COOEY // HUBcompliance · community · intelligence

Exposures › CVE-2026-20262

CVE-2026-20262

Severity
high · on CISA KEV actively exploited
Source
CISA-KEV · kev
Published
2026-06-15
Reference
https://nvd.nist.gov/vuln/detail/CVE-2026-20262
⌖ exploited in the wild shame 45/100 exploited-in-wildunpatchedsupply-chain

Cisco Catalyst SD-WAN Manager allows authenticated attackers to overwrite arbitrary files via path traversal.

This vulnerability enables file overwriting on the SD-WAN Manager filesystem, posing a significant risk to DIB organizations relying on Cisco SD-WAN for secure network management. While requiring authentication, the ability to overwrite files could facilitate privilege escalation or data exfiltration, necessitating immediate vendor patching and network segmentation. DIB orgs must verify vendor remediation timelines and restrict SD-WAN Manager access to trusted networks.

Shame score — A known path traversal vulnerability in a critical network management product that allows file overwriting, though it requires authentication and is not a zero-day.

Players implicated

Cisco Systems Inc. · vendorCatalyst SD-WAN Manager · product

Description

Cisco Catalyst SD-WAN Manager contains a directory or path traversal vulnerability that could allow an authenticated, remote attacker to create a file or overwrite any file on the filesystem of an affected system.

Affected FedRAMP products 9 in the catalog

ProductProviderStatusMatch
AppDynamics GovAPM AppDynamics (a Cisco company) Authorized dex-judge · 0.95
Cisco Cloudlock for Government Cisco Systems Inc. Authorized vendor-exact · 0.90
Cisco Meraki for Government Cisco Systems Inc. In Process vendor-exact · 0.90
Cisco SD-WAN for Government Cisco Systems Inc. In Process vendor-exact · 0.90
Cisco Umbrella for Government Cisco Systems Inc. In Process vendor-exact · 0.90
Cisco Unified Communications Manager Cloud for Government (Cisco UCM Cloud for Government) Cisco Systems Inc. Authorized vendor-exact · 0.90
Duo Federal Duo Security (A Cisco Company) Authorized dex-judge · 0.95
WebEx Contact Center Enterprise for Government (WxCCE-G) Cisco Systems Inc. In Process vendor-exact · 0.90
Webex for Government Cisco Systems Inc. Authorized vendor-exact · 0.90