Cisco patches exploited SD-WAN Manager flaw that gives root access

Cisco has patched a flaw in Catalyst SD-WAN Manager (formerly vManage), the console used to manage thousands of SD-WAN devices, that attackers were already exploiting as a zero-day to gain root. The bug (CVE-2026-20262) stems from weak validation of file uploads in the web interface, letting an authenticated low-privilege remote attacker create or overwrite any file on the system by sending crafted HTTP requests, and from there run commands as root. It affects every deployment type, including on-premises, Cisco-managed cloud, and the FedRAMP government edition, regardless of configuration. It is the latest in a run of exploited Cisco SD-WAN Manager zero-days this year.

Check
Identify Catalyst SD-WAN Manager instances and versions. Before upgrading, run the request admin-tech command on each control component to preserve evidence, then review file-upload and web UI logs.
Affected
Cisco Catalyst SD-WAN Manager (formerly vManage) across all deployment types, including on-premises, Cloud-Pro, Cisco-managed cloud, and the FedRAMP government edition (CVE-2026-20262), regardless of device configuration.
Fix
Upgrade to the fixed Catalyst SD-WAN Manager release now, restrict management-interface access to trusted administrators and networks, and audit for unauthorized files or configuration changes pushed to edge devices.