Cisco SD-WAN Manager Flaw: Medium Severity, Real Exploitation

Cisco has released security updates for an actively exploited vulnerability in Catalyst SD-WAN Manager, formerly known as SD-WAN vManage.
The flaw, CVE-2026-20262, has a CVSS score of 6.5, so on paper it sits in the “medium” category. However, “medium” becomes a lot more interesting when attackers are already exploiting it.
The vulnerability exists in the web interface and stems from poor validation during a file upload process. An authenticated remote attacker with at least write access could send crafted HTTP requests to an affected API endpoint and create or overwrite files on the underlying system.

Cisco says this could be weaponised to elevate privileges to root. That makes it particularly serious in environments where SD-WAN Manager is a critical control point for network infrastructure.
The affected deployments include Catalyst SD-WAN Manager on-premises, Cisco SD-WAN Cloud-Pro, Cisco-managed SD-WAN Cloud and SD-WAN for Government. Cisco has issued patched releases across affected branches.

Cisco also provided indicators of compromise, including suspicious WAR file uploads in /var/log/nms/vmanage-server.log and deployment activity in related application logs. Customers should patch, review logs and investigate any suspicious uploads or unexpected access.
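As a starting point for that log review, the sketch below lists every WAR file name referenced in a log and the lines where it appears, so unexpected names stand out. It is an added example, not Cisco's tooling or its published indicators: the sample lines are constructed, the real vmanage-server.log layout may differ, and the allowlisted name is a hypothetical placeholder for WAR files you have verified yourself.

```python
import gzip
import re
import sys
from collections import defaultdict

# Matches a file name ending in .war (case-insensitive), with an optional path.
WAR_RE = re.compile(r"[\w./\-]+\.war\b", re.IGNORECASE)

# Assumption: WAR names the operator has verified as legitimate (hypothetical name).
KNOWN_GOOD = {"expected-app.war"}

# Constructed sample lines; the real vmanage-server.log layout may differ.
SAMPLE = [
    "01-Jan-2026 10:00:01 INFO  [session-1] request handled in 12 ms",
    "01-Jan-2026 10:00:05 INFO  [session-2] upload stored: /tmp/upload/Report.WAR",
    "01-Jan-2026 10:00:09 INFO  [deployer] deploying expected-app.war",
    "01-Jan-2026 10:00:12 WARN  [session-2] upload stored: /tmp/upload/report.war",
]

def open_log(path):
    """Open a plain or gzip-rotated log as text, tolerating undecodable bytes."""
    opener = gzip.open if path.endswith(".gz") else open
    return opener(path, "rt", errors="replace")

def war_references(lines, known_good=KNOWN_GOOD):
    """Return {war_name: [line numbers]} for WAR names not in known_good."""
    hits = defaultdict(list)
    for lineno, line in enumerate(lines, start=1):
        for match in WAR_RE.findall(line):
            # Compare on the lower-cased base name so case and path tricks
            # do not split one file into several entries.
            name = match.rsplit("/", 1)[-1].lower()
            if name not in known_good:
                hits[name].append(lineno)
    return dict(hits)

if __name__ == "__main__":
    # No arguments: run on the constructed sample. Otherwise scan the given logs,
    # e.g. /var/log/nms/vmanage-server.log and any rotated .gz copies.
    sources = {"<sample>": SAMPLE}
    if len(sys.argv) > 1:
        sources = {}
        for path in sys.argv[1:]:
            with open_log(path) as fh:
                sources[path] = fh.readlines()
    for src, lines in sources.items():
        for name, nums in sorted(war_references(lines).items()):
            print(f"{src}: {name} referenced on line(s) {nums}")
```

Any name it reports still needs to be checked against the indicators in Cisco's advisory and against your own change records before it is treated as malicious or benign.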

The lesson here is simple: do not rely solely on CVSS severity. If a vulnerability is actively exploited and touches network management infrastructure, it deserves urgent attention.
“Medium” is not always medium when it is already in the wild.