This document describes steps to identify and address critical security vulnerabilities in SD-WAN based on PSIRT advisories dated June 4 and 15, 2026.
Cisco recommends that you have knowledge of these topics:
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
For detailed background information and the latest updates, refer to the official PSIRT advisory page.
These advisories are available at these links:
These defects are addressed by these PSIRT advisories:
These advisories describe two vulnerabilities in Cisco Catalyst SD-WAN. The first (CVE-2026-20245) is a privilege-escalation vulnerability in SD-WAN control components that requires netadmin privileges to exploit. The second (CVE-2026-20262) is an arbitrary file write vulnerability in SD-WAN Manager (vManage) that allows an authenticated user to create or overwrite any file on the filesystem of an affected system.
For both CVE-2026-20245 and CVE-2026-20262, the known paths for an unauthenticated remote attacker to obtain the required credentials are exploitation of CVE-2026-20182 (cisco-sa-sdwan-rpa2-v69WY2SW) or CVE-2026-20127 (cisco-sa-sdwan-rpa-EHchtZk). CVE-2026-20245 requires netadmin privileges to exploit, while CVE-2026-20262 requires at least a lower-privileged single-task user account.
If your control components have been upgraded to a fixed release for both of those advisories, and Cisco did not identify any potential indicators of compromise (IoCs) in the admin-tech files you provided for the prior events, then the known unauthenticated exploitation paths for both CVE-2026-20245 and CVE-2026-20262 are mitigated on those specific devices, based on the files reviewed. This does not eliminate exposure where an attacker holds valid credentials. Cisco recommends you upgrade to a fixed release for both advisories.
Required Action:Open a Cisco TAC case to address these security advisories.
TAC is available to:
Required: Collect admin-tech files from all control components before any upgrade or configuration change so that diagnostic data and any potential indicators of compromise (IoCs) are preserved. These files are used by TAC in Step 3 to analyze your environment.
Collection: For admin-tech generation, select Log and Tech options. Core is not required.
Collect an Admin-Tech in an SD-WAN Environment and Upload to a TAC Case
Note: TAC analyzes these files to assess your environment for indicators of compromise related to both advisories. For the privilege escalation advisory, the analysis focuses on a specific log entry in /var/log/scripts.log that does not distinguish between legitimate and malicious use; manual review by TAC is required. For the arbitrary file write advisory, the analysis focuses on entries in /var/log/nms/vmanage-server.log; these entries can also occur during standard operations and must be assessed against normal operational posture to avoid false positives.
If you cannot share admin-tech files, a manual verification step is available. This step provides a preliminary indicator that must be documented and shared with TAC.
See the Manual Verification Steps section at the end of this document for a detailed procedure. Document all findings and provide them to TAC in your support case.
After collecting admin-techs in Step 1, open a Cisco TAC support case and upload the admin-tech files collected. TAC analyzes the admin-techs for indicators of compromise associated with both advisories (CVE-2026-20245 and CVE-2026-20262).
Required Actions:
cisco-sa-sdwan-privesc-4uxFrdzx and cisco-sa-sdwan-arbfw-c2rZvQ in the title to initiate the analysis.
Note: Cisco has released software fixes for these vulnerabilities on all release trains at this time, but no workarounds are available. The TAC analysis in Step 3 helps determine whether any indicators of compromise are present in the admin-tech files you provided. Upgrade to a fixed software version and adhere to TAC guidance regarding any other necessary next steps.
TAC performs a preliminary analysis of the admin-tech files you uploaded in Step 2 and assesses them for indicators of compromise associated with both advisories (CVE-2026-20245 and CVE-2026-20262).
For advisory CVE-2026-20245, the analysis is focused on a specific log entry in /var/log/scripts.log on each control component (vManage, vSmart, and vBond). Because the underlying command is legitimate and the log does not distinguish between legitimate and malicious use, any matching entries require manual review by TAC against your normal operational posture before being treated as a confirmed indicator.
For advisory CVE-2026-20262, the analysis is focused on several files in the /var/log/nms directory of each Manager (vManage). In some instances, these indicators of compromise can occur during standard operations.
These logs do not distinguish between legitimate and malicious use; therefore, any matching entries require manual review by TAC against your normal operational posture before being treated as a confirmed indicator.
Possible outcomes of the TAC analysis:
Note: Per the CVE-2026-20245 advisory, exploitation requires netadmin privileges, while CVE-2026-20262 requires at least a lower-privileged single-task user account. An unauthenticated attacker can obtain those credentials through valid credentials or exploitation of CVE-2026-20182 or CVE-2026-20127. If your control components have been upgraded to a fixed release for both of those advisories and no indicators of compromise were identified for the prior events, the known unauthenticated exploitation paths for both CVE-2026-20245 and CVE-2026-20262 are mitigated on those specific devices, based on the files reviewed.
If TAC identifies indicators of compromise associated with these advisories in your environment, TAC contacts you with specific guidance. Complete all instructions provided by TAC.
If no indicators of compromise are identified for either advisory, no further action specific to the compromise assessment is required at this time, based on the admin-tech files reviewed. Upgrading to a fixed release for both advisories is still strongly recommended.
