Cisco has released security patches for CVE-2026-20262, a medium-severity flaw in Catalyst SD-WAN Manager that attackers are actively exploiting in production environments. The vulnerability carries a CVSS score of 6.5 and resides in the web UI of the platform, which manages SD-WAN deployments across enterprise networks.

The flaw allows authenticated remote attackers to create files or execute operations on affected systems. While the vulnerability requires valid credentials to exploit, the active exploitation in the wild indicates that attackers either possess legitimate access or have obtained credentials through other breach activity. Catalyst SD-WAN Manager, formerly branded as SD-WAN vManage, is widely deployed in enterprise networks to centralize management of software-defined wide area networks.

Cisco classified the risk as medium rather than critical, but the combination of active exploitation and the system's role as a central management platform elevates actual risk for organisations. Compromise of SD-WAN Manager could grant attackers visibility into and control over an organisation's entire WAN architecture, potentially enabling lateral movement to connected branch offices and data centers.

Organisations running Catalyst SD-WAN Manager should prioritise patching immediately. The active exploitation confirms threat actors have working proof-of-concept code or are conducting targeted campaigns against this infrastructure. SD-WAN deployments are increasingly common in mid-market and enterprise environments as organisations migrate away from traditional MPLS networks, which makes the management platform a high-value target.

Cisco has not disclosed specific details about which versions contain the flaw or the exact nature of the file creation capability. Organisations should check Cisco's security advisory for patch availability and version guidance. In the interim, they should use network segmentation and access controls to restrict access to the SD-WAN Manager interface to trusted administrative networks.