CVE-2026-20262 is an arbitrary file write vulnerability affecting Cisco Catalyst SD-WAN Manager.
The vulnerability is caused by improper file handling within the application. An authenticated remote attacker may exploit the flaw by sending crafted requests to vulnerable interfaces, allowing arbitrary files to be written or overwritten on the underlying file system.
Successful exploitation could enable attackers to modify system files, alter application behavior, compromise system integrity, establish persistence, and facilitate further attacks against SD-WAN management infrastructure.
Cisco PSIRT reported becoming aware of limited exploitation of this vulnerability in June 2026.
RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats we classify as the highest severity level and warrant out-of-band emergency patching or mitigation action.
Cisco Catalyst SD-WAN Manager Arbitrary File Write Vulnerability
Identifier: CVE-2026-20262
PoC or Exploitation:
Cisco PSIRT reported becoming aware of limited exploitation of CVE-2026-20262 in June 2026.
CVSS Score: 6.5 (Medium, CVSS v3.1)
Update / Patch:
Cisco has released software updates that address this vulnerability and strongly recommends customers upgrade to a fixed software release.
Affected Product
Cisco Catalyst SD-WAN Manager
Affected deployment types include:
On-Prem Deployment
Cisco SD-WAN Cloud-Pro
Cisco SD-WAN Cloud (Cisco Managed)
Cisco SD-WAN for Government (FedRAMP)
Fixed Versions
Affected Release: 20.9.9.1 and earlier
First Fixed Release: 20.9.9.2
Affected Release: 20.12.7.1 and earlier
First Fixed Release: 20.12.7.2
Affected Release: 20.15.4.4 and earlier
First Fixed Release: 20.15.4.5
Affected Release: 20.15.5.2 and earlier
First Fixed Release: 20.15.5.3
Affected Release: 20.18.3
First Fixed Release: 20.18.3.1
Affected Release: 26.1.1.1 and earlier
First Fixed Release: 26.1.1.2
Cisco advisory and remediation guidance:
Description:
CVE-2026-20262 is an arbitrary file write vulnerability affecting Cisco Catalyst SD-WAN Manager.
The vulnerability is caused by improper file handling within the application. An authenticated remote attacker could exploit the flaw by sending crafted requests to vulnerable interfaces, allowing arbitrary files to be written or overwritten on the underlying file system.
Successful exploitation could allow an attacker to modify system files, alter application behavior, compromise system integrity, establish persistence, or facilitate further attacks against the affected SD-WAN management infrastructure.
Mitigation Recommendation:
Immediately upgrade affected Cisco Catalyst SD-WAN Manager deployments to the appropriate fixed software release.
Prioritize remediation of internet-accessible and externally reachable SD-WAN Manager instances.
Review Cisco SD-WAN Manager logs, audit records, and administrative activity for indicators of unauthorized file creation, modification, or suspicious API activity.
Investigate unexpected configuration changes, newly created files, modified files, or anomalous system behavior that could indicate exploitation.
Restrict administrative access to trusted management networks and authorized personnel.
Implement network segmentation and access controls to limit exposure of management interfaces.
Conduct compromise assessments on vulnerable deployments, particularly those exposed to untrusted networks.