Cisco Patches Another SD-WAN Zero-Day Exploited in Attacks

Cisco recently became aware of the exploitation of CVE-2026-20262, a Catalyst SD-WAN Manager zero-day that allows arbitrary file write.

Cisco on Monday warned customers about yet another SD-WAN product zero-day exploited in attacks. 

The flaw, tracked as CVE-2026-20262, has been described as a medium-severity arbitrary file write issue affecting Catalyst SD-WAN Manager.

An attacker can send specially crafted HTTP requests to an affected API endpoint to create or overwrite any file on the underlying operating system.

“This file could later be used to elevate to root,” Cisco explained, adding, “To exploit this vulnerability, the attacker must have valid credentials with at least write access.”

Cisco said it discovered the vulnerability internally and became aware of its exploitation in June 2026.

It’s unclear whether CVE-2026-20262 has been chained with other vulnerabilities or whether the attackers abused compromised credentials. 

There does not appear to be any public information about attacks exploiting the new zero-day, and it’s unclear who is behind them. 

Cisco did mention that CVE-2026-20262 has been exploited in limited attacks, which suggests a highly targeted operation by a sophisticated — possibly state-sponsored — threat actor.

CISA added CVE-2026-20262 to its Known Exploited Vulnerabilities (KEV) catalog on Monday, instructing federal agencies to address it by June 29.

This is the eighth Cisco SD-WAN vulnerability whose exploitation was detected in 2026. The list also includes CVE-2026-20182, CVE-2026-20127, CVE-2026-20128, CVE-2026-20122, CVE-2026-20133, CVE-2022-20775, and CVE-2026-20245.

CVE-2026-20245 was disclosed by Cisco on June 4 as a zero-day, but it took nearly a week for the company to start releasing patches.

Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.
