[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f8S7VkeqMaoHrEpU4G087Iv1Goex1E7Sp8gXzClFs18I":3},{"article":4,"iocs":48},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":27,"category":28,"article_tags":32},"0af87a28-2fd0-46d7-a864-433924d23c10","Cisco fixes SD-WAN vManage flaw exploited in zero-day attacks","cisco-fixes-sd-wan-vmanage-flaw-exploited-in-zero-day-attacks-a6ba0e","Cisco has released security updates to address a vulnerability in the Catalyst SD-WAN Manager, tracked as CVE-2026-20262, that was exploited in attacks to escalate to root privileges. [...]","Cisco has released security updates for a critical vulnerability in its Catalyst SD-WAN Manager, tracked as CVE-2026-20262. This flaw, which allows low-privilege attackers to escalate to root privileges by uploading crafted files, was actively exploited in the wild as a zero-day. The vulnerability affects all deployment types and Cisco urges customers to patch immediately.","Cisco fixes SD-WAN vManage flaw exploited in zero-day attacks.","Cisco fixes SD-WAN vManage flaw exploited in zero-day attacks By Sergiu Gatlan June 15, 2026 01:12 PM 0 Cisco has released security updates to address a vulnerability in the Catalyst SD-WAN Manager, tracked as CVE-2026-20262, that was exploited in attacks to escalate to root privileges. Formerly known as SD-WAN vManage, this network management software allows admins to manage up to 6,000 SD-WAN devices from a single dashboard. The now-patched zero-day security flaw affects all deployment types, regardless of device configuration, including on-prem deployments, Cisco SD-WAN Cloud-Pro, Cisco SD-WAN Cloud (Cisco Managed), and Cisco SD-WAN for Government (FedRAMP). Cisco said the issue stems from insufficient validation of user-supplied input during file uploads, which can allow low-privilege remote attackers to execute arbitrary commands as root by sending crafted HTTP requests to an affected API endpoint. \"A vulnerability in the web UI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an authenticated, remote attacker to create a file or overwrite any file on the filesystem of an affected system,\" Cisco said in a Monday advisory. \"An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected API endpoint of the affected system. A successful exploit could allow the attacker to create or overwrite any file on the underlying operating system. This file could later be used to elevate to root.\" Cisco said its Product Security Incident Response Team (PSIRT) became aware of the exploitation of CVE-2026-20262 earlier this month and \"strongly\" advised customers to patch their systems. Cisco Catalyst SD-WAN Release First Fixed Release 20.9.9.1 and earlier 20.9.9.2 20.12.7.1 and earlier 20.12.7.2 20.15.4.4 and earlier 20.15.4.5 20.15.5.2 and earlier 20.15.5.3 20.18.3 20.18.3.1 26.1.1.1 and earlier 26.1.1.2 While the company did not share any details on these attacks, it shared indicators of compromise (IOCs) warning admins to check their SD-WAN vmanage-server, vmanage-appserver, and serviceproxy-access logs for attempts to upload index.jsp and .war files. In February, Cisco patched another Catalyst SD-WAN Manager information disclosure security flaw (CVE-2026-20133), flagged as actively exploited in late April, and, two weeks later, warned of two more flaws (CVE-2026-20128 and CVE-2026-20122)that were abused in the wild. Last month, it also tagged a maximum-severity Catalyst SD-WAN Controller authentication-bypass flaw (CVE-2026-20182) as actively exploited as a zero-day to gain admin privileges on unpatched devices. More recently, in early June, Cisco warned of one more unpatched Catalyst SD-WAN Manager zero-day (CVE-2026-20245) that was exploited in attacks, allowing attackers to gain root privileges. Over the last several years, the Cybersecurity and Infrastructure Security Agency (CISA) tagged 91 Cisco vulnerabilities as abused in the wild, five of them in Cisco Catalyst SD-WAN Manager and six others exploited in ransomware attacks. Test every layer before attackers do Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection. Get the whitepaper Related Articles: Cisco warns of unpatched SD-WAN zero-day exploited in attacksCisco warns of new critical SD-WAN flaw exploited in zero-day attacksCISA flags new SD-WAN flaw as actively exploited in attacksOracle mitigates PeopleSoft zero-day exploited in data theft attacksMicrosoft Defender 'RoguePlanet' zero-day grants SYSTEM privileges","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fcisco-fixes-sd-wan-vmanage-flaw-exploited-in-zero-day-attacks\u002F","https:\u002F\u002Fwww.bleepstatic.com\u002Fcontent\u002Fhl-images\u002F2024\u002F07\u002F18\u002FCisco.jpg","2026-06-15T17:12:42+00:00","2026-06-15T18:00:19.485403+00:00",9,[18,21,24],{"name":19,"type":20},"Catalyst SD-WAN Manager","product",{"name":22,"type":23},"Cisco","vendor",{"name":25,"type":26},"SD-WAN","technology","80544778-fabb-4dcd-aa35-17492e5dcf4f",{"id":27,"icon":29,"name":30,"slug":31},null,"Vulnerabilities","vulnerabilities",[33,38,43],{"category":34},{"id":35,"icon":29,"name":36,"slug":37},"26b0b636-0e31-4db1-bffb-61bdf9f20a58","Supply Chain","supply-chain",{"category":39},{"id":40,"icon":29,"name":41,"slug":42},"574f766a-fb3f-487c-8d2c-0720ae75471b","Zero-day","zero-day",{"category":44},{"id":45,"icon":29,"name":46,"slug":47},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",[49,53,56,59,61,64],{"type":50,"value":51,"context":52},"cve","CVE-2026-20262","Cisco Catalyst SD-WAN Manager vulnerability exploited in zero-day attacks.",{"type":50,"value":54,"context":55},"CVE-2026-20133","Previously patched Catalyst SD-WAN Manager information disclosure flaw.",{"type":50,"value":57,"context":58},"CVE-2026-20128","Previously patched Catalyst SD-WAN Manager flaw abused in the wild.",{"type":50,"value":60,"context":58},"CVE-2026-20122",{"type":50,"value":62,"context":63},"CVE-2026-20182","Previously patched Catalyst SD-WAN Controller authentication-bypass flaw.",{"type":50,"value":65,"context":66},"CVE-2026-20245","Previously patched Catalyst SD-WAN Manager zero-day exploited for root privileges."]