LiveActive security incident?Get immediate response
CVE Record

CVE-2026-20262: Cisco Catalyst SD-WAN Manager Arbitrary File Write Vulnerability

A vulnerability in the web UI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an authenticated, remote attacker to create a file or overwrite any file on the filesystem of an affected system. This vulnerability exists because the affected software does not properly validate user-supplied input during a file upload process. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected API endpoint of the affected system. A successful exploit could allow the attacker to create or overwrite any file on the underlying operating system. This file could later be used to elevate to root. To exploit this vulnerability, the attacker must have valid credentials with at least a lower-privileged, single-task user account.

MediumCVSS 6.5Known exploitedUpdated
Glexia's TakeAutomated analysishigh

Security readout for executives and security teams

Plain-English summary

Cisco Catalyst SD-WAN Manager has an authenticated file-write flaw in its web UI. A low-privileged user could create or overwrite operating system files, potentially enabling later root escalation. Because CISA lists this CVE in KEV, treat it as actively exploited and prioritize exposed management systems.

Executive priority

Prioritize within emergency vulnerability management queues for any reachable SD-WAN Manager. Although the CVSS score is medium, active exploitation and potential root escalation on a network management platform create elevated business risk.

Technical view

The issue is improper validation of user input during file upload, mapped to CWE-22. An authenticated remote attacker can send a crafted HTTP request to an affected API endpoint and write arbitrary files on the underlying OS. CVSS is 6.5, but KEV status raises operational urgency.

Likely exposure

Organizations running Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, on affected versions are exposed if attackers can authenticate to the web UI. Risk is highest where management access is broadly reachable or low-privileged accounts are weakly controlled.

Exploitation context

CISA KEV status supports active exploitation. The source states exploitation requires valid credentials with at least a lower-privileged, single-task user account. No user interaction is required, and successful exploitation affects file integrity, with possible later root escalation.

Researcher notes

Sources do not provide exploit details or fixed-version mappings in the supplied bundle. Validation should focus on version confirmation, account exposure, management-plane reachability, and evidence of unauthorized file writes. Avoid assuming unauthenticated exposure; credentials are required per Cisco’s description.

Mitigation direction

  • Review Cisco’s advisory for fixed releases and upgrade guidance.
  • Limit SD-WAN Manager web UI access to trusted management networks.
  • Audit and restrict low-privileged and single-task user accounts.
  • Enforce strong authentication and remove unused accounts.
  • Monitor for unexpected file creation or overwrites on managers.

Validation and detection

  • Inventory Cisco Catalyst SD-WAN Manager versions against Cisco’s affected list.
  • Confirm whether CISA KEV lists CVE-2026-20262 for your program scope.
  • Review web UI and API logs for suspicious authenticated file upload activity.
  • Check filesystem integrity for unexpected new or modified files.
  • Verify remediation against Cisco’s official advisory after changes.
Prepared
Confidence
high
Sources
4

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · medium confidence lookup

CWE-22: File access and web shell behavior lookup

File traversal and upload weaknesses can lead teams to review file, web shell, execution, and collection telemetry. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
description · low confidence lookup

File access behavior lookup

The CVE wording references file access or upload behavior, so file telemetry and web shell review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2026-20262 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Medium
CVSS
6.5 (3.1)
Known Exploited
Yes
Published

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
4Timeline events
1ADP providers
3Source links

CISA KEV status

Status
Known exploited
Source
CISA-ADP
Date added
KEV reference

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: activeAutomatable: noTechnical Impact: partial

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
6.5CVSS 3.1MediumCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N2.83.6cisco

Vulnerability scoring details

Base CVSS 3.1 score

6.5Medium
CVSS 3.1 vector shape for CVE-2026-20262Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. Added to KEVCISA-ADP

    CISA Known Exploited Vulnerabilities metadata lists this CVE as known exploited.

  3. CVE publishedCVE Program

    The CVE record was published.

