PROBABLYPWNED
Vulnerabilities | June 17, 2026 | 3 min read

Second Cisco SD-WAN Zero-Day Hits CISA KEV in Two Weeks

CVE-2026-20262 joins CVE-2026-20245 on CISA's exploited vulnerabilities list. Attackers deploy malicious .war files via path traversal to gain root access on Catalyst SD-WAN Manager.

Marcus Chen

CISA added a second Cisco Catalyst SD-WAN Manager vulnerability to its Known Exploited Vulnerabilities catalog on June 15, 2026—just two weeks after adding the first. CVE-2026-20262, a path traversal flaw with a CVSS score of 6.5, allows authenticated attackers to write arbitrary files and escalate to root.

Federal civilian agencies face a June 29, 2026 remediation deadline.

Exploitation Details

The vulnerability stems from insufficient validation of user input in the SD-WAN Manager's web interface API endpoints. According to Help Net Security, attackers with valid credentials and at least write access can send crafted HTTP requests to create or overwrite any file on the underlying operating system.

In observed attacks, threat actors deployed malicious .war files that the WildFly Java application server executed as web applications. They then interacted with these implants via POST requests to establish persistent access and escalate privileges to root.

This makes CVE-2026-20262 the second actively exploited SD-WAN vulnerability in rapid succession. We covered the first—CVE-2026-20245—when Cisco acknowledged limited exploitation resulting in configuration changes pushed to edge devices. That vulnerability carries a CVSS 7.8 rating and enables arbitrary command execution as root via crafted file uploads.

Affected Deployments

Both vulnerabilities affect all Cisco Catalyst SD-WAN Manager deployment types:

  • On-premises installations
  • Cloud-Pro deployments
  • Cloud (Cisco Managed)
  • Government (FedRAMP)

The widespread footprint means enterprises across sectors are potentially exposed. Organizations running SD-WAN infrastructure should treat patching as urgent—attackers are clearly aware of these flaws and actively hunting for vulnerable instances.

Detection Indicators

Cisco's advisory recommends reviewing logs for specific patterns that indicate exploitation attempts. Security teams should look for unusual .war file deployments to the WildFly application server and unexpected POST requests to newly created application endpoints.

The Security Affairs analysis noted the patch for CVE-2026-20262 is identical to the fix for CVE-2026-20245, suggesting both flaws share a common root cause in input validation routines.

Recommended Actions

  1. Patch immediately to the latest Catalyst SD-WAN Manager release (patched versions available since June 15)
  2. Audit authentication and remove unnecessary write-access accounts
  3. Review WildFly deployments for unexpected .war files or applications
  4. Monitor API traffic for crafted path traversal sequences in HTTP requests
  5. Check edge device configurations for unauthorized changes
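A log-triage sketch for the two detection points above (path traversal sequences in request URIs, and POST traffic to application contexts that are not part of the expected deployment). This is an added example, not code from Cisco's advisory or from this article. It assumes a common-log-format access log, and the baseline context names, paths, users and sample lines are all constructed.

```python
import re
from urllib.parse import unquote

# Assumed access-log shape (common log format); adapt to your log source.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})')
# ".." as a whole path or parameter component, with either slash style.
TRAVERSAL_RE = re.compile(r'(?:^|[/\\=&?;])\.\.(?:[/\\]|$)')
WAR_RE = re.compile(r'\.war(?:$|[?&/;#])', re.IGNORECASE)
# Hypothetical baseline: context roots the server is expected to serve.
KNOWN_CONTEXTS = {"api", "portal"}

def decode_fully(uri, rounds=3):
    """Percent-decode repeatedly so double-encoded input (%252e) is exposed."""
    for _ in range(rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri

def classify(line):
    """Return the list of findings for one log line, or None if unparsable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    uri = decode_fully(m["uri"])
    findings = []
    if TRAVERSAL_RE.search(uri):
        findings.append("path-traversal")
    if WAR_RE.search(uri):
        findings.append("war-reference")
    context = uri.split("?", 1)[0].lstrip("/").split("/", 1)[0]
    if m["method"] == "POST" and context not in KNOWN_CONTEXTS:
        findings.append("post-to-unbaselined-context")
    return findings

def scan(lines):
    """Return (line_number, findings) for every line with a finding."""
    return [(n, f) for n, line in enumerate(lines, 1) if (f := classify(line))]

# Constructed sample lines (documentation IP ranges, made-up paths and users).
SAMPLE = [
    '192.0.2.10 - admin [15/Jun/2026:10:00:01 +0000] "GET /api/devices HTTP/1.1" 200',
    '198.51.100.7 - svc-net [15/Jun/2026:10:02:13 +0000] "POST /api/upload?name=..%2f..%2fapps%2fx.war HTTP/1.1" 200',
    '198.51.100.7 - svc-net [15/Jun/2026:10:02:40 +0000] "POST /x/cmd HTTP/1.1" 200',
    '192.0.2.10 - admin [15/Jun/2026:10:03:00 +0000] "GET /api/file?name=%252e%252e%252fetc HTTP/1.1" 403',
]
```

Access logs rarely record request bodies, so this only covers traversal sequences carried in the URI; pair it with a file-system review of the application server's deployed archives.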

For organizations unable to patch immediately, restricting access to the SD-WAN Manager web interface to trusted networks provides some risk reduction. However, given confirmed exploitation, patching should take priority over workarounds.

The back-to-back SD-WAN vulnerabilities highlight the growing attacker focus on network management platforms. These systems control traffic routing and policy enforcement across distributed networks—compromising them gives attackers both visibility into network architecture and the ability to manipulate traffic flows.
