Cisco has launched safety updates for a medium-severity safety flaw in Catalyst SD-WAN Supervisor that has come underneath lively exploitation within the wild.
The vulnerability, tracked as CVE-2026-20262, carries a CVSS rating of 6.5 out of 10.0.
“A vulnerability within the internet UI of Cisco Catalyst SD-WAN Supervisor, previously SD-WAN vManage, may permit an authenticated, distant attacker to create a file or overwrite any file on the filesystem of an affected system,” Cisco stated in an advisory.
The problem, the networking gear firm added, stems from insufficient validation of user-supplied enter throughout a file add course of. An attacker may exploit this habits to create or overwrite any file on the underlying working system by sending crafted HTTP requests to an affected API endpoint.
This, in flip, might be weaponized to raise to the basis. Nonetheless, profitable exploitation hinges on the attacker already having legitimate credentials with at the very least write entry.
The vulnerability impacts the next merchandise whatever the deployment kind –
- Cisco Catalyst SD-WAN Supervisor On-Prem
- Cisco SD-WAN Cloud-Professional
- Cisco SD-WAN Cloud (Cisco Managed)
- Cisco SD-WAN for Authorities (FedRAMP)
Patches have been launched to deal with the problem –
- Cisco Catalyst SD-WAN Launch 20.9.9.1 and earlier – Mounted in 20.9.9.2
- Cisco Catalyst SD-WAN Launch 20.12.7.1 and earlier – Mounted in 20.12.7.2
- Cisco Catalyst SD-WAN Launch 20.15.4.4 and earlier – Mounted in 20.15.4.5
- Cisco Catalyst SD-WAN Launch 20.15.5.2 and earlier – Mounted in 20.15.5.3
- Cisco Catalyst SD-WAN Launch 20.18.3 – Mounted in 20.18.3.1
- Cisco Catalyst SD-WAN Launch 26.1.1.1 and earlier – Mounted in 26.1.1.2
Cisco stated it “turned conscious of restricted exploitation of this vulnerability” in June 2026, including it was found throughout inside safety testing.
The corporate has additionally shared indicators of compromise related to the malicious exercise, urging prospects to audit “/var/log/nms/vmanage-server.log” for suspicious WAR file uploads as beneath –
11-June-2026 03:53:37,310 EDT INFO [a66cdc5f-807d-4c23-944e-5c809a2ece6b] [server] [SdraAnyConnectFileUploadHandler] (default task-40704) |default| uploaded Distant Entry Anyconnect profile file: ../../../../var/lib/wildfly/standalone/deployments/suspicious.warfare to vManage.
Different indicators embrace makes an attempt to deploy malicious code and work together with it, though Cisco has warned that they might not “constantly seem” in each incident log. The follow-on actions associated to this vulnerability are –
CVE-2026-20262 is the eighth safety flaw impacting Cisco SD-WAN to be flagged as actively exploited this 12 months alone after CVE-2026-20245, CVE-2026-20182, CVE-2026-20127, CVE-2026-20122, CVE-2026-20128, CVE-2026-20133, and CVE-2022-20775. The exploitation of a few of these flaws has been attributed to a sophisticated persistent risk (APT) actor named UAT-8616.
The event has prompted the U.S. Cybersecurity and Infrastructure Safety Company (CISA) to add the flaw to its Recognized Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Govt Department (FCEB) businesses to use the fixes by June 29, 2026.
![How creators and entrepreneurs are utilizing AI to hurry up & succeed [data]](https://blog.aimactgrow.com/wp-content/uploads/2025/06/Untitled20design-Apr-07-2023-08-24-35-4586-PM-120x86.png)
