Cisco has confirmed that CVE-2026-20262, a vulnerability in the Cisco Catalyst SD-WAN Manager, is being actively exploited in targeted attacks. The CVSS score is 6.5. That number is going to mislead a lot of patch prioritization queues, and that is the problem worth discussing.
What the vulnerability does
CVE-2026-20262 is an arbitrary file write vulnerability in the Cisco Catalyst SD-WAN Manager web interface. The root cause is improper validation of user-supplied input during file uploads. An authenticated attacker with a low-privilege account can craft HTTP requests that write or overwrite arbitrary files on the underlying operating system. From there, privilege escalation to root is achievable. Cisco PSIRT describes observed exploitation as limited and highly targeted.
This is the eighth Cisco SD-WAN Manager vulnerability to be flagged as actively exploited in 2026. CISA added it to the Known Exploited Vulnerabilities catalog with an FCEB remediation deadline of June 29, 2026.
The CVSS problem
CVSS 6.5 is classified as medium severity. In many organizations, that puts it below the automatic patching threshold. Teams running a risk-based vulnerability management program might deprioritize it behind a backlog of critical and high findings. This is the trap.
CVSS measures the characteristics of a vulnerability in isolation: attack vector, complexity, privileges required, user interaction, and impact. It does not measure exploitability in the wild, attacker interest in the target class, or the downstream consequences of compromise. A CVSS 6.5 arbitrary file write on a network management platform that controls SD-WAN routing across an enterprise is operationally far more dangerous than the score suggests, because the blast radius of a compromised SD-WAN manager extends to every device it manages.
Eight exploited SD-WAN flaws in one year
The UAT-8616 threat actor (Cisco Talos attribution, state-linked) has been systematically chaining Cisco Catalyst SD-WAN vulnerabilities since early 2026: CVE-2026-20127, then CVE-2026-20182 (CVSS 10.0), then CVE-2026-20245. CVE-2026-20262 is not attributed to UAT-8616 by Cisco; a different sophisticated actor is suggested. But the pattern is consistent: Cisco SD-WAN Manager is a high-value target class, and threat actors have invested in learning its vulnerability surface.
Eight vulnerabilities exploited in six months in a single product is not bad luck. It reflects either a concentrated research effort by well-resourced actors, or a codebase with systemic quality issues in its authentication and input validation logic. Both possibilities warrant treating Cisco SD-WAN Manager as a high-priority patching target regardless of individual CVE scores.
What to do
Apply Cisco's patches immediately. FCEB agencies must remediate by June 29, 2026; enterprise organizations should treat this at the same urgency. Restrict SD-WAN Manager web interface access to trusted management networks. Audit which accounts have authenticated access to the manager interface, and eliminate any low-privilege accounts that are not operationally required. Review whether SD-WAN Manager logs show unexpected file upload activity.
The larger lesson: for network infrastructure management platforms, the CVSS score should be one input into patch prioritization, not the decision. The question to ask is not "what is the score?" but "what does a successful attack enable?" When the answer is root access to a system that manages all your WAN routing, the score stops mattering.
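The prioritization argument made here and under "The CVSS problem", as an added example that is not part of the original article: a score-threshold queue next to one that ranks on known exploitation and blast radius before the score. The `BLAST_RADIUS` tiers, the 7.0 cut-off and the `CVE-PLACEHOLDER-*` entries are assumptions constructed for illustration; only CVE-2026-20262, its 6.5 score and its June 29, 2026 deadline come from the article.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed blast-radius tiers per asset role (hypothetical; tune to your own estate).
BLAST_RADIUS = {"network-management": 3, "server": 2, "workstation": 1}

@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float
    asset_role: str
    exploited: bool = False          # e.g. listed in the CISA KEV catalog
    kev_due: Optional[date] = None   # KEV remediation deadline, if one applies

def cvss_only_queue(findings, threshold=7.0):
    """Score-threshold triage: anything below the cut-off never enters the queue."""
    hits = [f for f in findings if f.cvss >= threshold]
    return sorted(hits, key=lambda f: -f.cvss)

def risk_queue(findings):
    """Rank on exploitation, then blast radius, then deadline; CVSS only breaks ties."""
    def key(f):
        return (not f.exploited,                      # exploited findings sort first
                -BLAST_RADIUS.get(f.asset_role, 1),   # wider blast radius next
                f.kev_due or date.max,                # earlier deadline next
                -f.cvss)                              # score last
    return sorted(findings, key=key)

# Constructed sample backlog. Only the CVE-2026-20262 row reflects the article;
# the PLACEHOLDER rows are invented for illustration.
BACKLOG = [
    Finding("CVE-PLACEHOLDER-A", 9.8, "workstation"),
    Finding("CVE-PLACEHOLDER-B", 8.1, "server"),
    Finding("CVE-2026-20262", 6.5, "network-management", True, date(2026, 6, 29)),
    Finding("CVE-PLACEHOLDER-C", 7.5, "network-management"),
]

if __name__ == "__main__":
    print("CVSS-only :", [f.cve for f in cvss_only_queue(BACKLOG)])
    print("Risk-based:", [f.cve for f in risk_queue(BACKLOG)])
```

With the threshold queue, the exploited SD-WAN Manager finding never appears at all; with the risk-based key it is first in line.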
Gigia Tsiklauri is a Security Architect and founder of Infosec.ge. Get in touch if you want to discuss vulnerability prioritization strategy or SD-WAN security architecture.