Cisco disclosed CVE-2026-20262 on June 15, 2026, a path traversal vulnerability in the Catalyst SD-WAN Manager web UI. An authenticated attacker with write access can create or overwrite arbitrary files on the underlying filesystem; the created file can then be used to elevate privileges to root. The vulnerability was already being exploited in the wild when it was discovered during Cisco's internal security testing. It is the eighth actively exploited SD-WAN vulnerability in 2026.
- CVE-2026-20262 carries a CVSS 6.5 (Medium): requires valid credentials with write access, enables arbitrary file write leading to root elevation
- The earliest indicators of compromise date to June 11, 2026, showing upload of .war files to /var/lib/wildfly/standalone/deployments/ and automatic deployment on WildFly
- Patches cover six specific releases (20.9.9.2, 20.12.7.2, 20.15.4.5, 20.15.5.3, 20.18.3.1, 26.1.1.2), identical to those released for CVE-2026-20245 two weeks prior
- CISA added CVE-2026-20262 to the KEV catalog on June 15, 2026, with a June 29, 2026 deadline: federal agencies have 14 days to patch, with no alternative workarounds
The Mechanism: Path Traversal with Arbitrary File Write
The vulnerability stems from insufficient user input validation during a file upload procedure in the Catalyst SD-WAN Manager web UI. According to the official Cisco advisory, an authenticated attacker with at least write access can craft an HTTP request with directory traversal (../../../../) to force file writes outside the intended directory.
The target path observed in logs is /var/lib/wildfly/standalone/deployments/, a directory monitored by the WildFly Java application server. .war files dropped in this directory are automatically deployed as web applications. The Cisco advisory explicitly states: "A successful exploit could allow the attacker to create or overwrite any file on the underlying operating system. This file could later be used to elevate to root."
Privilege escalation requires subsequent actions not detailed in the sources. The vulnerability requires valid credentials; it is not a pre-authentication exploit. This constraint limits the attack surface but not the severity, given that compromised credentials are an established vector in management infrastructure intrusions.
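The advisory describes the bug class but not the code, so the following is an added illustration of the traversal pattern and its hardened form, not Cisco's implementation; the upload root path and the `.xml` profile extension are assumptions chosen so that four `../` segments, as in the observed IoC, climb back to `/`.

```python
import os

# Assumed upload directory for illustration only; not taken from the advisory.
UPLOAD_ROOT = "/opt/app/uploads/anyconnect-profiles"
DEPLOY_DIR = "/var/lib/wildfly/standalone/deployments"


def naive_upload_path(filename):
    """The shape of the defect: the client-supplied name is joined to the
    upload root without validation, so '..' segments walk out of the root.
    Four '../' from a four-level root land on '/', and the rest of the name
    selects any directory, including the WildFly hot-deploy directory."""
    return os.path.normpath(os.path.join(UPLOAD_ROOT, filename))


def safe_upload_path(filename):
    """Hardened form: reduce the name to its last segment, require the
    expected extension, then prove the resolved path is still inside
    UPLOAD_ROOT (defence in depth against symlinks or odd separators)."""
    base = os.path.basename(filename.replace("\\", "/"))
    if not base or base in (".", "..") or not base.endswith(".xml"):
        raise ValueError(f"rejected profile name: {filename!r}")
    root = os.path.realpath(UPLOAD_ROOT)
    candidate = os.path.realpath(os.path.join(root, base))
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("resolved path escapes the upload root")
    return candidate


def escapes_root(filename):
    """True when the naive join would write outside UPLOAD_ROOT."""
    resolved = naive_upload_path(filename)
    return os.path.commonpath([UPLOAD_ROOT, resolved]) != UPLOAD_ROOT


if __name__ == "__main__":
    traversal = "../../../../" + DEPLOY_DIR.lstrip("/") + "/example.war"
    print("naive join resolves to:", naive_upload_path(traversal))
    print("escapes upload root:", escapes_root(traversal))
    try:
        safe_upload_path(traversal)
    except ValueError as err:
        print("hardened handler:", err)
    print("legitimate name:", safe_upload_path("corp-profile.xml"))
```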
Timeline and Indicators of Compromise
Cisco PSIRT became aware of "limited exploitation" in June 2026. The vulnerability was found during "internal security testing." The sequence — exploitation in the wild preceding or concurrent with internal discovery — is documented in the sources as fact.
The earliest indicators of compromise date to June 11, 2026, at 03:53 EDT. The vmanage-server.log records the upload of "Remote Access Anyconnect profile file: ../../../../var/lib/wildfly/standalone/deployments/suspicious.war." Subsequently, vmanage-appserver.log confirms "Deployed suspicious.war," while serviceproxy-access.log documents a POST request to /suspicious/index.jsp from IP 1.1.1.54, also dated June 11.
The sources do not specify exactly when exploitation began. No infrastructure overlaps linking CVE-2026-20262 to UAT-8616 or other threat actors have emerged to date. The Hacker News suggests a partial attribution to UAT-8616, but other sources maintain caution on this point.
The Pattern: Eight SD-WAN Vulnerabilities in 2026
CVE-2026-20262 is the eighth actively exploited Cisco SD-WAN vulnerability in 2026. The list includes CVE-2026-20245, CVE-2026-20182, CVE-2026-20127, CVE-2026-20122, CVE-2026-20128, CVE-2026-20133, CVE-2026-20262, and CVE-2022-20775. The latter is from 2022, used in a chain by UAT-8616; it is not a new 2026 vulnerability.
"Whether all of these vulnerabilities have been leveraged by the same threat group remains unknown, but the sustained, methodical focus on the platform suggests a determined adversary with deep familiarity with Cisco's SD-WAN architecture" — Help Net Security
The concentration of attacks on a single management plane platform is documented in the sources. CVE-2026-20245, disclosed on June 5, presents a technically analogous pattern: authenticated access to the management plane with exploitation of the same component. Patches for both vulnerabilities cover the same six releases, but sources do not confirm whether the two vulnerabilities were fixed simultaneously during the same development cycle.
Immediate Actions
The fixed releases to verify against are 20.9.9.2, 20.12.7.2, 20.15.4.5, 20.15.5.3, 20.18.3.1, and 26.1.1.2. Cisco explicitly states that no workarounds exist; patching is the only available mitigation.
For US federal agencies: CISA has activated the BOD 26-04 procedure with a remediation deadline of June 29, 2026. The 14-day period reflects the risk-based patching introduced by the directive. Help Net Security notes: "The 14-days-long remediation period is consistent with the requirements laid out in CISA's new Binding Operational Directive, which orders agencies to prioritize security updates based on risk."
SOC teams should search vmanage-server.log, vmanage-appserver.log, and serviceproxy-access.log for upload patterns to /var/lib/wildfly/standalone/deployments/ and suspicious POST requests to unauthorized .war paths. The IoCs published by Cisco include precise timestamps enabling fine-tuning of detection queries.
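As an added example of the search described above (not from Cisco or any of the cited sources), the script below correlates the three log files: a profile upload whose path contains traversal segments, a WildFly "Deployed" entry for the same WAR name, and the first POST to the resulting context path. The sample lines are constructed from the IoC descriptions in the brief; the exact field layout of each log is an assumption, so the regexes will need adjusting to real vManage output.

```python
import posixpath
import re

DEPLOY_DIR = "/var/lib/wildfly/standalone/deployments"

# Constructed sample lines modelled on the IoCs in the brief, not real excerpts.
VMANAGE_SERVER_LOG = """\
2026-06-11 03:50:41 INFO Remote Access Anyconnect profile file: corp-profile.xml
2026-06-11 03:53:00 INFO Remote Access Anyconnect profile file: ../../../../var/lib/wildfly/standalone/deployments/suspicious.war
"""
VMANAGE_APPSERVER_LOG = """\
2026-06-11 03:53:07 INFO [org.jboss.as.server] Deployed suspicious.war
"""
SERVICEPROXY_ACCESS_LOG = """\
1.1.1.54 - - [11/Jun/2026:03:54:12 -0400] "POST /suspicious/index.jsp HTTP/1.1" 200 512
10.0.0.7 - - [11/Jun/2026:03:55:00 -0400] "GET /dataservice/device HTTP/1.1" 200 2048
"""

UPLOAD_RE = re.compile(r"Remote Access Anyconnect profile file:\s*(\S+)")
DEPLOY_RE = re.compile(r'Deployed "?([^\s"]+\.war)"?')
ACCESS_RE = re.compile(r'^(\S+) .*"(POST|PUT) (/[^/\s"]+)[^"]*"')


def lands_in_deploy_dir(path):
    """True if the uploaded name, with its leading '..' segments collapsed
    against '/', resolves into the WildFly hot-deploy directory."""
    resolved = posixpath.normpath("/" + path.lstrip("/"))
    return resolved.startswith(DEPLOY_DIR + "/")


def traversal_uploads(server_log):
    """{basename: uploaded_path} for uploads that escape the upload directory."""
    hits = {}
    for line in server_log.splitlines():
        m = UPLOAD_RE.search(line)
        if m and (".." in m.group(1).split("/") or m.group(1).startswith("/")):
            hits[posixpath.basename(m.group(1))] = m.group(1)
    return hits


def correlate(server_log, appserver_log, access_log):
    """Chain upload -> deployment -> first request, one record per WAR."""
    findings = {name: {"upload_path": path, "into_deploy_dir": lands_in_deploy_dir(path),
                       "deployed": False, "requests": []}
                for name, path in traversal_uploads(server_log).items()}
    for line in appserver_log.splitlines():
        m = DEPLOY_RE.search(line)
        if m and m.group(1) in findings:
            findings[m.group(1)]["deployed"] = True
    for line in access_log.splitlines():
        m = ACCESS_RE.search(line)
        war = m.group(3).lstrip("/") + ".war" if m else None  # context path -> WAR name
        if war in findings:
            findings[war]["requests"].append((m.group(1), m.group(3)))
    return findings


if __name__ == "__main__":
    for war, rec in correlate(VMANAGE_SERVER_LOG, VMANAGE_APPSERVER_LOG, SERVICEPROXY_ACCESS_LOG).items():
        print(war, rec)
```

A WAR that shows up in all three stages is the full chain the brief describes; an upload with traversal that never deploys still merits a look, since it may have targeted another directory.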
Analysis: Known Limits
The following points remain open questions that the sources do not resolve; any answer to them is editorial inference from documented patterns, not a fact verified in the brief:
- Whether CVE-2026-20262 was chained with other vulnerabilities beyond credential compromise
- Whether the same threat group (UAT-8616 or others) is responsible for CVE-2026-20262
- Whether patches for CVE-2026-20245 and CVE-2026-20262 were developed simultaneously
- Exactly when exploitation began (before June 11, 2026?)
- Whether the vulnerability was discovered independently by attackers or derived from previous patches
Attribution to specific threat actors remains unconfirmed: sources do not document tactical or infrastructure overlaps between CVE-2026-20262 IoCs and publicly attributed campaigns. The lack of workarounds and the 14-day CISA deadline make patching a priority for all organizations managing Catalyst SD-WAN Manager instances in affected releases.
Information has been verified against cited sources and is current as of publication.
Sources
- https://www.helpnetsecurity.com/2026/06/16/cisco-sd-wan-cve-2026-20262-exploited/
- https://thehackernews.com/2026/06/cisco-releases-security-updates-for.html
- https://www.securityweek.com/cisco-patches-another-sd-wan-zero-day-exploited-in-attacks/
- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-arbfw-c2rZvQ
- https://www.cisa.gov/news-events/alerts/2026/06/15/cisa-adds-two-known-exploited-vulnerabilities-catalog
- https://thehackernews.com/2026/06/servicenow-flaw-exploited-to-gain.html
- https://www.helpnetsecurity.com/2026/06/05/cisco-sd-wan-cve-2026-20245-0-day-exploited/
- https://www.helpnetsecurity.com/2026/06/11/cisa-risk-based-vulnerability-management-government/
- https://www.helpnetsecurity.com/2026/05/15/cisco-sd-wan-zero-day-cve-2026-20182/