Cisco Patches Another SD-WAN Zero-Day Exploited in Attacks

Summary

Cisco has issued a warning about a zero-day vulnerability, CVE-2026-20262, affecting its Catalyst SD-WAN Manager. This medium-severity arbitrary file write flaw allows attackers with valid credentials to overwrite files on the underlying operating system, potentially leading to root privilege escalation. The vulnerability has reportedly been exploited in limited, targeted attacks, prompting CISA to add it to its Known Exploited Vulnerabilities catalog.

Full text

Cisco on Monday warned customers about yet another SD-WAN product zero-day exploited in attacks. The flaw, tracked as CVE-2026-20262, has been described as a medium-severity arbitrary file write issue affecting Catalyst SD-WAN Manager. An attacker can send specially crafted HTTP requests to an affected API endpoint to create or overwrite any file on the underlying operating system. “This file could later be used to elevate to root,” Cisco explained, adding, “To exploit this vulnerability, the attacker must have valid credentials with at least write access.” Cisco said it discovered the vulnerability internally and became aware of its exploitation in June 2026. It’s unclear whether CVE-2026-20262 has been chained with other vulnerabilities or whether the attackers abused compromised credentials. Advertisement. Scroll to continue reading. There does not appear to be any public information about attacks exploiting the new zero-day, and it’s unclear who is behind them. Cisco did mention that CVE-2026-20262 has been exploited in limited attacks, which suggests a highly-targeted operation by a sophisticated — possibly state-sponsored — threat actor. CISA added CVE-2026-20262 to its Known Exploited Vulnerabilities (KEV) catalog on Monday, instructing federal agencies to address it by June 29. This is the eighth Cisco SD-WAN vulnerability whose exploitation was detected in 2026. The list also includes CVE-2026-20182, CVE-2026-20127, CVE-2026-20128, CVE-2026-20122, CVE-2026-20133, CVE-2022-20775, and CVE-2026-20245. CVE-2026-20245 was disclosed by Cisco on June 4 as a zero-day, but it took nearly a week for the company to start releasing patches. Related: Ivanti Sentry Exploitation Attempts Hitting Honeypots Related: Google Confirms Exploitation of Oracle PeopleSoft Zero-Day by ShinyHunters Related: Hackers Exploit Langflow Vulnerability for Remote Code Execution Written By Eduard Kovacs Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering. Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights. More from Eduard Kovacs Maine Disables Data Breach Portal Due to Fake Submissions Industry Reactions to Claude Fable 5: Feedback FridayAnthropic Disputes Fable 5 AI JailbreakGoogle Confirms Exploitation of Oracle PeopleSoft Zero-Day by ShinyHuntersOracle Addresses PeopleSoft Vulnerability Amid Reports of Zero-Day AttacksSiemens Says Desigo CC Files Flagged as Malware by Security EnginesUniversity of Nottingham Confirms Breach After Hackers Leak DataMicrosoft Patches Exploited Exchange Server Vulnerability Latest News Ransomware Attack Shuts Down Mills of Australia’s Second-Largest Sugar ProducerChinese Hackers Target Medical, Military, and AI Research in North AmericaNewCore Emerges From Stealth Mode With $66 Million in FundingUkrainian Man Pleads Guilty in US to Conti Ransomware ChargesOzempic Maker Novo Nordisk Says Hackers Breached IT SystemsFrench Government Messaging Platform Breached by Mysterious ‘Misere’ HackerShinyHunters Claims Council of Europe HackFBI, Google Dismantle ‘Outsider Enterprise’ Phishing Service Trending Daily Briefing NewsletterSubscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: How Modern Breaches Bypass MFA and Evade Detection June 17, 2026 Today’s attackers are no longer breaking in — they’re logging in. Join this live webinar as we break down the modern identity attack chain and examine how recent breaches exploited weaknesses in authentication, identity verification, and access management processes. Register Webinar: Modern Exposure Validation in the AI Era June 24, 2026 AI has accelerated both sides of the fight. Adversaries are weaponizing vulnerabilities faster, while defenders are racing to ship detections and configurations. Join this live webinar as we explore how to prove your controls actually hold against new threats, map your security maturity, and unite breach simulation with automated pentesting into a single, coordinated program. Register People on the MoveStephen Garcia has been named Chief Information Security Officer at BreachRx.Kasper Lindgaard has been appointed Vice President of Security Strategy at CoreView.Chaim Mazal has been named Chief Information Security Officer at GitLab.More People On The MoveExpert Insights After AI Reaches Production: 12 Ways Security Teams Can Take Control Security teams need more than visibility into AI applications, they need a repeatable framework for monitoring, investigating, and defending them in production. (Joshua Goldfarb) Everybody Is Vibe Coding But Nobody Told the Security Team AI-driven development is not something organizations can or should block. But it must be governed. (Danelle Au) The Zero-Knowledge Threat Actor and the End of Responsible Disclosure AI can help attackers generate malware, create malicious payloads, bypass simple security checks, and convert vague malicious intent into functional code. (Etay Maor) Raising the Cybersecurity Stakes: Ante up for the Agentic Era CISOs are now facing machine-speed attacks and asking, “How do I agent?” The industry must provide remediation at scale. (Nadir Izrael) Caught Off Guard: Securing AI After It Hits Production As enterprises rush AI projects into production, security teams are increasingly being forced into reactive mode. (Joshua Goldfarb) Flipboard Reddit Whatsapp Whatsapp Email

Indicators of Compromise

• cve — CVE-2026-20262
• cve — CVE-2026-20182
• cve — CVE-2026-20127
• cve — CVE-2026-20128
• cve — CVE-2026-20122
• cve — CVE-2026-20133
• cve — CVE-2022-20775
• cve — CVE-2026-20245

Entities