  4. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
other:ssvcother:kev

Source materials

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
CiscoCisco Catalyst SD-WAN Manager20.1.12, 19.2.1, 18.4.4, 18.4.5, 20.1.1.1, 20.1.1, 19.3.0, 19.2.2, 19.2.099, 18.3.6, 18.3.7, 19.2.0, 18.3.8, 19.0.0, 19.1.0, 18.4.302, 18.4.303, 19.2.097, 19.2.098, 17.2.10, 18.3.6.1, 19.0.1a, 18.2.0, 18.4.3, 18.4.1, 17.2.8, 18.3.3.1, 18.4.0, 18.3.1, 17.2.6, 17.2.9, 18.3.4, 17.2.5, 18.3.1.1, 18.3.5, 18.4.0.1, 18.3.3, 17.2.7, 17.2.4, 18.3.0, 19.2.3, 18.4.501_ES, 20.3.1, 20.1.2, 19.2.929, 19.2.31, 20.3.2, 19.2.32, 20.3.2_925, 20.3.2.1, 20.3.2.1_927, 18.4.6, 20.1.2_937, 20.4.1, 20.3.2_928, 20.3.2_929, 20.4.1.0.1, 20.3.2.1_930, 19.2.4, 20.5.0.1.1, 20.4.1.1, 20.3.3, 19.2.4.0.1, 20.3.2_937, 20.3.3.1, 20.5.1, 20.1.3, 20.3.3.0.4, 20.3.3.1.2, 20.3.3.1.1, 20.4.1.2, 20.3.3.0.2, 20.4.1.1.5, 20.4.1.0.01, 20.4.1.0.02, 20.3.3.1.7, 20.3.3.1.5, 20.5.1.0.1, 20.3.3.1.10, 20.3.3.0.8, 20.4.2, 20.4.2.0.1, 20.3.4, 20.3.3.0.14, 19.2.4.0.8, 19.2.4.0.9, 20.3.4.0.1, 20.3.2.0.5, 20.6.1, 20.5.1.0.2, 20.3.3.0.17, 20.6.1.1, 20.6.0.18.3, 20.3.2.0.6, 20.6.0.18.4, 20.4.2.0.2, 20.3.3.0.16, 20.3.4.0.5, 20.6.1.0.1, 20.3.4.0.6, 20.6.2, 20.7.1EFT2, 20.3.4.0.9, 20.3.4.0.11, 20.4.2.0.4, 20.3.3.0.18, 20.7.1, 20.6.2.1, 20.3.4.1, 20.5.1.1, 20.4.2.1, 20.4.2.1.1, 20.3.4.1.1, 20.3.813, 20.3.4.0.19, 20.4.2.2.1, 20.5.1.2, 20.3.4.2, 20.3.814, 20.4.2.2, 20.6.2.2, 20.3.4.2.1, 20.7.1.1, 20.3.4.1.2, 20.6.2.2.2, 20.3.4.0.20, 20.6.2.2.3, 20.4.2.2.2, 20.3.5, 20.6.2.0.4, 20.4.2.2.3, 20.3.4.0.24, 20.6.2.2.7, 20.6.3, 20.3.4.2.2, 20.4.2.2.4, 20.7.1.0.2, 20.8.1, 20.3.5.0.8, 20.3.5.0.9, 20.4.2.2.8, 20.3.5.0.7, 20.6.3.0.7, 20.6.3.0.5, 20.6.3.0.10, 20.6.3.0.2, 20.7.2, 20.9.1EFT2, 20.6.3.0.11, 20.6.3.1, 20.6.3.0.14, 20.6.4, 20.9.1, 20.6.3.0.19, 20.6.3.0.18, 20.3.6, 20.9.1.1, 20.6.3.0.23, 20.6.4.0.4, 20.6.3.0.25, 20.6.5, 20.6.3.0.27, 20.9.2, 20.9.2.1, 20.6.3.0.29, 20.6.3.0.31, 20.6.3.0.32, 20.10.1, 20.6.3.0.33, 20.9.2.0.01, 20.9.1_LI_Images, 20.10.1_LI_Images, 20.9.2_LI_Images, 20.3.7, 20.9.3, 20.6.5.1, 20.11.1, 20.11.1_LI_Images, 20.9.3_LI_ Images, 20.6.3.1.1, 20.9.3.0.2, 20.6.5.1.2, 20.9.3.0.3, 20.4.2.3, 20.6.3.2, 20.6.4.1, 20.6.3.0.38, 20.6.3.0.39, 20.3.5.1, 20.3.4.3, 20.9.3.1, 20.3.3.2, 20.6.5.2, 20.3.7.1, 20.10.1.1, 20.6.5.2.1, 20.3.4.0.25, 20.6.2.2.4, 20.6.1.2, 20.11.1.1, 20.9.3.0.5, 20.3.4.0.26, 20.6.5.1.3, 20.6.3.0.40, 20.1.3.1, 20.9.2.2, 20.6.5.2.3, 20.6.5.1.4, 20.6.5.3, 20.6.3.0.41, 20.9.3.0.7, 20.6.5.1.5, 20.9.3.0.4, 