Cisco has released security updates addressing a critical zero-day vulnerability in its Catalyst SD-WAN Manager, formerly known as SD-WAN vManage. Tracked as CVE-2026-20262, the flaw allows an authenticated, remote attacker to write arbitrary files or escalate privileges to root. The company confirmed that it became aware of the flaw being actively exploited in attacks.

The vulnerability carries a CVSS score of 6.5 out of 10.0, placing it at medium severity. Despite the relatively moderate score, its exploitation in the wild has raised alarm. The flaw affects the web UI of the SD-WAN management platform, which plays a central role in network orchestration for enterprise customers.

An attacker with valid credentials can leverage the vulnerability to write malicious files onto the system, potentially leading to full root access. This could enable adversaries to tamper with network configurations, extract sensitive data, or pivot to other connected systems. Indicators of compromise have not been publicly detailed by Cisco.

Patches are now available through Cisco's software update channels. The company has not released a workaround, urging all customers running vulnerable versions of Catalyst SD-WAN Manager to apply the updates immediately. No timeline for additional fixes has been provided.

The zero-day adds to a growing list of actively exploited vulnerabilities in Cisco's SD-WAN portfolio this year, underscoring persistent interest from attackers in network management infrastructure. While no attribution has been made, the incident aligns with increasing state-sponsored targeting of enterprise orchestration tools.