Cisco SD-WAN vManage Zero-Day Vulnerability Exploited

Sarah Simpson
June 16, 2026

Cisco has disclosed a critical security vulnerability in its Catalyst SD-WAN Manager (formerly vManage) that is now actively exploited in zero-day attacks. This revelation raises significant concern for enterprise network environments worldwide.

The vulnerability, tracked as CVE-2026-20262, is an arbitrary-file-write flaw in the web-based management interface. It carries a CVSS score of 6.5 and stems from improper validation of user-supplied input during file upload operations.

According to Cisco, attackers with valid credentials and write-level access can exploit this flaw to upload crafted files to targeted systems. Once exploited, the vulnerability allows an attacker to create or overwrite files anywhere on the underlying operating system.

Cisco SD-WAN vManage Vulnerability

This capability can be leveraged to deploy malicious payloads, including web shells, and potentially escalate privileges to root level, significantly increasing the severity of the attack.

Cisco’s Product Security Incident Response Team (PSIRT) confirmed that the vulnerability has already been observed in limited real-world exploitation as of June 2026.

This places the flaw in the category of zero-day vulnerabilities, where attackers can exploit it before widespread patching occurs.

The issue affects all deployment models of Cisco Catalyst SD-WAN Manager, including on-premises systems, Cisco SD-WAN Cloud, Cloud-Pro, and FedRAMP environments.

Notably, there are no available workarounds, making immediate patching the only effective mitigation. Security researchers highlight that internet-exposed SD-WAN management interfaces are the most at risk.

Attackers can exploit exposed API endpoints by crafting HTTP requests to upload malicious files. One example includes uploading a WAR file to sensitive directories using directory traversal techniques. Cisco has provided specific Indicators of Compromise (IOCs) to help organizations detect potential exploitation.

Suspicious activity may appear in log files such as:

  • vmanage-server.log showing unauthorized file uploads, including paths like “../../../../var/lib/wildfly/standalone/deployments/suspicious.war”.
  • vmanage-appserver.log indicating deployment of unexpected WAR files.
  • serviceproxy-access.log capturing HTTP POST requests to malicious endpoints such as “/suspicious/index.jsp”.

These logs suggest post-exploitation activity, where attackers deploy and interact with malicious applications within the system.
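The three indicators above can be turned into a first-pass log triage. The sketch below is an added example, not Cisco's tooling or code from the advisory: the log line layouts, the `EXPECTED_WARS` baseline and the sample lines are constructed assumptions, and the patterns match only the strings quoted in this article (plus URL-encoded traversal).

```python
import re
from urllib.parse import unquote

# Assumption: WAR files expected on this host; placeholder name, use your own baseline.
EXPECTED_WARS = {"expected-app.war"}

# "../" sequences that end in a .war file inside a deployments directory
TRAVERSAL_WAR = re.compile(r"(?:\.\./)+[^\s\"']*deployments/[^\s\"'/]+\.war", re.I)
WAR_NAME = re.compile(r"([\w.-]+\.war)\b", re.I)
POST_JSP = re.compile(r"\bPOST\s+(/\S+\.jsp)\b", re.I)

def triage(log_name, lines):
    """Return (log, line_no, rule, evidence) tuples for lines matching the article's IOCs."""
    hits = []
    for no, raw in enumerate(lines, 1):
        line = unquote(raw)  # also catches %2e%2e%2f-encoded traversal
        if log_name == "vmanage-server.log":
            m = TRAVERSAL_WAR.search(line)
            if m:
                hits.append((log_name, no, "traversal-war-upload", m.group(0)))
        elif log_name == "vmanage-appserver.log":
            for war in WAR_NAME.findall(line):
                if war.lower() not in EXPECTED_WARS:
                    hits.append((log_name, no, "unexpected-war-deploy", war))
        elif log_name == "serviceproxy-access.log":
            m = POST_JSP.search(line)
            if m:
                hits.append((log_name, no, "post-to-jsp", m.group(1)))
    return hits

# Constructed sample lines; real log layouts will differ.
SAMPLES = {
    "vmanage-server.log": [
        "INFO upload saved as report.csv",
        "INFO upload saved as ../../../../var/lib/wildfly/standalone/deployments/suspicious.war",
        "INFO upload saved as %2e%2e%2f%2e%2e%2fvar/lib/wildfly/standalone/deployments/x.war",
    ],
    "vmanage-appserver.log": [
        'INFO Deployed "expected-app.war"',
        'INFO Deployed "suspicious.war"',
    ],
    "serviceproxy-access.log": [
        '10.0.0.5 - - "GET /index.html HTTP/1.1" 200',
        '10.0.0.5 - - "POST /suspicious/index.jsp HTTP/1.1" 200',
    ],
}

def run_samples():
    return [h for name, lines in SAMPLES.items() for h in triage(name, lines)]
```

A hit is a lead for review against the host's known deployments, not proof of compromise; legitimate POSTs to JSP pages or planned WAR deployments will also match until the baseline is tuned.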

Cisco clarified that this vulnerability does not directly affect SD-WAN traffic handling or connectivity.

However, compromise of the management plane could allow attackers to manipulate configurations or maintain persistent access. To address the issue, Cisco has released patched versions across multiple software branches.

Affected users are strongly advised to upgrade to fixed releases such as 20.9.9.2, 20.12.7.2, 20.15.4.5, 20.15.5.3, 20.18.3.1, and 26.1.1.2, depending on their deployment.

Organizations are also encouraged to audit logs, restrict external access to management interfaces, and use the “request admin-tech” command to collect diagnostic data before engaging Cisco TAC for incident response support.

This vulnerability was identified during internal security testing. However, its rapid transition to active exploitation highlights the ongoing risk posed by exposed management interfaces and insufficient input validation mechanisms.

With no workaround available and active attacks underway, timely patching and continuous monitoring remain critical to reducing exposure.
