Six Cisco SD-WAN Zero-Days in One Year. The Brain of the Network Has Been Open All Along.
- Patrick Duggan
- 8 hours ago
On June 5, we wrote that the Cisco Catalyst SD-WAN Manager had just grown a new zero-day and that anyone tracking this product line should not be surprised. The May post we referenced in that piece mapped the four CVEs that landed in the CISA Known Exploited Vulnerabilities catalog on the same day, and made a point about the shape: SD-WAN Manager is the single brain that pushes configuration to every edge device in the fabric. When the brain has multiple independent flaws, the question is not whether a sophisticated actor will chain them — it is how many chains they will find before you patch the ones you know about.
CVE-2026-20262 is the answer to that question as of June 15. It is the sixth Cisco SD-WAN vulnerability whose active exploitation was confirmed in 2026. The CISA mandate for federal agencies landed three days ago. The underlying problem it represents has not changed since May.
What the sixth vulnerability is
CVE-2026-20262 is a path traversal vulnerability in Cisco Catalyst SD-WAN Manager. The attack vector is an HTTP request to an affected API endpoint. The request must be authenticated, but the prior bugs in this chain have already shown that the authentication bar for SD-WAN Manager can be cleared. The flaw allows an attacker to create or overwrite any file on the underlying operating system of the affected system. A crafted file in the right location becomes root privilege escalation. Directory traversal, arbitrary file write, root. That is the chain.
This is related to but distinct from CVE-2026-20245, the command injection bug we covered on June 5, which also requires uploading a crafted file to the affected system and also results in root via arbitrary command execution. The two bugs are siblings — same rough anatomy, different code paths, different CVEs, both now in the KEV catalog.
The six in sequence
To understand why this matters as a pattern and not just as a patch note, here is the full list of Cisco Catalyst SD-WAN CVEs whose exploitation was confirmed in 2026, in the order they became known:
[CVE-2022-20775](https://analytics.dugganusa.com/api/v1/dredd/kev-gap?cve=CVE-2022-20775) — Path traversal in the SD-WAN CLI. An old one that an authenticated local attacker could use for elevated privileges. CISA added it to KEV in February 2026, years after initial disclosure, because it was being actively used again.
[CVE-2026-20127](https://analytics.dugganusa.com/api/v1/dredd/kev-gap?cve=CVE-2026-20127) / [CVE-2026-20122](https://analytics.dugganusa.com/api/v1/dredd/kev-gap?cve=CVE-2026-20122) / [CVE-2026-20128](https://analytics.dugganusa.com/api/v1/dredd/kev-gap?cve=CVE-2026-20128) / [CVE-2026-20133](https://analytics.dugganusa.com/api/v1/dredd/kev-gap?cve=CVE-2026-20133) — Four vulnerabilities added to the KEV catalog in a single day in May 2026. Multiple authentication bypass and privilege escalation paths. The day CISA added all four together, we wrote that the cluster shape — same product, same day, four different code paths — was the tell. When you find four bugs in a brain simultaneously, someone has been inside looking.
[CVE-2026-20182](https://analytics.dugganusa.com/api/v1/dredd/kev-gap?cve=CVE-2026-20182) — Authentication bypass in the peering authentication mechanism of SD-WAN Controller and Manager. Discovered by Rapid7, reported in March, active exploitation detected by May. Post-exploitation activity observed: SSH key injection, NETCONF configuration modification, tenant configuration data exfiltrated to vSmart controllers via a system script. Root privilege escalation attempts. This is the one attributed to UAT-8616.
[CVE-2026-20245](https://analytics.dugganusa.com/api/v1/dredd/kev-gap?cve=CVE-2026-20245) — Command injection, root via crafted file upload. Unpatched at the time of our June 5 post. Mandiant reported this. Added to KEV June 9, 2026.
[CVE-2026-20262](https://analytics.dugganusa.com/api/v1/dredd/kev-gap?cve=CVE-2026-20262) — Path traversal, arbitrary file write, root. Added to KEV June 15, 2026. The sixth.
UAT-8616 and what sophistication looks like in practice
CVE-2026-20182 carries attribution: Rapid7 and subsequent reporting name UAT-8616, described as a highly sophisticated threat actor. The post-exploitation behavior documented from this actor is worth reading carefully because it describes what a competent attacker does when they have the brain of a network fabric.
First, they inject SSH keys. This gives them persistent remote access to the management plane that survives reboots, password rotations, and most incident response procedures that do not specifically hunt for unauthorized SSH keys. Second, they manipulate the NETCONF configuration. NETCONF is the protocol SD-WAN Manager uses to push configuration to every edge device; an attacker who can write NETCONF is an attacker who can reach every router in the fabric from the management plane. Third, they exfiltrate tenant configuration data — the full picture of the network topology, IP addressing, routing policies, and security configurations. Fourth, post-exploitation payloads observed across ten activity clusters include cryptocurrency miners, credential stealers, backdoors, and webshells, which tells you this actor monetizes access across multiple streams rather than pursuing a single objective.
None of those actions require a zero-day after the initial breach. Once you are in SD-WAN Manager with administrative access, the network is yours. The zero-days are the door. The sophistication is what happens once the door is open.
The shape we flagged in May and why it matters
The point we made when four Cisco CVEs landed in KEV on the same day was about concentration risk. SD-WAN Manager is not one target among many. It is the single administrative control plane for an entire WAN fabric. An attacker who controls it does not need to compromise individual routers. They push policy to all of them simultaneously. Every edge device in the fabric trusts configuration that originates from Manager because that is the architecture's design.
That design assumption — that the management plane is trustworthy because it is the management plane — is what six CVEs in one year are systematically dismantling. Each new vulnerability is another demonstration that the design assumption was not earned. The management plane is reachable, its authentication can be bypassed or chained around, and once inside it, the attacker has inherited the trust relationship the architecture built.
The six CVEs are not six independent bugs. They are six independent routes into the same trusted position.
What to do
If you are running Cisco Catalyst SD-WAN Manager, the patches for CVE-2026-20262 and CVE-2026-20245 should both be applied. The federal deadline for CVE-2026-20262 under the CISA KEV mandate was June 18. If you are a civilian agency and have not patched, you are now overdue.
Beyond patching: network segmentation of the management plane is the structural defense. SD-WAN Manager should not be internet-reachable. SSH key audits should run after any SD-WAN Manager patch cycle — UAT-8616's persistence mechanism is key injection, and a stale authorized_keys file after an incident is indistinguishable from a clean one without an explicit audit. NETCONF logs are worth reviewing for configuration pushes that did not originate from your change management process.
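One way to run the authorized_keys audit recommended above, as an added example that is not code from the original post or from Cisco: it fingerprints every key in an authorized_keys file the way ssh-keygen -lf does and reports any fingerprint missing from a baseline recorded at the last approved change. The sample file, the key blobs and the change-ticket name are constructed placeholders, not real key material.

```python
import base64
import hashlib

def fingerprint(b64_blob: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64 key blob (what ssh-keygen -lf prints)."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_keys(text: str):
    """Yield (key_type, blob, comment) per key line; skip blanks, comments and any options prefix."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # An options field (command="...",no-pty) may precede the key type; scan forward to it.
        i = 0
        while i < len(fields) and not fields[i].startswith(("ssh-", "ecdsa-", "sk-")):
            i += 1
        if i + 1 >= len(fields):
            continue  # malformed line: no key blob after the type
        yield fields[i], fields[i + 1], " ".join(fields[i + 2:])

def audit(text: str, baseline: set) -> list:
    """Return every key whose fingerprint is not in the baseline; an empty list means clean."""
    findings = []
    for key_type, blob, comment in parse_authorized_keys(text):
        fp = fingerprint(blob)
        if fp not in baseline:
            findings.append({"type": key_type, "fingerprint": fp, "comment": comment})
    return findings

# Constructed sample: blobs are base64 of placeholder bytes, not real key material.
KNOWN_BLOB = base64.b64encode(b"\x00\x00\x00\x0bssh-ed25519 placeholder-known-key").decode()
ROGUE_BLOB = base64.b64encode(b"\x00\x00\x00\x0bssh-ed25519 placeholder-injected-key").decode()
SAMPLE_AUTHORIZED_KEYS = f"""\
# keys approved under change ticket CHG-PLACEHOLDER (constructed sample)
ssh-ed25519 {KNOWN_BLOB} netops@jumphost
command="/usr/bin/true",no-pty ssh-ed25519 {KNOWN_BLOB} limited@jumphost
ssh-ed25519 {ROGUE_BLOB} root@unknown
"""
# The baseline is the set of fingerprints recorded from the golden image or last approved change.
BASELINE = {fingerprint(KNOWN_BLOB)}

if __name__ == "__main__":
    for f in audit(SAMPLE_AUTHORIZED_KEYS, BASELINE):
        print(f"UNEXPECTED KEY {f['type']} {f['fingerprint']} {f['comment']!r}")
```

On a real Manager host you would feed it the contents of each account's authorized_keys file and a baseline exported before the incident window, since the file itself carries no record of when a line was added.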
The six-in-one-year count will likely grow. The product is under active research by sophisticated actors who have demonstrated they can find independent code paths to the same privileged position. The next one will not be the last one.
We beat the CISA mandate on the SD-WAN chain in our May coverage. We had the June 5 post on CVE-2026-20245 ten days before it landed in KEV. CVE-2026-20262 was in KEV three days ago. We are not predicting what CVE-2026-20263 looks like. We are observing that the pattern of discovery suggests it exists.