Cisco Catalyst SD-WAN Manager CVE-2026-20262 is now in CISA’s Known Exploited Vulnerabilities catalog. CISA added the issue on June 15, 2026, with a due date of June 29, 2026 for covered federal systems. Cisco describes the issue as an arbitrary file write vulnerability in the web UI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage.
This matters for businesses, managed service providers, hosting networks, and distributed offices because SD-WAN Manager is a management-plane system. If a lower-privileged account can be abused on the manager, the right response is not just a software update. It is a patch window, account review, management-access review, and post-change fabric check.
This is a protect-only guide. It explains the safe update and verification path without publishing endpoint details, request examples, scanner material, or investigation recipes that would help someone target a live SD-WAN manager.
What is affected
Cisco says the vulnerability affects Cisco Catalyst SD-WAN Manager regardless of device configuration. Use Cisco’s advisory as the source of truth for your exact release train and entitlement path, because the affected-version list is long.
- Cisco Catalyst SD-WAN Manager / SD-WAN vManage deployments on affected software trains.
- Managers reachable from broad admin networks, weakly segmented jump hosts, shared admin workstations, or internet-exposed management paths.
- Deployments with stale local users, over-broad single-task accounts, automation accounts, or identity-provider groups that can reach the manager.
- MSP and hosting-provider environments where SD-WAN management affects customer connectivity, private cloud routing, backups, support access, or branch-office traffic.
Fixed release targets
Cisco’s advisory lists these first fixed releases for the major affected trains:
- 20.9 train: first fixed release 20.9.9.2
- 20.12 train: first fixed release 20.12.7.2
- 20.15.4 train: first fixed release 20.15.4.5
- 20.15.5 train: first fixed release 20.15.5.3
- 26.1 train: first fixed release 26.1.1.2
Cisco also says there are no workarounds that address this vulnerability. If you cannot update immediately, reduce management-plane exposure while you schedule the vendor-supported fixed software path.
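The version check implied by the list above, as an added example (not Cisco tooling and not code from the advisory): it maps each running version to its train by longest prefix, so 20.15.4.x and 20.15.5.x are judged separately, and defers any train not listed on this page to Cisco's advisory. Hostnames and version strings in the sample inventory are constructed.

```python
# Added example (not Cisco code); hostnames and versions below are constructed.

# First fixed release per train, copied from the list on this page.
FIRST_FIXED = {
    "20.9": "20.9.9.2",
    "20.12": "20.12.7.2",
    "20.15.4": "20.15.4.5",
    "20.15.5": "20.15.5.3",
    "26.1": "26.1.1.2",
}


def parse(version):
    """Turn '20.15.4.5' into (20, 15, 4, 5); reject anything non-numeric."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in parts)


def classify(version):
    """Return (status, first_fixed_or_None) for one running version."""
    running = parse(version)
    # Longest train prefix wins, so 20.15.4.x maps to the 20.15.4 train.
    for train in sorted(FIRST_FIXED, key=lambda t: -len(parse(t))):
        prefix = parse(train)
        if running[:len(prefix)] == prefix:
            fixed = FIRST_FIXED[train]
            status = "fixed" if running >= parse(fixed) else "needs-update"
            return status, fixed
    # Train not in the short list above: defer to Cisco's full advisory.
    return "check-advisory", None


def triage(inventory):
    """Map each host to its status; malformed versions are flagged, not skipped."""
    report = {}
    for host, version in inventory.items():
        try:
            report[host] = classify(version)
        except ValueError:
            report[host] = ("unparseable", None)
    return report


if __name__ == "__main__":
    sample = {"mgr-prod": "20.12.6.1", "mgr-dr": "20.15.5.3", "mgr-lab": "20.15.3.1"}
    for host, (status, fixed) in triage(sample).items():
        print(f"{host}: {status} (first fixed: {fixed or 'see Cisco advisory'})")
```

A "check-advisory" or "unparseable" result means the host still needs a manual lookup against Cisco's full affected-version list, not that it is safe.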
What to do now
- Inventory SD-WAN Manager instances. Include production, staging, disaster-recovery, lab, and customer-managed deployments.
- Confirm the running version and release train. Match it against Cisco’s fixed-release table before choosing the maintenance path.
- Back up before maintenance. Save manager configuration, templates, policies, certificates, controller state, and change-control evidence.
- Restrict management access. Keep SD-WAN Manager behind trusted admin networks, VPN, bastion hosts, and MFA-backed identities. Remove direct internet exposure where it exists.
- Apply the Cisco fixed software path. Follow the vendor-supported upgrade route for the exact train instead of improvising around the manager.
- Review accounts and access. Check local users, single-task accounts, API users, automation accounts, identity-provider groups, emergency accounts, and stale credentials.
- Review recent manager activity. Look for unusual administrator actions, file-management events, template changes, policy changes, and change windows that do not match your records.
- Verify the fabric after patching. Confirm controllers, edges, tunnels, routing, segmentation, monitoring, backups, and customer or branch connectivity are normal.
Hosting and MSP notes
If SD-WAN Manager supports customer locations, office networks, data-center access, remote support, backup replication, or private cloud connectivity, plan this as management-plane maintenance. Tell affected teams what might flap, which sites are in scope, how rollback will work, and who is watching edge-device health during the change.
For MSPs, include customer-impact notes even when the patch itself is expected to be quiet. A small SD-WAN management issue can look like an application outage to the customer, so post-change checks should include expected paths, segmentation, monitoring, and documented service reachability.
Post-patch verification checklist
- SD-WAN Manager reports the expected fixed software release for its train.
- Management access is limited to trusted admin paths and MFA-backed users.
- Recent administrator activity, file-management events, templates, policies, and account changes have been reviewed.
- Controllers, edge devices, tunnels, overlays, routing, segmentation, and site connectivity are healthy.
- Monitoring, alerting, configuration backups, and change records are current after the update.
- Local users, single-task users, API users, automation accounts, break-glass accounts, and stale accounts have been reviewed or tightened.
- Customer or internal stakeholders have been told when the maintenance affects them.
Sources
- CISA Known Exploited Vulnerabilities catalog
- Cisco Security Advisory for CVE-2026-20262
- CVE.org record for CVE-2026-20262
- Official CVE API record for CVE-2026-20262
Need help planning an SD-WAN Manager patch window or checking whether management-plane activity looks normal? Fix I.T. Phill can help review the manager, coordinate the maintenance window, and verify the fabric afterward.


