GHSA-p45r-gcc9-fr7f · Severity: medium — A vulnerability in the web UI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could...
A vulnerability in the web UI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an authenticated, remote attacker to create a file or overwrite any file on the filesystem of an affected system. This vulnerability exists because the affected software does not properly validate user-supplied input during a file upload process. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected API endpoint of the affected system. A successful exploit could allow the attacker to create or overwrite any file on the underlying operating system. This file could later be used to elevate to root. To exploit this vulnerability, the attacker must have valid credentials with at least a lower-privileged, single-task user account.
Conclusion & alert: CVE-2026-20262 is rated Critical Active Threat (88.8/100): CVSS Medium severity, with high exploitation likelihood (EPSS 7.68%, 94th percentile). Core evidence: CISA KEV confirms active exploitation (added 2026-06-15) affecting Cisco / Catalyst SD-WAN Manager. a weakness (CWE-22) Unauthenticated remote administrative access may be possible. EPSS rose +6.31% over the last day, indicating growing attacker interest. Mandatory action: The CISA remediation deadline has passed—treat as an emergency patch priority.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
: Cisco Catalyst SD-WAN Manager Directory or Path Traversal Vulnerability · CISA KEV detail
: 2026-06-15
: 2026-06-29
: Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-25 | 1.37% | 7.68% | +6.31% |
| 2 | 2026-06-23 | 1.15% | 1.37% | +0.23% |
| 3 | 2026-06-17 | — | 1.15% | — |
Full EPSS history (4 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 6.5 | 3.1 | MEDIUM |
|
2.8 | 3.6 | [email protected] |
GHSA-p45r-gcc9-fr7f · Severity: medium — A vulnerability in the web UI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could...
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| cisco | catalyst_sd-wan_manager | < 20.9.9.2 | cpe:2.3:a:cisco:catalyst_sd-wan_manager:*:*:*:*:*:*:*:* |
| cisco | catalyst_sd-wan_manager | >= 20.10, < 20.12.7.2 | cpe:2.3:a:cisco:catalyst_sd-wan_manager:*:*:*:*:*:*:*:* |
| cisco | catalyst_sd-wan_manager | >= 20.13, < 20.15.4.5 | cpe:2.3:a:cisco:catalyst_sd-wan_manager:*:*:*:*:*:*:*:* |
| cisco | catalyst_sd-wan_manager | >= 20.15.5, < 20.15.5.3 | cpe:2.3:a:cisco:catalyst_sd-wan_manager:*:*:*:*:*:*:*:* |
| cisco | catalyst_sd-wan_manager | >= 20.16, < 20.18.3.1 | cpe:2.3:a:cisco:catalyst_sd-wan_manager:*:*:*:*:*:*:*:* |
| cisco | catalyst_sd-wan_manager | >= 26.1, < 26.1.1.2 | cpe:2.3:a:cisco:catalyst_sd-wan_manager:*:*:*:*:*:*:*:* |
| URL | Tags |
|---|---|
| https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-arbfw-c2rZvQ | Vendor Advisory |
| https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-20262 | US Government Resource |