
Cisco Catalyst SD-WAN Manager CVE-2026-20262

EUVD-2026-36733 · MEDIUM · Path Traversal (CWE-22)
2026-06-15 · cisco · GHSA-p45r-gcc9-fr7f
CVSS 3.1: 6.5 · Vendor: cisco

Severity by source

Vendor (cisco), PRIMARY: 6.5 MEDIUM, AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
vuln.today AI: 6.5 MEDIUM

Network-accessible API requires only low-privilege credentials (PR:L); path traversal yields high integrity impact with no direct confidentiality or availability consequence.

CVSS 3.1: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
CVSS 4.0: AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (cisco).

CVSS Vector (Vendor: cisco)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: High
Availability: None

Lifecycle Timeline

Added to CISA KEV: Jun 15, 2026 - 19:31 (CISA)
Analysis Generated: Jun 15, 2026 - 18:30 (vuln.today)
CVE Published: Jun 15, 2026 - 16:21 (nvd), MEDIUM 6.5

Description (CVE.org)

A vulnerability in the web UI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an authenticated, remote attacker to create a file or overwrite any file on the filesystem of an affected system.

This vulnerability exists because the affected software does not properly validate user-supplied input during a file upload process. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected API endpoint of the affected system. A successful exploit could allow the attacker to create or overwrite any file on the underlying operating system. This file could later be used to elevate to root. To exploit this vulnerability, the attacker must have valid credentials with at least a lower-privileged, single-task user account.
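
The kind of upload-path validation the description says is missing, as an added defensive example (not Cisco's code and not taken from the advisory): a helper that accepts a client-supplied file name only if it resolves inside a fixed upload directory. `UPLOAD_ROOT`, `resolve_upload_target` and `is_accepted` are hypothetical names, and the directory is a constructed placeholder.

```python
from pathlib import Path, PurePosixPath
from urllib.parse import unquote

UPLOAD_ROOT = Path("/tmp/example-upload-root")  # hypothetical upload directory


class UnsafeUploadPath(ValueError):
    """The client-supplied name would resolve outside the upload root."""


def resolve_upload_target(client_name: str, root: Path = UPLOAD_ROOT) -> Path:
    """Return the absolute path to write to, or raise UnsafeUploadPath."""
    # Decode percent-encoding until stable so double-encoded separators
    # are seen in their final form before any check runs.
    decoded = client_name
    for _ in range(4):
        step = unquote(decoded)
        if step == decoded:
            break
        decoded = step
    else:
        raise UnsafeUploadPath("too many encoding layers")

    if "\x00" in decoded:
        raise UnsafeUploadPath("NUL byte in name")

    # Treat backslashes as separators so Windows-style input is judged
    # the same way as POSIX-style input.
    normalized = decoded.replace("\\", "/")
    parts = PurePosixPath(normalized).parts
    if not parts or normalized.startswith("/") or ".." in parts:
        raise UnsafeUploadPath("absolute, empty or parent-relative name")

    # Resolve symlinks on both sides, then confirm the target is still
    # inside the upload root before anything is written.
    root_real = root.resolve()
    target = (root_real / normalized).resolve()
    try:
        target.relative_to(root_real)
    except ValueError:
        raise UnsafeUploadPath("resolves outside upload root") from None
    return target


def is_accepted(client_name: str, root: Path = UPLOAD_ROOT) -> bool:
    """Convenience wrapper: True if the name passes validation."""
    try:
        resolve_upload_target(client_name, root)
        return True
    except UnsafeUploadPath:
        return False
```

The symlink-aware containment check is the part that lexical filtering alone misses: a name with no `..` component can still leave the root through a link that already exists inside it.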

Analysis (AI)

Arbitrary file write via path traversal in Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage) allows an authenticated low-privileged attacker to create or overwrite any file on the underlying operating system by sending crafted HTTP requests to affected API endpoints. The vulnerability stems from insufficient validation of user-supplied input during the file upload process (CWE-22), and a successful exploit can serve as a reliable stepping stone to root-level privilege escalation on the management host. …


Attack Chain (AI, derived)

Hypothetical attack flow derived from CVE metadata

Access: Obtain low-privilege SD-WAN Manager credentials
Delivery: Authenticate to web UI and identify file upload API endpoint
Exploit: Send crafted HTTP POST with path traversal sequences in filename or path parameter
Execution: Overwrite OS-level file (e.g., cron job, authorized_keys, or sudoers entry)
Persist: Trigger execution of written payload
Impact: Achieve root-level access on SD-WAN Manager host

Vulnerability Assessment (AI)

Exploitation: Exploitation requires possession of valid Cisco Catalyst SD-WAN Manager credentials at a minimum of the 'lower-privileged, single-task' role - this is the lowest defined access tier in the platform, not administrator access, meaning any authenticated user is a potential threat actor. …
Risk Assessment: The CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N yields a 6.5 Medium score, which underrepresents the true operational risk. …
Exploit Scenario: An attacker who has acquired a low-privileged single-task account on Cisco Catalyst SD-WAN Manager - obtained through credential phishing, password spraying against exposed management interfaces, or insider access - authenticates to the web UI and submits a crafted HTTP POST request to the file upload API endpoint with path traversal sequences embedded in the filename or destination path parameter (e.g., '../../var/spool/cron/root'). The server writes attacker-controlled content - a reverse shell cron entry or malicious SSH public key - directly to the OS filesystem, which is subsequently executed with root-level privileges, granting the attacker full control of the SD-WAN Manager host and the ability to manipulate SD-WAN policy across the entire managed network. …
Remediation: Apply the vendor-supplied patch by consulting the Cisco Security Advisory cisco-sa-sdwan-arbfw-c2rZvQ at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-arbfw-c2rZvQ for specific fixed release versions; a confirmed fixed version number was not available in the provided intelligence data and must not be assumed. …