20.6.4.0.19, 20.6.5.1.6, 20.9.3.0.8, 20.6.3.3, 20.3.7.2, 20.6.5.4, 20.6.5.1.7, 20.9.3.0.12, 20.6.4.2, 20.6.5.5, 20.9.3.2, 20.11.1.2, 20.6.3.4, 20.10.1.2, 20.6.5.1.9, 20.9.3.0.16, 20.6.3.0.45, 20.6.5.1.10, 20.9.3.0.17, 20.6.5.2.4, 20.6.4.0.21, 20.9.3.0.18, 20.6.3.0.46, 20.6.3.0.47, 20.9.2.3, 20.9.3.2_LI_Images, 20.9.3.0.21, 20.9.3.0.20, 20.9.4_LI_Images, 20.9.4, 20.6.5.1.11, 20.12.1, 20.12.1_LI_Images, 20.6.5.1.13, 20.9.3.0.23, 20.6.5.2.8, 20.9.4.1, 20.9.4.1_LI_Images, 20.9.3.0.25, 20.9.3.0.24, 20.6.5.1.14, 20.3.8, 20.6.6, 20.9.3.0.26, 20.6.3.0.51, 20.9.3.0.29, 20.12.2, 20.12.2_LI_Images, 20.6.6.0.1, 20.13.1_LI_Images, 20.9.4.0.4, 20.13.1, 20.9.4.1.1, 20.9.5, 20.9.5_LI_Images, 20.12.3_LI_Images, 20.12.3, 20.9.4.1.3, 20.6.7, 20.9.5.1, 20.9.5.1_LI_Images, 20.9.4.1.6, 20.14.1, 20.14.1_LI_Images, 20.9.5.2, 20.9.5.2.1, 20.9.5.2_LI_Images, 20.12.3.1, 20.12.4, 20.15.1_LI_Images, 20.15.1, 20.9.5.1.4, 20.9.5.2.7, 20.9.5.2.13, 20.9.6, 20.9.6_LI_Images, 20.9.5.2.14, 20.6.8, 20.12.4.0.03, 20.16.1, 20.16.1_LI_Images, 20.12.4_LI_Images, 20.9.5.2.16, 20.12.4.0.4, 20.12.401, 20.9.5.3, 20.9.5.3_LI_Images, 20.12.4.1_LI_Images, 20.12.4.1, 20.9.5.2.21, 20.9.6.0.3, 20.12.4.0.6, 20.15.2_LI_Images, 20.15.2, 20.12.4_Monthly_ES5, 20.12.5, 20.12.5_LI_Images, 20.9.7_LI _Images, 20.9.7, 20.15.3, 20.15.3_ LI _Images, 20.12.501, 20.12.5.1_LI_Images, 20.12.5.1, 20.12.5.2_LI_Images, 20.12.5.2, 20.15.3.1, 20.15.4_LI_Images, 20.15.4, 20.9.7.1_LI _Images, 20.9.7.1, 20.18.1, 20.18.1_LI_Images, 20.12.6_LI_Images, 20.12.6, 20.12.5.1.01, 26.0.1, 20.9.8, 20.9.8_LI_Images, 20.18.2, 20.15.4.1_LI_Images, 20.15.4.1, 20.18.2_LI_Images, 26.1.1, 26.1.1_LI_Images, 20.18.2.1_LI_Images, 20.18.2.1, 20.15.4.2_LI_Images, 20.15.4.2, 20.12.6.1, 20.12.6.1_LI_Images, 20.12.5.3, 20.12.5.3_LI_Images, 20.9.8.2_LI_Images, 20.9.8.2, 20.18.3, 20.18.3_LI_Images, 20.15.5, 20.15.5_LI_Images, 20.12.7, 20.12.7_LI_Images, 20.9.9, 20.9.9_LI_Images, 20.18.2.2, 20.18.2.2_LI_Images, 20.12.5.4, 20.12.5.4_LI_ Images, 20.12.7.1_LI_Images, 20.12.6.2_LI_Images, 20.12.7.1, 20.15.5.1, 20.15.4.3, 20.15.4.3_LI_Images, 20.15.5.1_LI_Images, 20.12.6.2, 20.15.5.2, 20.15.5.2_LI_Images, 26.1.1.1_LI_Images, 20.15.4.4, 20.15.4.4_LI_Images, 26.1.1.1, 20.9.9.1_LI_Images, 20.9.9.1unknown
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-22 · source CWE mapping

Improper Limitation of a Pathname to a Restricted Directory

Improper Limitation of a Pathname to a Restricted Directory represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.