Published Tuesday, June 16, 2026 at 04:40 AM PT

BLUF: Cisco has patched CVE-2026-20262, a zero-day vulnerability in Catalyst SD-WAN Manager that enables arbitrary file write and is confirmed to be actively exploited in the wild. Organizations running Cisco Catalyst SD-WAN Manager must apply available patches without delay.
DETAILS
- CVE-2026-20262 affects Cisco Catalyst SD-WAN Manager and permits arbitrary file write, which can enable attackers to modify system files, plant malicious content, or potentially achieve code execution depending on file targets and permissions.
- Cisco confirmed it became aware of active exploitation in the wild prior to or concurrent with patch release, classifying this as a true zero-day at time of discovery.
- Cisco has released security updates addressing this vulnerability; patches are confirmed available per corroborating reporting from The Hacker News.
- This is described as “another” SD-WAN zero-day, indicating this product line has been subject to repeated targeting and suggesting sustained adversary interest in Cisco SD-WAN infrastructure.
- Attribution, threat actor identity, and attack scale are unconfirmed at this time. No specific campaign or actor has been publicly linked to exploitation of this CVE.
IMPACT
- Directly affected: Organizations running Cisco Catalyst SD-WAN Manager in any deployment (on-premises, cloud-managed, hybrid).
- Scope: SD-WAN infrastructure is typically network-critical; compromise of the Manager component can provide attackers with broad visibility into or control over enterprise WAN topology.
- Severity of arbitrary file write: Exploitation primitives of this class frequently serve as stepping stones to persistence, privilege escalation, or lateral movement across managed network segments.
- Breadth unknown: Number of affected organizations and confirmed victim count have not been disclosed publicly.
RECOMMENDED ACTIONS
- Apply Cisco’s security updates immediately; consult Cisco’s official Security Advisory for affected versions and patch availability.
- Audit SD-WAN Manager access logs for anomalous file system activity, unexpected configuration changes, or unauthorized access attempts.
- Restrict management plane exposure: ensure SD-WAN Manager is not internet-facing; enforce allowlisted IP access where possible.
- Verify file integrity on SD-WAN Manager hosts to identify potential indicators of prior exploitation.
- Monitor Cisco PSIRT for updated indicators of compromise (IOCs) as investigation matures.
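
For the file-integrity action above, one way to compare a filesystem tree from an SD-WAN Manager host against a known-good copy. This is an added example, not code from Cisco or the cited sources. It assumes a trusted baseline tree (for example, a clean install of the same release) and a mounted copy of the tree under review; the function names and paths are hypothetical.

```python
import hashlib
import os
import stat


def build_manifest(root):
    """Map each regular file under root (relative path) to (sha256, mode bits)."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets and devices are not hashed
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
            rel = os.path.relpath(path, root)
            manifest[rel] = (digest.hexdigest(), stat.S_IMODE(st.st_mode))
    return manifest


def compare(baseline, current):
    """Report the traces an arbitrary file write can leave: new files,
    changed content, changed permissions, and files that disappeared."""
    findings = {"added": [], "modified": [], "mode_changed": [], "removed": []}
    for rel, (digest, mode) in current.items():
        if rel not in baseline:
            findings["added"].append(rel)
            continue
        base_digest, base_mode = baseline[rel]
        if digest != base_digest:
            findings["modified"].append(rel)
        if mode != base_mode:
            findings["mode_changed"].append(rel)
    findings["removed"] = [rel for rel in baseline if rel not in current]
    for key in findings:
        findings[key].sort()
    return findings


if __name__ == "__main__":
    import json
    import sys
    # Usage (hypothetical paths): python fim.py /mnt/known_good /mnt/under_review
    known_good, under_review = sys.argv[1], sys.argv[2]
    report = compare(build_manifest(known_good), build_manifest(under_review))
    print(json.dumps(report, indent=2))
```

A baseline captured from a host that may already have been exploited is not trustworthy; expected differences such as logs and runtime state need to be triaged out of the report by hand.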
SOURCES
- SecurityWeek: Cisco Patches Another SD-WAN Zero-Day Exploited in Attacks
- The Hacker News: Cisco Releases Security Updates for Actively Exploited SD-WAN Manager Flaw
- Cisco PSIRT advisory (consult directly at tools.cisco.com/security/center)
⚠️ UNCERTAINTY FLAG: Threat actor identity, exploitation scale, and full technical impact chain are unconfirmed. This alert will require update as Cisco and third-party researchers publish additional findings.
