Cisco Catalyst SD-WAN Manager Arbitrary File Write to Root Escalation Under Active Exploitation (CVE-2026-20262)

Scope: Cisco Catalyst SD-WAN Manager (On-Premises, Cloud-Pro, Cisco Managed Cloud, and FedRAMP Deployments)

Severity: Red

CISA added CVE-2026-20262 to its Known Exploited Vulnerabilities catalog on June 16, 2026, marking the eighth confirmed Cisco SD-WAN exploitation in 2026 in what Cisco describes as limited, targeted attacks by a sophisticated threat actor. The flaw allows an authenticated attacker with basic write credentials to send a crafted HTTP request to an affected API endpoint and create or overwrite arbitrary files on the underlying OS, which can then be used to escalate privileges to root and seize complete control of the SD-WAN Manager, the centralized platform that controls routing, security policies, and traffic flows across potentially thousands of edge devices. Organizations must upgrade immediately to fixed releases 20.9.9.2, 20.12.7.2, 20.15.4.5, 20.15.5.3, 20.18.3.1, or 26.1.1.2, audit logs for suspicious index.jsp and .war file upload attempts as exploitation indicators, rotate all admin credentials, and enforce MFA on all SD-WAN Manager accounts. FCEB agencies must remediate by June 29, 2026 per BOD 26-04.
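The log audit recommended above, as an added example that is not part of the original advisory or any Cisco tooling: it flags write-type requests whose decoded target names index.jsp or a .war file. The log line layout, the placeholder request path and all sample lines are assumptions constructed for illustration; adapt the pattern to the format your SD-WAN Manager logs actually use.

```python
import re
from urllib.parse import unquote

# Assumed line layout (not from the advisory):
# client - user [time] "METHOD target PROTO" status
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Indicators named in the advisory: index.jsp and .war file upload attempts.
INDICATOR_RE = re.compile(r'(index\.jsp|[^/\\\s?&=]+\.war)(?![\w.])', re.I)
WRITE_METHODS = {"POST", "PUT", "PATCH"}

def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded names (%252E) are still seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_upload_indicators(lines):
    """Return one record per write request that names index.jsp or a .war file."""
    hits = []
    for number, line in enumerate(lines, start=1):
        m = LINE_RE.match(line)
        if not m or m["method"] not in WRITE_METHODS:
            continue  # unparsable line or read-only request
        found = INDICATOR_RE.search(decode_fully(m["target"]))
        if found:
            hits.append({"line": number, "client": m["client"], "user": m["user"],
                         "time": m["time"], "status": int(m["status"]),
                         "indicator": found.group(1).lower()})
    return hits

# Constructed sample lines; addresses, users and the path are placeholders.
SAMPLE_LOG = [
    '192.0.2.10 - admin [16/Jun/2026:10:01:02 +0000] "GET /index.jsp HTTP/1.1" 200',
    '198.51.100.7 - operator1 [16/Jun/2026:10:05:44 +0000] "POST /placeholder/api?name=index.jsp HTTP/1.1" 200',
    '198.51.100.7 - operator1 [16/Jun/2026:10:06:10 +0000] "PUT /placeholder/api?name=app%252Ewar HTTP/1.1" 201',
    '192.0.2.10 - admin [16/Jun/2026:10:07:00 +0000] "POST /placeholder/api?name=warning.txt HTTP/1.1" 200',
]

if __name__ == "__main__":
    for hit in find_upload_indicators(SAMPLE_LOG):
        print(hit)
```

Each hit carries the source address and account name, which gives a starting list for the credential rotation the advisory calls for.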

The Uganda National CERT and Coordination Center (CERT.UG/CC) encourages users and administrators to review the recommendations and apply the necessary updates.