CVE-2026-20262: Cisco Catalyst SD-WAN Manager Path Traversal — Find Exposed Instances — RECON Blog
JUNE 15, 2026 · CVSS 6.5 · MEDIUM · ACTIVELY EXPLOITED · 5 MIN READ

CVE-2026-20262: Cisco Catalyst SD-WAN Manager Path Traversal — How to Find Exposed Instances

Cisco Catalyst SD-WAN Manager (formerly vManage) contains a path traversal vulnerability that lets authenticated remote attackers create or overwrite arbitrary files on the filesystem. CVSS 6.5, CISA KEV listed. Cisco reports limited exploitation and notes that successful exploitation could enable privilege escalation to root. Here's how to find SD-WAN Manager instances on your network.

The Vulnerability

CVE-2026-20262 (CWE-22: Path Traversal) is a vulnerability in the web UI of Cisco Catalyst SD-WAN Manager. Improper input validation during file upload operations allows an authenticated attacker to traverse directory paths and write files anywhere on the filesystem, including overwriting critical system files. Cisco states that successful exploitation could enable privilege escalation to root.

CVSS: 6.5 Medium (v3.1) — AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N — cisco-sa-sdwan-arbfw-c2rZvQ
CWE: CWE-22 (Improper Limitation of a Pathname to a Restricted Directory)
AFFECTED: Cisco Catalyst SD-WAN Manager 20.9.9.1 and earlier, 20.12.7.1 and earlier, 20.15.4.4 and earlier, 20.15.5.2 and earlier, 20.18.3, 26.1.1.1 and earlier
FIXED: 20.9.9.2, 20.12.7.2, 20.15.4.5, 20.15.5.3, 20.18.3.1, 26.1.1.2
EXPLOITED: Cisco reports limited exploitation — CISA KEV listed June 15, 2026
WORKAROUNDS: None available
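The affected/fixed list above is awkward to apply by hand across a fleet because each release train has its own fix and 20.18.3 is named on its own rather than "and earlier". The script below is an added example (not Cisco tooling and not part of the original post) that triages version strings against exactly the pairs quoted above. The train prefixes used to decide which pair a version belongs to are our assumption; a version matching none of them is reported as not listed so that someone checks the full advisory instead of trusting a guess.

```python
"""Triage Cisco Catalyst SD-WAN Manager version strings against the
CVE-2026-20262 affected/fixed pairs quoted in the advisory summary.

Added example, not Cisco's tooling. The (last affected, first fixed) pairs
are copied from the summary; the train prefixes are our assumption.
"""
from __future__ import annotations

AFFECTED = "affected"
FIXED = "fixed"
NOT_LISTED = "not_listed"
UNKNOWN = "unknown"

# (train prefix, highest affected release, first fixed release)
# Prefix assumption: "20.9" covers 20.9.x.y "and earlier"; the advisory names
# 20.18.3 alone, so that train is pinned to 20.18.3 and 20.18.2 is NOT_LISTED.
RELEASE_TABLE = (
    ("20.9",    "20.9.9.1",  "20.9.9.2"),
    ("20.12",   "20.12.7.1", "20.12.7.2"),
    ("20.15.4", "20.15.4.4", "20.15.4.5"),
    ("20.15.5", "20.15.5.2", "20.15.5.3"),
    ("20.18.3", "20.18.3",   "20.18.3.1"),
    ("26.1.1",  "26.1.1.1",  "26.1.1.2"),
)


def parse_version(text: str) -> tuple[int, ...]:
    """'20.12.7.1' -> (20, 12, 7, 1); rejects anything non-numeric."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def in_train(version: tuple[int, ...], prefix: str) -> bool:
    p = parse_version(prefix)
    return version[: len(p)] == p


def triage(text: str) -> tuple[str, str | None]:
    """Return (status, first fixed release or None) for one version string.

    Python tuple comparison handles the short 20.18.3 release correctly:
    (20, 18, 3) < (20, 18, 3, 1), so 20.18.3 is affected and 20.18.3.1 fixed.
    """
    v = parse_version(text)
    for prefix, last_bad, first_good in RELEASE_TABLE:
        if not in_train(v, prefix):
            continue
        if v <= parse_version(last_bad):
            return AFFECTED, first_good
        if v >= parse_version(first_good):
            return FIXED, first_good
        # Between the last affected and the first fixed build: unusual
        # interim build, treat as unknown rather than assume it is patched.
        return UNKNOWN, first_good
    return NOT_LISTED, None


def triage_inventory(inventory: dict[str, str]) -> dict[str, tuple[str, str | None]]:
    """Run triage() over a hostname -> version map (e.g. a CMDB export)."""
    return {host: triage(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed inventory for illustration; not real hosts.
    sample = {
        "vmanage-dc1": "20.12.7.1",
        "vmanage-dc2": "20.15.4.5",
        "vmanage-lab": "20.18.3",
        "vmanage-old": "20.9.3.2",
        "vmanage-fed": "26.1.1.2",
        "vmanage-odd": "20.18.2",
    }
    for host, (status, fix) in triage_inventory(sample).items():
        print(f"{host:12} {sample[host]:10} {status:10} fix={fix}")
```

Feed it the version column of your SD-WAN Manager inventory; anything reported as `not_listed` or `unknown` needs a manual check against the Cisco advisory before it is closed out.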
Although the CVSS base score is 6.5 (Medium), the CISA KEV listing and confirmed exploitation elevate the urgency. The vulnerability requires only low-privilege credentials; a single-task user account is sufficient. Combined with the ability to write arbitrary files as the application user, attackers can overwrite configuration files, plant backdoors, or escalate to root. No workarounds exist; patching is the only mitigation.

What Is Cisco Catalyst SD-WAN Manager?

Cisco Catalyst SD-WAN Manager (formerly Cisco SD-WAN vManage) is the centralized management plane for Cisco's SD-WAN fabric. It provides configuration management, monitoring, and policy orchestration for all SD-WAN edge devices across an organization's WAN. It's deployed as a virtual machine or on dedicated hardware in enterprise data centers, and is available as On-Prem, Cloud-Pro, Cloud Managed, and FedRAMP Government editions. Compromising SD-WAN Manager gives an attacker control over the entire WAN routing fabric, including the ability to redirect traffic, modify security policies, and pivot to branch offices.

All Deployment Types Affected

Cisco confirms that all deployment types are vulnerable: On-Prem, Cloud-Pro, Cloud Managed, and FedRAMP Government. This means both self-hosted and Cisco-hosted deployments need attention. Organizations running the FedRAMP Government edition should treat this with particular urgency given the CISA KEV listing.

Investigation Workflow

SD-WAN Manager instances are typically not internet-facing; they sit in management networks behind the WAN edge. But internal attackers or compromised hosts with low-privilege credentials can exploit this. Here's how to locate every SD-WAN Manager instance on your network.

1. Port Scan: Find SD-WAN Manager Instances

Cisco Catalyst SD-WAN Manager exposes several network services.
Scan your management subnets for these ports:

• 8443 — Web UI (primary management interface, where the vulnerability lives)
• 443 — Web UI (alternative HTTPS port in some deployments)
• 8040 — SD-WAN control plane (NETCONF/YANG)
• 830 — NETCONF SSH
• 6379 — Internal Redis (cluster deployments)

Port 8443 is the primary target: it hosts the web UI with the vulnerable file upload functionality.

2. TLS Inspect: Identify Cisco Certificates

Pull the TLS certificate on port 8443. SD-WAN Manager instances typically present certificates with identifying characteristics:

• Subject or issuer containing Cisco, vManage, or SDWAN
• Organization fields referencing Cisco Systems
• Self-signed certificates with vManage in the CN (common in lab and initial deployments)

3. HTTP Headers: Fingerprint the Web UI

The SD-WAN Manager web UI has distinct HTTP fingerprints. Probe port 8443 and look for:

• Login page at / or /#/login with "Cisco SD-WAN" or "Cisco Catalyst SD-WAN" branding
• Server header indicating the application server
• Response body containing vManage, SD-WAN, or Cisco Catalyst
• API endpoints under /dataservice/ — the REST API prefix used by SD-WAN Manager

4. DNS: Discover SD-WAN Infrastructure

Query internal DNS for common SD-WAN Manager naming patterns: vmanage-*, sdwan-*, sdwan-mgr-*, catalyst-sdwan-*, wan-mgr-*....
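Steps 1 to 3 above combine naturally into one sweep: connect-scan the listed ports, then pull the certificate and landing page from every open web port and score the three independent indicators (certificate strings, page branding, the /dataservice/ prefix). The script below is an added example, not code from Cisco or from the RECON app. The indicator strings are the ones listed above; the score threshold of two indicators, the 64 KB body limit and the choice to fetch a plain GET of / without following redirects are our assumptions. TLS verification is disabled on purpose, because self-signed certificates are normal on these appliances.

```python
"""Locate and fingerprint Cisco Catalyst SD-WAN Manager on a management
subnet: TCP sweep of the listed ports, then a TLS + HTTP probe of each web
port scored on certificate, body and API-prefix indicators.

Added example, not Cisco or RECON code. Indicator strings come from the
post; the threshold and probe details are our assumptions.
"""
from __future__ import annotations

import http.client
import ipaddress
import socket
import ssl
from dataclasses import dataclass, field

SDWAN_PORTS = (8443, 443, 8040, 830, 6379)   # port list from step 1
WEB_PORTS = (8443, 443)
CERT_INDICATORS = ("cisco", "vmanage", "sdwan")
BODY_INDICATORS = ("vmanage", "sd-wan", "cisco catalyst")
API_PREFIX = "/dataservice/"
LIKELY_THRESHOLD = 2                         # assumption: two independent hits


@dataclass
class Evidence:
    host: str
    port: int
    cert_text: str = ""                      # raw DER certificate decoded as latin-1
    headers: dict[str, str] = field(default_factory=dict)
    body: str = ""


def classify(ev: Evidence) -> tuple[int, list[str]]:
    """Score one web endpoint 0..3 and explain which indicators fired."""
    reasons: list[str] = []
    cert = ev.cert_text.lower()
    cert_hits = [i for i in CERT_INDICATORS if i in cert]
    if cert_hits:
        reasons.append("TLS certificate contains " + ", ".join(cert_hits))
    body = ev.body.lower()
    body_hits = [i for i in BODY_INDICATORS if i in body]
    if body_hits:
        reasons.append("response body contains " + ", ".join(body_hits))
    if API_PREFIX in body:
        reasons.append(f"response references the {API_PREFIX} REST prefix")
    if "server" in ev.headers:                # recorded for the report, not scored
        reasons.append("Server header: " + ev.headers["server"])
    score = int(bool(cert_hits)) + int(bool(body_hits)) + int(API_PREFIX in body)
    return score, reasons


def is_likely_sdwan_manager(ev: Evidence) -> bool:
    return classify(ev)[0] >= LIKELY_THRESHOLD


def open_ports(host: str, ports=SDWAN_PORTS, timeout: float = 1.0) -> list[int]:
    """Plain TCP connect scan, no banner grabbing."""
    found = []
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                found.append(port)
        except OSError:
            pass
    return found


def probe_web(host: str, port: int, timeout: float = 5.0) -> Evidence:
    """Grab the peer certificate and the landing page over TLS.

    With verify_mode=CERT_NONE, getpeercert() returns {}, but the DER blob from
    getpeercert(binary_form=True) still carries subject/issuer strings verbatim,
    so a substring match on it is enough for fingerprinting (no ASN.1 parser).
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ev = Evidence(host, port)
    conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    try:
        conn.connect()
        der = conn.sock.getpeercert(binary_form=True) or b""
        ev.cert_text = der.decode("latin-1")
        conn.request("GET", "/", headers={"User-Agent": "sdwan-inventory/1.0"})
        resp = conn.getresponse()
        ev.headers = {k.lower(): v for k, v in resp.getheaders()}
        ev.body = resp.read(65536).decode("utf-8", errors="replace")
    finally:
        conn.close()
    return ev


def sweep(cidr: str) -> list[tuple[str, int, int, list[str]]]:
    """Sweep a subnet; returns (host, port, score, reasons) per open web port."""
    results = []
    for ip in ipaddress.ip_network(cidr, strict=False).hosts():
        host = str(ip)
        for port in (p for p in open_ports(host) if p in WEB_PORTS):
            try:
                ev = probe_web(host, port)
            except (OSError, http.client.HTTPException):
                continue
            score, reasons = classify(ev)
            results.append((host, port, score, reasons))
    return results


if __name__ == "__main__":
    # Assumed management subnet for illustration; replace with your own.
    for host, port, score, reasons in sweep("10.0.0.0/28"):
        tag = "LIKELY SD-WAN Manager" if score >= LIKELY_THRESHOLD else "unlikely"
        print(f"{host}:{port} score={score} {tag} :: {'; '.join(reasons)}")
```

A single hit (for example only a Cisco-issued certificate) is deliberately below the threshold, since many Cisco products present such certificates; confirm any borderline host by hand against the /dataservice/ prefix and the login page branding, then cross-check its version with the advisory's fixed list.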