CVE-2026-20262 Is The Seventh Cisco SD-WAN Zero-Day In Thirteen Months. The Brain Of The Network Is Still Open.
- Patrick Duggan
CVE-2026-20262 is a path traversal vulnerability in Cisco Catalyst SD-WAN Manager that allows an authenticated, remote attacker to write or overwrite any file on the filesystem of an affected system. CISA added it to the Known Exploited Vulnerabilities catalog on June 15, 2026. The federal remediation deadline is June 29. Cisco confirmed limited active exploitation in targeted attacks.
We have written about this product three times in the last six weeks. On May 16, we documented the day CISA added four Cisco Catalyst SD-WAN Manager CVEs simultaneously and explained why chaining them takes an attacker from an anonymous HTTP request to owning every router in the fabric. On June 5, we wrote that CVE-2026-20245 — the fifth CVE in the same product — had landed in KEV while unpatched and actively exploited. On June 18, we counted six CVEs in one year and noted that the pattern was not coincidence but architecture. CVE-2026-20262 is the seventh.
The technical detail that matters most about this one is in the indicators of compromise Cisco released. Admins are told to check vmanage-server logs, vmanage-appserver logs, and serviceproxy-access logs for attempts to upload index.jsp and .war files. Those file types are the signature. An index.jsp in an unexpected location on an SD-WAN Manager system is a webshell. A .war file upload is a Java web archive that deploys as a web application, giving the attacker a persistent, server-side execution environment that survives reboots and survives most endpoint detection scans because it lives inside the Java application server rather than as a standalone executable. The exploitation chain for CVE-2026-20262 is: send a crafted HTTP request to the affected API endpoint with a malicious file payload, write index.jsp or a .war archive to a web-accessible path, and execute arbitrary commands as root. The CVSS is 6.5 because the attacker needs authentication. In practice, authentication on a system with six prior KEV entries — including auth bypass CVEs — is not a meaningful barrier.
The most relevant KEV entry to pair with CVE-2026-20262 is CVE-2026-20182, which reached KEV on May 14, 2026. That one is an authentication bypass — an unauthenticated remote attacker can obtain administrative privileges. CVE-2026-20182 chained with CVE-2026-20262 is an unauthenticated file write to root execution chain. Neither CVE depends on the other; each is exploitable on its own. Together, they are a complete unauthenticated root compromise of the single management plane that controls every edge device in an SD-WAN fabric.
The architecture is what we have been writing about since May. Cisco Catalyst SD-WAN Manager is not a router. It is the brain. It is the single console that pushes configuration, software updates, and policy to every edge device in the network fabric. A compromise of SD-WAN Manager is not a compromise of one device. It is a compromise of the configuration authority for every device. An attacker with a webshell on SD-WAN Manager can push malicious configuration to every edge router simultaneously, intercept traffic flows, reroute traffic through attacker-controlled paths, and maintain persistent access through configuration that gets pushed back to every device on each policy sync. The blast radius is the entire network fabric, not the single management node.
Cisco described the active exploitation as limited and targeted, which is the language vendors use when they believe a nation-state or sophisticated criminal actor is the operator rather than commodity scanning. The targeted framing is consistent with what a weaponized SD-WAN Manager compromise enables — mass network compromise with persistent reconfiguration authority is not a ransomware operator's tool. It is an espionage operator's tool. You do not need to ransomware a network you can intercept.
The seven-CVE count in thirteen months is worth stating plainly because the number carries a meaning that vendor disclosure language tends to obscure. Each disclosure is presented as an individual vulnerability in an individual product. The pattern they form together is a product line with a fundamental security architecture problem. Seven independently exploitable flaws in the same management plane in thirteen months is not a patch cadence issue. It is a signal that the attack surface has not been structurally reduced, only patched one flaw at a time, and that each patch cycle is discovering the next exploitable variant rather than closing the underlying surface. The researchers who found CVE-2026-20262 found it in June. They were not the only people looking.
The three actions are the same actions they have been since May. First, check the vmanage-server, vmanage-appserver, and serviceproxy-access logs for index.jsp and .war file upload attempts before applying the patch, because if exploitation has already occurred, patching closes the door after the webshell is already inside. Second, apply the patch and confirm CVE-2026-20182 is also remediated, because the auth bypass is the unauthenticated entry point for the file write. Third, audit the configuration that SD-WAN Manager has pushed to edge devices in the last thirty days for unexpected policy changes, because a motivated attacker who had access during the window may have used it to plant configuration rather than just stage a shell.
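As an added example (not code from this post, from Cisco, or from the researchers who reported the CVE), here is a small Python triage script for the first of the three actions above. It runs the index.jsp / .war upload signature from the indicators-of-compromise section over the three log sources named there (vmanage-server, vmanage-appserver, serviceproxy-access) and tiers hits by whether a write-like verb or a parent-directory sequence is present on the same line. The sample log lines, their formats, the /PLACEHOLDER URL paths and the severity tiering are this example's own assumptions, not Cisco's log formats or Cisco's guidance; point the scan functions at the real files once you have confirmed their layout.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# The three log sources named in the Cisco IoC guidance (as quoted in the post).
LOG_SOURCES = ("vmanage-server", "vmanage-appserver", "serviceproxy-access")

# index.jsp and *.war are the file types the IoC guidance calls the signature.
SUSPICIOUS_FILE_RE = re.compile(r"(?i)(index\.jsp|[\w.-]+\.war)\b")
# Write-like HTTP verbs or an explicit upload message on the same line.
UPLOAD_RE = re.compile(r"(?i)\b(POST|PUT|upload)\b")
# Plain and URL-encoded parent-directory sequences (path traversal markers).
TRAVERSAL_RE = re.compile(r"(?i)(\.\./|\.\.\\|%2e%2e(?:%2f|%5c|/|\\)|\.\.%2f)")


@dataclass
class Finding:
    source: str      # which log the line came from
    line_no: int     # 1-based line number within that log
    filename: str    # the matched index.jsp / *.war token
    upload: bool     # write verb or upload message present
    traversal: bool  # parent-directory sequence present
    severity: str    # "high" or "review"
    line: str        # the raw line, kept for the analyst


def classify(line: str) -> Optional[Tuple[str, bool, bool, str]]:
    """Return (filename, upload, traversal, severity), or None for a clean line."""
    m = SUSPICIOUS_FILE_RE.search(line)
    if not m:
        return None
    filename = m.group(1)
    upload = bool(UPLOAD_RE.search(line))
    traversal = bool(TRAVERSAL_RE.search(line))
    # Tiering is this example's own choice: any .war, or an index.jsp paired
    # with a write verb or traversal marker, is "high"; a bare index.jsp
    # reference is queued for human review rather than dropped.
    high = filename.lower().endswith(".war") or upload or traversal
    return filename, upload, traversal, ("high" if high else "review")


def scan_log(source: str, lines: Iterable[str]) -> List[Finding]:
    findings = []
    for line_no, line in enumerate(lines, start=1):
        result = classify(line)
        if result:
            filename, upload, traversal, severity = result
            findings.append(Finding(source, line_no, filename, upload,
                                    traversal, severity, line.rstrip()))
    return findings


def scan_all(logs: Dict[str, Iterable[str]]) -> List[Finding]:
    """Scan every named source; an unknown source name is an error so a typo
    in the file map is not silently reported as 'checked'."""
    unknown = set(logs) - set(LOG_SOURCES)
    if unknown:
        raise ValueError(f"unexpected log source(s): {sorted(unknown)}")
    findings = []
    for source in LOG_SOURCES:
        findings.extend(scan_log(source, logs.get(source, [])))
    return findings


# Constructed sample lines for this example (not real Cisco output; the
# formats and /PLACEHOLDER paths are invented, addresses are RFC 5737 ranges).
SAMPLE_LOGS = {
    "serviceproxy-access": [
        '203.0.113.7 - - [15/Jun/2026:10:21:03 +0000] "POST /PLACEHOLDER/upload?name=../../web/index.jsp HTTP/1.1" 200 512',
        '198.51.100.2 - admin [15/Jun/2026:10:22:10 +0000] "GET /PLACEHOLDER/device/monitor HTTP/1.1" 200 2048',
        '203.0.113.7 - - [15/Jun/2026:10:23:44 +0000] "PUT /PLACEHOLDER/upload?name=backdoor.war HTTP/1.1" 201 10240',
    ],
    "vmanage-server": [
        "2026-06-15 10:21:03 INFO  FileHandler: saved upload to /PLACEHOLDER/web/index.jsp",
        "2026-06-15 10:25:00 INFO  Scheduler: policy sync completed for 240 devices",
        "2026-06-15 10:30:12 DEBUG Servlet: GET /PLACEHOLDER/app/index.jsp served from cache",
    ],
    "vmanage-appserver": [
        "2026-06-15 10:23:50 WARN  Deployer: deploying web application from /PLACEHOLDER/webapps/backdoor.war",
        "2026-06-15 10:24:01 INFO  Deployer: context /PLACEHOLDER/app started",
    ],
}


if __name__ == "__main__":
    for f in scan_all(SAMPLE_LOGS):
        print(f"[{f.severity:6}] {f.source}:{f.line_no} {f.filename} "
              f"upload={f.upload} traversal={f.traversal}")
```

Run it before patching, as the post advises, and treat any "high" finding as a reason to start incident response rather than a reason to patch faster: the findings carry the source and line number so the analyst can pull the surrounding lines, and the "review" tier exists so that a bare index.jsp reference is looked at by a person instead of being filtered out by the tool.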
We will not claim this is the last CVE in this product line. In May we said more would follow, and we have been proven right three times since. The seven we have documented are the ones that made KEV. The ones that made KEV are the ones that were actively exploited before disclosure. The shape of the product's vulnerability history says the surface is still there.
