## Overview
CISA added CVE-2026-20262 to the KEV catalog on June 15, 2026, triggering a 14-day federal patching deadline. The vulnerability affects Cisco Catalyst SD-WAN Manager's web UI. Attackers require a single-task user account with valid credentials. CISA listed it due to active exploitation against government networks.
## Technical Details
The flaw stems from improper input validation during file uploads. Attackers send crafted HTTP requests to the API endpoint. The software fails to sanitize paths, enabling directory traversal. This allows writing files to any filesystem location, including critical directories like /etc or /bin.
## Impact
Exploitation lets attackers overwrite or create any file on the system. This leads to root access and full system compromise. Attackers deploy malicious files for persistence or privilege escalation. CISA confirmed exploitation in the wild, making it a high-risk threat.
## Mitigation
Apply Cisco's security update immediately. Restrict web UI access to internal networks using firewalls. Disable unused user accounts with web UI privileges. Monitor logs for unusual file upload requests. Implement multi-factor authentication for management interfaces. Federal agencies must complete patching within 14 days to comply with CISA requirements.
CSURFACE Threat Sensor