
Cisco SD-WAN vManage Vulnerability Exploited in Zero-Day Attacks

Cybersecurity News Archived Jun 16, 2026 ✓ Full text saved

By Abinaya, June 16, 2026

Cisco has disclosed a critical security issue in its Catalyst SD-WAN Manager (formerly vManage) that is now being actively exploited in zero-day attacks, raising concerns for enterprise network environments worldwide.

The vulnerability, tracked as CVE-2026-20262, is an arbitrary-file-write flaw in the web-based management interface. It carries a CVSS score of 6.5 and stems from improper validation of user-supplied input during file upload operations. According to Cisco, attackers with valid credentials and write-level access can exploit this flaw to upload crafted files to targeted systems.

Once exploited, the vulnerability allows an attacker to create or overwrite files anywhere on the underlying operating system. This capability can be leveraged to deploy malicious payloads, including web shells, and potentially escalate privileges to root level, significantly increasing the severity of the attack.

Cisco’s Product Security Incident Response Team (PSIRT) confirmed that the vulnerability has already been observed in limited real-world exploitation as of June 2026. This places the flaw in the category of zero-day vulnerabilities, where attackers can exploit it before widespread patching occurs.

The issue affects all deployment models of Cisco Catalyst SD-WAN Manager, including on-premises systems, Cisco SD-WAN Cloud, Cloud-Pro, and FedRAMP environments. Notably, there are no available workarounds, making immediate patching the only effective mitigation.

Security researchers highlight that internet-exposed SD-WAN management interfaces are the most at risk. Attackers can exploit exposed API endpoints by crafting HTTP requests to upload malicious files. One example includes uploading a WAR file to sensitive directories using directory traversal techniques.

Cisco has provided specific Indicators of Compromise (IOCs) to help organizations detect potential exploitation. Suspicious activity may appear in log files such as: vmanage-server.log, showing unauthorized file uploads, including paths like “../../../../var/lib/wildfly/standalone/deployments/suspicious.war”; vmanage-appserver.log, indicating deployment of unexpected WAR files; and serviceproxy-access.log, capturing HTTP POST requests to malicious endpoints such as “/suspicious/index.jsp”. These logs suggest post-exploitation activity, where attackers deploy and interact with malicious applications within the system.

Cisco clarified that this vulnerability does not directly affect SD-WAN traffic handling or connectivity. However, compromise of the management plane could allow attackers to manipulate configurations or maintain persistent access.

To address the issue, Cisco has released patched versions across multiple software branches. Affected users are strongly advised to upgrade to fixed releases such as 20.9.9.2, 20.12.7.2, 20.15.4.5, 20.15.5.3, 20.18.3.1, and 26.1.1.2, depending on their deployment. Organizations are also encouraged to audit logs, restrict external access to management interfaces, and use the “request admin-tech” command to collect diagnostic data before engaging Cisco TAC for incident response support.

This vulnerability was identified during internal security testing. However, its rapid transition to active exploitation highlights the ongoing risk posed by exposed management interfaces and insufficient input validation mechanisms. With no workaround available and active attacks underway, timely patching and continuous monitoring remain critical to reducing exposure.
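The log audit described above can be scripted as a first-pass triage. The following is an added example, not part of the original article or Cisco's advisory. The page does not show the real log line layouts, so the script matches only on the substrings the article names; the sample lines are constructed and `KNOWN_WARS` is a hypothetical baseline.

```python
import re
from urllib.parse import unquote

# Hypothetical baseline of WAR files expected on this host (assumption: build
# it from a known-good system; the article lists no legitimate names).
KNOWN_WARS = {"vmanage.war"}

TRAVERSAL = re.compile(r"(?:\.\.[/\\]){2,}")        # repeated ../ in a path
DEPLOY_DIR = "wildfly/standalone/deployments"        # directory named in the IOC
WAR_NAME = re.compile(r"([\w.-]+\.war)\b", re.I)
JSP_POST = re.compile(r"\bPOST\s+(/[^\s/]+/[^\s?]*\.jsp)\b", re.I)

def scan_line(log_name, line):
    """Return findings for one log line, keyed on the log file it came from."""
    text = unquote(line)  # also catches %2e%2e%2f-style encoded traversal
    hits = []
    if log_name == "vmanage-server.log":
        if TRAVERSAL.search(text):
            hits.append("traversal-in-upload-path")
        if DEPLOY_DIR in text and WAR_NAME.search(text):
            hits.append("write-to-deployments-dir")
    elif log_name == "vmanage-appserver.log":
        for war in WAR_NAME.findall(text):
            if war.lower() not in KNOWN_WARS:
                hits.append(f"unexpected-war:{war}")
    elif log_name == "serviceproxy-access.log":
        m = JSP_POST.search(text)
        if m:
            hits.append(f"post-to-jsp:{m.group(1)}")
    return hits

def scan(entries):
    """entries: iterable of (log_name, line); returns [(log_name, line, hits)]."""
    return [(n, l, h) for n, l in entries if (h := scan_line(n, l))]

# Constructed sample lines; the layout is illustrative, not real product output.
SAMPLE = [
    ("vmanage-server.log", "upload file=../../../../var/lib/wildfly/standalone/deployments/suspicious.war"),
    ("vmanage-server.log", "upload file=%2e%2e%2f%2e%2e%2fvar/lib/wildfly/standalone/deployments/x.war"),
    ("vmanage-server.log", "upload file=device-template.csv"),
    ("vmanage-appserver.log", 'Deployed "suspicious.war"'),
    ("vmanage-appserver.log", 'Deployed "vmanage.war"'),
    ("serviceproxy-access.log", "10.0.0.5 POST /suspicious/index.jsp 200"),
    ("serviceproxy-access.log", "10.0.0.5 GET /dataservice/device 200"),
]

if __name__ == "__main__":
    for name, line, hits in scan(SAMPLE):
        print(name, hits, line)
```

A hit is a lead for review rather than proof of compromise; correlate the timestamps across the three logs before escalating.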