defense · BleepingComputer
Cisco released security updates for CVE-2026-20262, a vulnerability in Catalyst SD-WAN Manager (formerly SD-WAN vManage) that was actively exploited in zero-day attacks. The flaw stems from insufficient validation of user-supplied input during file uploads, allowing authenticated remote attackers to execute arbitrary commands as root by sending crafted HTTP requests to an affected API endpoint. The vulnerability affects all deployment types—on-premises, Cisco SD-WAN Cloud-Pro, Cisco SD-WAN Cloud (Cisco Managed), and Cisco SD-WAN for Government (FedRAMP). Cisco's PSIRT became aware of exploitation earlier in June and released patched versions across multiple release branches. The company advised administrators to check SD-WAN vManage logs for attempts to upload index.jsp and .war files as indicators of compromise.
Defense contractors and government agencies operating SD-WAN infrastructure should prioritize patching, as Catalyst SD-WAN Manager is commonly deployed in environments handling controlled unclassified information (CUI) and subject to CMMC requirements. Network-management appliances are high-value targets for privilege escalation; an authenticated compromise to root on a centralized manager controlling thousands of edge devices represents significant lateral movement and persistence risk. Organizations should audit their SD-WAN deployment versions against Cisco's fixed-release table and verify no suspicious file uploads have occurred. An Omniware engagement can scope detection and response posture around SD-WAN infrastructure in detail.
Source: BleepingComputer - https://www.bleepingcomputer.com/news/security/cisco-fixes-sd-wan-vmanage-flaw-exploited-in-zero-day-attacks/
Source: BleepingComputer
All briefings