Cisco patches CVE-2026-20262 after root escalation attacks

A fresh patch has been released by Cisco after attackers used a Catalyst SD-WAN Manager vulnerability to climb all the way to root.
The company’s Monday advisory addresses a flaw tracked as CVE-2026-20262. Cisco says the vulnerability was exploited to escalate privileges in attacks, with the underlying issue tied to insufficient validation of user-supplied input during file uploads.
Catalyst SD-WAN Manager—formerly known as SD-WAN vManage—sits at the center of network administration, letting admins manage up to 6,000 SD-WAN devices from a single dashboard. Cisco’s fix targets Catalyst SD-WAN Manager, including deployments that administrators may not assume are exposed in the same way. The company says the now-patched zero-day affects all deployment types, regardless of device configuration. That includes on-prem deployments, Cisco SD-WAN Cloud-Pro, Cisco SD-WAN Cloud (Cisco Managed), and Cisco SD-WAN for Government (FedRAMP).
Cisco describes the path to compromise as straightforward and brutal. The flaw affects the web UI and could allow an authenticated, remote attacker to create a file or overwrite any file on the filesystem of an affected system.
Cisco says an attacker could send a crafted HTTP request to an affected API endpoint. If successful, the attacker could create or overwrite files on the underlying operating system, and that file could later be used to elevate privileges to root.
Cisco also points to what defenders should do now. The company says its Product Security Incident Response Team (PSIRT) became aware of exploitation of CVE-2026-20262 earlier this month and “strongly” advised customers to patch their systems.
Cisco’s patched releases span multiple product lines and version ranges. For 20.9.9.1 and earlier, the first fixed release is 20.9.9.2. For 20.12.7.1 and earlier, it’s 20.12.7.2. For 20.15.4.4 and earlier, it’s 20.15.4.5. For 20.15.5.2 and earlier, it’s 20.15.5.3. For 20.18.3, the first fixed release is 20.18.3.1. For 26.1.1.1 and earlier, it’s 26.1.1.2.
Cisco didn’t provide details about the attacks themselves, but it did share indicators of compromise. Administrators are warned to check their SD-WAN vmanage-server, vmanage-appserver, and serviceproxy-access logs for attempts to upload index.jsp and .war files.
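One way to run the log check described above, as an added example that is not code from Cisco or from the original article. The sample lines and the `/example/upload` path are constructed for illustration and do not reproduce real Catalyst SD-WAN Manager log formats; the paths of the vmanage-server, vmanage-appserver and serviceproxy-access logs are supplied by the operator as arguments.

```python
import re
import sys
from urllib.parse import unquote

# Indicators named in the article: uploads of index.jsp and of .war archives.
# The lookarounds keep words such as "warning" or "software" from matching.
INDICATORS = {
    "index.jsp": re.compile(r"(?<![\w.-])index\.jsp(?![\w-])", re.I),
    "war-archive": re.compile(r"[\w.-]+\.war(?![\w-])", re.I),
}

def decode(line, rounds=3):
    """Undo up to `rounds` layers of percent-encoding (e.g. index%252Ejsp)."""
    for _ in range(rounds):
        decoded = unquote(line)
        if decoded == line:
            break
        line = decoded
    return line

def scan_lines(source, lines):
    """Return (source, line_no, indicator, matched_text) for every hit."""
    hits = []
    for no, raw in enumerate(lines, 1):
        text = decode(raw)
        for name, rx in INDICATORS.items():
            m = rx.search(text)
            if m:
                hits.append((source, no, name, m.group(0)))
    return hits

# Constructed sample lines, NOT real Catalyst SD-WAN Manager log output.
SAMPLE = [
    '10.0.0.5 - user1 "POST /example/upload HTTP/1.1" 200 filename="index.jsp"',
    '10.0.0.5 - user1 "POST /example/upload?name=app%2Ewar HTTP/1.1" 200',
    '10.0.0.5 - user1 "GET /example/dashboard HTTP/1.1" 200',
    "WARN forwarding warning: software update check failed",
    '10.0.0.9 - user2 "POST /example/upload?name=INDEX%252Ejsp HTTP/1.1" 403',
]

if __name__ == "__main__":
    # Pass real log paths as arguments; with none, the constructed sample is scanned.
    hits = scan_lines("sample", SAMPLE) if len(sys.argv) < 2 else []
    for path in sys.argv[1:]:
        with open(path, errors="replace") as fh:
            hits.extend(scan_lines(path, fh))
    for hit in hits:
        print("%s:%d  %s  %s" % hit)
```

A hit is a lead for review, not proof of compromise: legitimate administrative activity may also reference these file names, so correlate each match with the account, source address and time of the request.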
The update lands in a run of troubling Catalyst SD-WAN Manager security advisories. In February, Cisco patched another information disclosure flaw—CVE-2026-20133—flagged as actively exploited in late April. Two weeks later, Cisco warned of two more flaws, CVE-2026-20128 and CVE-2026-20122, that were also abused in the wild. Last month, Cisco tagged a maximum-severity Catalyst SD-WAN Controller authentication-bypass flaw—CVE-2026-20182—as actively exploited as a zero-day to gain admin privileges on unpatched devices.
And the cadence didn’t slow: in early June, Cisco warned of another unpatched Catalyst SD-WAN Manager zero-day, CVE-2026-20245, exploited in attacks that allowed attackers to gain root privileges.
Cisco also notes broader exposure trends. Over the last several years, the Cybersecurity and Infrastructure Security Agency (CISA) has tagged 91 Cisco vulnerabilities as abused in the wild. Five of those are listed as Cisco Catalyst SD-WAN Manager vulnerabilities, and six others were exploited in ransomware attacks.
The immediate message for organizations running Cisco’s SD-WAN management software is clear: the root-escalation path is now closed on patched systems, but defenders have to act fast to update any deployments that have not yet been patched.
So it lets you go from low to root just from uploading files??? wild.
I don’t even know what Catalyst SD-WAN Manager is but if it’s used for managing thousands of devices then yeah this sounds bad. Why do they always wait until it’s already being exploited?
Okay but isn’t SD-WAN vManage the same thing as like WiFi routers at home? Like my cousin said he has this on his network. If it can get root then can hackers just see people’s internet history too?
“Brutal” path to compromise… so basically send a crafted request and overwrite files, then root. Sounds like one of those things you only fix after the damage is done. Also why is it affecting cloud and FedRAMP too? I always thought government stuff was more locked down but guess not.