CVE-2026-20262: Cisco Catalyst SD-WAN Manager Directory Path Traversal
A high-severity path traversal vulnerability has been discovered in Cisco Catalyst SD-WAN Manager that allows an authenticated remote attacker to create or overwrite any file on the filesystem of an affected system. The flaw was added to the CISA Known Exploited Vulnerabilities (KEV) catalog on June 15, 2026, confirming active exploitation in the wild.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-20262 |
| Vendor | Cisco |
| Product | Catalyst SD-WAN Manager |
| CWE | Directory or Path Traversal |
| Attack Vector | Network (remote, authenticated) |
| Authentication Required | Yes (low-privilege account sufficient) |
| CISA KEV Added | June 15, 2026 |
| Exploitation Status | Actively exploited in the wild |
Technical Description
The vulnerability exists in Cisco Catalyst SD-WAN Manager due to improper validation of file paths in an API handler. By supplying a specially crafted path containing directory traversal sequences (e.g., ../../), an authenticated attacker can escape the intended restricted directory and interact with arbitrary locations on the underlying filesystem.
A successful exploit allows the attacker to:
- Create new files in any writable location on the filesystem
- Overwrite existing files, including critical system configuration, authentication, or executable files
- Achieve persistence by writing to init/startup paths or cron directories
- Escalate privileges by overwriting files owned by root or the SD-WAN process user
Attack Chain
```text
Attacker (authenticated, remote)
│
▼
Cisco SD-WAN Manager API endpoint
│ Crafted path: /api/upload?path=../../etc/cron.d/backdoor
▼
Path traversal bypasses directory restriction
│
▼
Arbitrary file write on host filesystem
│
├── Overwrite /etc/passwd or /etc/shadow
├── Write cron job for persistent access
└── Replace SD-WAN configuration files
```
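The following is an added example, not Cisco's code and not based on the actual handler: it pairs the naive join described above with the containment check a file-write handler of this kind needs, and reuses the same decoding step for a log scan that catches the traversal sequences the later API Log Review grep lists (including double-encoded forms). The upload root, the `/api/upload?path=` endpoint and the log lines are constructed for illustration.

```python
import os
import re
from collections import Counter
from urllib.parse import unquote

def decode(s: str) -> str:
    """Percent-decode until stable (%2e%2e and %252e%252e both become ..) and
    treat backslashes as separators, so encoded traversal cannot slip past."""
    for _ in range(4):
        nxt = unquote(s)
        if nxt == s:
            break
        s = nxt
    return s.replace("\\", "/")

def naive_join(root: str, user_path: str) -> str:
    """Vulnerable pattern: join user input to the base directory, no containment."""
    return os.path.normpath(os.path.join(root, user_path))

def resolve_within(root: str, user_path: str):
    """Hardened: decode, reject NULs and absolute paths, resolve symlinks, and
    require the real path to stay under root. Returns None when rejected."""
    rel = decode(user_path)
    if "\x00" in rel or os.path.isabs(rel):
        return None
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, rel))
    return candidate if os.path.commonpath([root_real, candidate]) == root_real else None

# Common-log-format line: ip ident user [time] "METHOD target proto" status size
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
TRAVERSAL = re.compile(r"\.\.(/|$)")  # ".." used as a path component

def scan_access_log(lines):
    """Count write-type requests per source IP whose decoded target contains a
    traversal component; decoding first catches encodings a fixed grep list omits."""
    hits = Counter()
    for line in lines:
        m = LOG_LINE.match(line)
        if m and m.group(2) in ("POST", "PUT", "PATCH") and TRAVERSAL.search(decode(m.group(3))):
            hits[m.group(1)] += 1
    return hits

# Constructed sample lines (not real logs): the diagram's path, plain and double-URL-encoded.
SAMPLE_LOG = [
    '10.1.2.3 - admin [15/Jun/2026:10:00:01 +0000] "POST /api/upload?path=reports/daily.csv HTTP/1.1" 200 512',
    '203.0.113.7 - ops [15/Jun/2026:10:00:02 +0000] "POST /api/upload?path=../../etc/cron.d/backdoor HTTP/1.1" 200 64',
    '203.0.113.7 - ops [15/Jun/2026:10:00:03 +0000] "POST /api/upload?path=%252e%252e%252f%252e%252e%252fetc/passwd HTTP/1.1" 200 64',
    '10.1.2.9 - ro [15/Jun/2026:10:00:04 +0000] "GET /api/files?path=../../etc/passwd HTTP/1.1" 403 0',
]
```

`resolve_within` returns the real path only when it stays under the root, so symlinks inside the upload directory that point elsewhere are also rejected; `scan_access_log(SAMPLE_LOG)` attributes both traversal attempts to the one source address and ignores the read-only GET.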
Impact
Cisco Catalyst SD-WAN Manager is the centralized orchestration and management plane for enterprise SD-WAN deployments. Compromise of this component can have far-reaching effects across all managed network sites.
| Impact Area | Description |
|---|---|
| Integrity | Attacker can modify any file, including security-critical OS and application files |
| Availability | Overwriting configuration or binary files can crash SD-WAN services or the management system |
| Confidentiality | Attacker may overwrite log-rotation configs to suppress evidence, or write credential-harvesting hooks |
| Network-Wide Impact | SD-WAN Manager controls routing policy and segmentation for all managed branch sites |
| Lateral Movement | Compromised management plane enables configuration changes that pivot access to branch devices |
Affected Systems
Organizations running Cisco Catalyst SD-WAN Manager should immediately consult the Cisco Security Advisory for the complete list of affected and fixed software versions. Systems where the SD-WAN Manager API is accessible from untrusted or internet-facing networks are at significantly elevated risk.
Remediation
Immediate Actions
- Apply Cisco patches — check the official Cisco Security Advisory for CVE-2026-20262 to obtain fixed software versions
- Restrict API access — limit access to the SD-WAN Manager interface to trusted management IP ranges using ACLs or firewall rules; the management API should never be exposed to the internet
- Audit file system for unauthorized changes — review recently modified files in key directories for evidence of exploitation
Network Segmentation (Immediate Mitigation)
```bash
# Block internet access to SD-WAN Manager management ports
# Apply on perimeter firewall or upstream ACL
# Allow only trusted management subnets (example ranges; substitute your own)
# Note: -A appends, so any earlier ACCEPT rule for these ports still takes precedence
iptables -A INPUT -s 10.0.0.0/8 -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/16 -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP
# Also restrict alternate management port if used
iptables -A INPUT -s 10.0.0.0/8 -p tcp --dport 8443 -j ACCEPT
iptables -A INPUT -p tcp --dport 8443 -j DROP
```
Detection: Filesystem Integrity
```bash
# Check for recently modified critical files
# (the coreutils package file serves as a rarely-changing timestamp baseline)
find /etc -newer /var/lib/dpkg/info/coreutils.list -ls 2>/dev/null
# Monitor for unexpected writes in SD-WAN directories
auditctl -w /opt/sdwan/ -p wa -k sdwan_write
auditctl -w /etc/cron.d/ -p wa -k cron_write
auditctl -w /etc/passwd -p wa -k passwd_write
# Review results
ausearch -k sdwan_write --start today
ausearch -k cron_write --start today
```
Detection: API Log Review
```bash
# Search SD-WAN Manager API logs for traversal sequences (plain, URL-encoded, double-encoded)
grep -Ei '(\.\./|%2e%2e%2f|%252e%252e%252f)' /var/log/vmanage/access.log
# Flag any file-upload or file-write API calls from unexpected source IPs
grep -E 'POST.*(upload|file|write)' /var/log/vmanage/access.log | \
  awk '{print $1}' | sort | uniq -c | sort -rn | head -20
```
CISA KEV Guidance
CISA has added CVE-2026-20262 to the Known Exploited Vulnerabilities catalog. Federal Civilian Executive Branch (FCEB) agencies must remediate this vulnerability by the mandated due date. All organizations should treat this as an emergency priority given confirmed in-the-wild exploitation — path traversal vulnerabilities with authenticated file-write capability are reliably escalated to full system compromise by threat actors.
Key Takeaways
- CVE-2026-20262 is a path traversal flaw in Cisco Catalyst SD-WAN Manager allowing arbitrary file creation or overwrite by any authenticated remote user
- Actively exploited — the CISA KEV addition as of June 15, 2026 confirms real-world attacks; patch or mitigate immediately
- SD-WAN Manager is a high-value target — it controls network-wide routing and security policies across all managed branch sites
- Authentication does not mean low risk — attackers routinely obtain valid credentials through phishing, credential stuffing, or existing footholds; even "authenticated only" flaws must be treated as critical in management-plane systems
- Restrict API access now — if patching is not immediately possible, network-level access control is the most effective mitigation