Cisco Catalyst SD-WAN Manager arbitrary file write (CVE-2026-20262): what Hawaii businesses need to do
CVE-2026-20262 is an actively exploited zero-day in Cisco Catalyst SD-WAN Manager (formerly vManage). An authenticated attacker with low-privilege write access can create or overwrite any file on the underlying operating system through a crafted HTTP request, then escalate to root. Cisco PSIRT confirmed limited, targeted in-the-wild exploitation in June 2026, and CISA added the CVE to its Known Exploited Vulnerabilities catalog on June 15, 2026 with a federal remediation deadline of June 29, 2026. Hawaii multi-island businesses running Catalyst SD-WAN Manager should collect admin-tech files, apply the fixed software release, audit logs against Cisco’s published IOCs, and rotate write-access credentials this week.
Published · HI Tech Hui · ~10 min read
What CVE-2026-20262 is
CVE-2026-20262 is an arbitrary file write vulnerability (CWE-22, path traversal) in the web user interface of Cisco Catalyst SD-WAN Manager — the product Cisco renamed from vManage and the centralized control plane for Catalyst SD-WAN fabrics. The bug lives in how certain file upload API endpoints validate user-supplied filenames and destination paths. An authenticated attacker who already holds valid credentials with at least write access can send a crafted HTTP request to place a file at an arbitrary location on the underlying operating system.
From there, the documented escalation path is to drop a malicious .jsp webshell or .war archive into a directory the vManage application server will execute, which yields code execution. From application-context code execution the attacker pivots to root by overwriting system binaries, configuration files, or SSH authorized_keys entries. The official CVSS v3.1 score is 6.5 (Medium). The operational risk is materially higher than 6.5 implies, because Catalyst SD-WAN Manager orchestrates configuration push to every edge device in the fabric.
Why Hawaii businesses specifically should pay attention
Cisco Catalyst SD-WAN Manager is the control plane that many multi-site Hawaii organizations sit on top of. Common Hawaii profiles include:
- Hotel and resort groups with properties on multiple islands using SD-WAN to centralize policy.
- Healthcare systems with clinics across Oahu and neighbor islands.
- Supermarket chains and retail with point-of-sale traffic centralized through SD-WAN.
- State and county government agencies with multi-site operations.
- Telecom resellers and MSPs that manage SD-WAN on behalf of customers.
Compromise of the Manager is materially worse than compromise of an individual branch firewall because the attacker gains the ability to push configuration changes to every edge device in the fabric. The inter-island incident response timelines we covered in yesterday’s ransomware recovery playbook apply directly: containing a Manager compromise during a multi-island operation requires coordination that takes longer in Hawaii than on the mainland.
Confirmed exploitation timeline
The published timeline:
- Early June 2026 — Cisco PSIRT becomes aware of limited, targeted exploitation in the wild.
- June 15, 2026 — Cisco publishes security advisory cisco-sa-sdwan-arbfw-c2rZvQ and fixed software releases for CVE-2026-20262.
- June 15, 2026 — CISA adds CVE-2026-20262 to the Known Exploited Vulnerabilities catalog with a federal remediation deadline of June 29, 2026 under BOD 22-01.
- June 16, 2026 — Mainstream security coverage confirms active zero-day exploitation; Qualys publishes detection signature QID 317858.
This is the second Cisco SD-WAN Manager KEV addition in June 2026 — CVE-2026-20245 (local privilege escalation requiring netadmin) was added on June 9 with a remediation deadline of June 23. Both should be remediated together. The Catalyst SD-WAN Manager platform has been the subject of eight confirmed exploitation events in 2026, including the May 14 unauthenticated authentication bypass (CVE-2026-20182) that supplied the credential path attackers chain into CVE-2026-20262.
Affected versions and fixed releases
From Cisco’s advisory:
| Affected release | Fixed release |
|---|---|
| 20.9.9.1 and earlier | 20.9.9.2 |
| 20.12.7.1 and earlier | 20.12.7.2 |
| 20.15.4.4 and earlier | 20.15.4.5 |
| 20.15.5.2 and earlier | 20.15.5.3 |
| 20.18.3 | 20.18.3.1 |
| 26.1.1.1 and earlier | 26.1.1.2 |
All deployment types are vulnerable: on-prem (ESXi, KVM, Hyper-V, bare metal), Cisco SD-WAN Cloud-Pro, Cisco-Managed Cloud, and Cisco SD-WAN for Government (FedRAMP). Edge devices (cEdge and vEdge routers) are not directly affected by CVE-2026-20262, but a compromised Manager can push configuration changes to them, so verifying edge configuration integrity after Manager remediation is appropriate.
What Hawaii businesses should do this week
1. Collect admin-tech files before any change
Cisco’s remediation procedure requires that admin-tech files be collected from every control component (vSmart, vManage, vBond) before any upgrade or configuration change, so that diagnostic data and any potential IOCs are preserved for TAC analysis. Run admin-tech on each component with the Log and Tech options selected. vSmart admin-techs must not be run simultaneously; collect them one at a time. Save the resulting bundles for upload to a TAC case.
2. Open a Cisco TAC case for IOC analysis
Open a Severity 3 case with “CVE-2026-20245, CVE-2026-20262” and the advisory IDs cisco-sa-sdwan-privesc-4uxFrdzx and cisco-sa-sdwan-arbfw-c2rZvQ in the title. Upload the admin-tech bundles. TAC analyzes them for IOCs and provides remediation guidance. The log entries Cisco lists as IOCs can also be produced by legitimate operations, so any match requires manual review against your normal operational activity.
3. Apply the fixed software release
Upgrade Catalyst SD-WAN Manager to the fixed release matching your train (table above). Follow Cisco’s documented upgrade procedure — database backup, snapshot, lab/staging validation, then production rollout — to avoid disrupting the fabric. There are no workarounds. Reducing exposure by restricting network access to the Manager UI via ACLs or a bastion host is a compensating control, not a substitute for patching.
4. Audit logs for IOCs (mandatory if Manager has been internet-reachable)
From vManage CLI, drop into vshell and run:
```shell
zgrep "SdraAnyConnectFileUploadHandler" /var/log/nms/vmanage-server.log*
zgrep "WFLYSRV0010" /var/log/nms/vmanage-appserver.log*
zgrep "POST" /var/log/nms/containers/service-proxy/serviceproxy-access.log*
```
Repeat on every vManage in the deployment (cluster members and DR-paired Managers). Cross-reference any matching entries against expected operational activity. File-system check: look for unexpected .jsp or .war files outside the standard application deployment directory, particularly filenames matching Cisco’s published IOCs (index.jsp, suspicious.war).
5. Rotate credentials and harden the management plane
Review every account in SD-WAN Manager with write privileges. Remove write access that is not strictly necessary. Rotate credentials on all remaining write-access accounts. Enforce MFA on every SD-WAN Manager account — the broader case for phishing-resistant MFA on management systems is in our Entra passkeys piece. Rotate SNMP community strings, TACACS secret keys, VPN pre-shared keys, certificates, and any trusted SSH keys present in device configurations.
6. Reduce exposure surface
Catalyst SD-WAN Manager should never be directly internet-exposed. Restrict access to the web UI and API endpoints via network ACLs or a dedicated jump host. Segment the management network (out-of-band management) from data traffic so a compromise of one segment does not provide direct access to the management plane. If your current architecture exposes Manager to the internet, fix that now — patch first, then close the exposure.
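The log audit and file-system check from step 4, as an added offline triage script (not Cisco’s own tool and not code from this article): it reads the three log families, rotated .gz copies included, for the published IOC strings and lists .jsp/.war files that sit outside the expected deployment directory. The sample log lines, their layout and the deployment path opt/web-app/deployments are constructed assumptions; point it at files extracted from an admin-tech bundle or a copy of /var/log/nms.

```python
"""Offline triage for step 4: grep vManage logs for the IOC strings and list stray .jsp/.war files."""
import glob, gzip, os, re, tempfile

# One search string per log family, taken from the step 4 zgrep commands.
IOC_PATTERNS = {
    "vmanage-server.log": re.compile(r"SdraAnyConnectFileUploadHandler"),
    "vmanage-appserver.log": re.compile(r"WFLYSRV0010"),
    "serviceproxy-access.log": re.compile(r"\bPOST\b"),
}

def scan_logs(log_root):
    """Return {family: ["file: line", ...]} for every IOC match under log_root (recursive)."""
    hits = {family: [] for family in IOC_PATTERNS}
    for family, pattern in IOC_PATTERNS.items():
        for path in sorted(glob.glob(os.path.join(log_root, "**", family + "*"), recursive=True)):
            opener = gzip.open if path.endswith(".gz") else open   # rotated logs are gzip-compressed
            with opener(path, "rt", errors="replace") as fh:
                hits[family] += [f"{os.path.basename(path)}: {ln.rstrip()}" for ln in fh if pattern.search(ln)]
    return hits

def find_stray_webapps(fs_root, deploy_dir):
    """Return .jsp/.war files under fs_root that sit outside deploy_dir, the expected location."""
    deploy_dir = os.path.abspath(deploy_dir) + os.sep
    return sorted(os.path.join(d, n) for d, _, names in os.walk(fs_root) for n in names
                  if n.lower().endswith((".jsp", ".war"))
                  and not os.path.abspath(os.path.join(d, n)).startswith(deploy_dir))

def _write(path, text, gz=False):
    with (gzip.open(path, "wt") if gz else open(path, "w")) as fh:
        fh.write(text)

def build_sample_tree():
    """Constructed sample tree; log layouts and the deployment path are assumptions, not Cisco's."""
    root = tempfile.mkdtemp()
    nms, deploy = os.path.join(root, "var/log/nms"), os.path.join(root, "opt/web-app/deployments")
    for d in (os.path.join(nms, "containers/service-proxy"), deploy, os.path.join(root, "tmp")):
        os.makedirs(d)
    _write(os.path.join(nms, "vmanage-server.log"),
           "2026-06-16 03:14:07 INFO SdraAnyConnectFileUploadHandler upload name=index.jsp\n")
    _write(os.path.join(nms, "vmanage-appserver.log.1.gz"), 'WFLYSRV0010: Deployed "suspicious.war"\n', gz=True)
    _write(os.path.join(nms, "containers/service-proxy/serviceproxy-access.log"),
           '203.0.113.7 - - [16/Jun/2026:03:14:07 +0000] "POST /dataservice/upload HTTP/1.1" 200\n'
           '198.51.100.2 - - [16/Jun/2026:03:15:00 +0000] "GET /dataservice/device HTTP/1.1" 200\n')
    _write(os.path.join(deploy, "app.war"), "")       # expected deployable, must not be flagged
    _write(os.path.join(root, "tmp/index.jsp"), "")   # stray file matching a published IOC name
    return root, deploy

if __name__ == "__main__":
    root, deploy = build_sample_tree()
    print(scan_logs(os.path.join(root, "var/log/nms")), find_stray_webapps(root, deploy), sep="\n")
```

Every hit still needs the manual cross-reference against expected operational activity that step 4 calls for; the script only narrows the review to the matching lines.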
How this fits the broader 2026 pattern
CVE-2026-20262 is the second Catalyst SD-WAN Manager KEV in two weeks and the eighth Cisco SD-WAN exploitation event in 2026. The pattern across our 2026 cybersecurity coverage is consistent: attackers are aggressively targeting the management plane of perimeter and network-orchestration products. We saw it with Palo Alto GlobalProtect (CVE-2026-0257), with SolarWinds Serv-U (CVE-2026-28318), with Check Point IKEv1 (CVE-2026-50751) earlier this week, and now twice with Catalyst SD-WAN Manager.
The buyer-side response is the same in every case. Inventory the management plane assets. Restrict their network exposure. Enforce phishing-resistant MFA on every administrative account. Maintain a documented patching SLA tied to the CISA KEV catalog, as we laid out in our 7-day SMB patching playbook. Audit the trust chain so that compromise of one credential does not give an attacker the keys to the entire fabric.
Sources
- Cisco: Remediate Catalyst SD-WAN Security Advisory — June 2026 (official remediation guide)
- CISA Known Exploited Vulnerabilities Catalog
- Canadian Centre for Cyber Security alert AV26-602
Running Cisco Catalyst SD-WAN Manager across multiple Hawaii sites and want a same-day exposure check? HI Tech Hui provides cybersecurity, managed IT, and 24/7 monitoring through our in-house SOC. Contact us for a no-pressure assessment.