Read, Watch or Listen

San Jose, California-based Cisco has released an emergency security update to fix a critical zero-day vulnerability in its Catalyst SD-WAN Manager, formerly known as vManage, which the company confirms is being actively exploited in the wild. Tracked as CVE-2026-20262, the flaw stems from a critical weakness in the file upload process that allows unauthenticated or low-privileged attackers to send a crafted HTTP request to an API endpoint and write arbitrary files directly to the appliance’s underlying filesystem. By overwriting key system files, a remote attacker can escalate privileges to root, bypass standard authentication controls, and potentially seize full control of the network management system, posing a severe risk to corporate and government networks. The vulnerability affects all supported deployment models, including on-premises installations, Cisco SD-WAN Cloud-Pro, Cisco-managed cloud environments, and FedRAMP-certified versions used to manage sensitive U.S. government communications and data. Cisco has released patches for multiple software versions, including Release 20.9.9.1, 20.12.7.1, 20.15.4.4, 20.15.5.2, and 20.18.3, and urges network administrators to apply the fixes immediately because no workarounds are available. Security agencies have elevated the flaw to a top-priority issue and advise organizations using the affected SD-WAN Manager to review network logs for unauthorized file modifications or suspicious API activity that could indicate compromise.

Prepared by Jonathan Pierce and reviewed by editorial team.