Assistance Center (TAC) if needed',
'references': [{'source': 'Cisco PSIRT'}],
'response': {'containment_measures': 'Immediate patching, audit logs, '
'restrict external access, use `request '
'admin-tech` command for diagnostics',
'enhanced_monitoring': 'Monitoring for unauthorized file uploads '
'and malicious HTTP POST requests',
'remediation_measures': 'Patching to versions 20.9.9.2, '
'20.12.7.2, 20.15.4.5, 20.15.5.3, '
'20.18.3.1, 26.1.1.2'},
'title': 'Critical Cisco SD-WAN Manager Zero-Day Exploited in the Wild',
'type': 'Zero-Day Exploitation',
'vulnerability_exploited': 'CVE-2026-20262'}