These software releases contain fixes for the identified vulnerabilities:
| Applies to Current Versions | Fixed Version | Available Software |
|---|---|---|
| 20.9.9.1 and earlier | 20.9.9.2 | 20.9.9.2 upgrade images for vManage, vSmart and vBond |
| 20.12.7.1 and earlier | 20.12.7.2 | 20.12.7.2 upgrade images for vManage, vSmart, and vBond |
| 20.15.4.4 and earlier | 20.15.4.5 | 20.15.4.5 upgrade images for vManage, vSmart, and vBond |
| 20.15.5.2 and earlier | 20.15.5.3 | 20.15.5.3 upgrade images for vManage, vSmart, and vBond |
| 20.16, 20.17, 20.18.x | 20.18.3.1 | 20.18.3.1 upgrade images for vManage, vSmart, and vBond |
| 26.1 | 26.1.1.2 | 26.1.1.2 upgrade images for vManage, vSmart, and vBond |
Important References:
At the conclusion of a successful remediation, and based on your specific security assurance requirements, Cisco recommends that you evaluate and act on the hygiene activities listed here. These activities apply regardless of which remediation option is selected. They are user-managed; Cisco does not direct or perform them on your behalf.
Cisco does not recommend a particular remediation path; the selection of a remediation option rests with each customer.
Note: Where compromise of an edge device is suspected, a factory reset and re-onboarding of the affected edge device(s) is a customer-managed action to take into account when making your selection. The decision whether to pursue this approach, and which option to select, rests with each customer.
The proper command to perform a secure factory reset is:
factory-reset all secure
Note: Admin-tech collection is the preferred method. Only use the manual verification step shown here if admin-tech files cannot be collected and shared with TAC. The result of this manual step is preliminary; document findings and share them with TAC, who performs the official assessment.
Note: For both advisories, the manual verification consists of targeted log checks. The log entries targeted by these checks are generated by legitimate commands and activity, and the logs alone do not distinguish between legitimate and malicious use. Any matching entry must be reviewed against your normal operational posture before being treated as a potential indicator. If a matching entry cannot be reconciled with normal operations, document the finding and share it with TAC.
scripts.log on each control component for File Upload EntriesPer the PSIRT advisory, users are encouraged to audit log files for entries similar to this example. On release 20.9 and later, this entry is found in scripts.log at /var/log/. On releases prior to 20.9, the equivalent data is found in vdebug logs at /var/log/tmplog/:
Apr 15 09:44:57 vmanage vScript: Tenant list upload per vsmart serial number: /usr/bin/vconfd_script_upload_tenant_list.sh -cli path /home/admin/malicious.csv vpn 0
Step 1: Access vshell on each control component and search the appropriate log files for CVE-2026-20245 indicators
The log file location depends on the software release running on the control component. Determine which applies to your environment before running the search.
Release 20.9 and later — Search scripts.log in the /var/log/tmplog/:
From the vManage CLI, drop into vshell and run:
vs
zgrep "vconfd_script_upload_tenant_list.sh" /var/log/scripts.log*
Releases prior to 20.9 — Search vdebug logs in /var/log/tmplog/:
On releases prior to 20.9, scripts.log is not present. The equivalent log data is written to /var/log/tmplog/vdebug. Up to five rolling numbered files are retained (vdebug, vdebug.1 through vdebug.5). Search all active files with:
vs
zgrep "vconfd_script_upload_tenant_list.sh" /var/log/tmplog/vdebug*
In addition to the active files, older logs are archived as compressed tar files in /var/log/ using the naming pattern vdebug_<timestamp>.tar.gz, with the log data stored inside the archive at var/log/tmplog. Search all archives with:
for f in /var/log/vdebug_*.tar.gz; do echo "=== $f ==="; tar -xOf "$f" var/log/tmplog 2>/dev/null | grep "vconfd_script_upload_tenant_list.sh"; done
Repeat all applicable checks on each control component in the deployment (including all cluster members and any DR-paired vManage).
Step 2: Interpret Results and Document for TAC
If NO matching entries are returned:
If matching entries are returned:
-cli path.Per the PSIRT advisory, users are encouraged to audit these log files on each Manager (vManage) for entries similar to these examples:
Example suspicious entry in vmanage-server.log (located at /var/log/nms/)
11-June-2026 03:53:37,310 EDT INFO [a66cdc5f-807d-4c23-944e-5c809a2ece6b] [server] [SdraAnyConnectFileUploadHandler] (default task-40704) |default| uploaded Remote Access Anyconnect profile file: ../../../../var/lib/wildfly/standalone/deployments/suspicious.war to vManage.
Example suspicious entry in vmanage-appserver.log (located at /var/log/nms/)
11-June-2026 07:52:55,275 UTC INFO [server] (DeploymentScanner-threads - 2) WFLYSRV0010: Deployed "suspicious.war" (runtime-name : "suspicious.war")
Example suspicious entry in serviceproxy-access.log (located at /var/log/nms/containers/service-proxy/)
POST /suspicious/index.jsp HTTP/1.1
Note: On releases prior to 20.9, serviceproxy-access.log is located at /var/log/nms/ rather than /var/log/nms/containers/service-proxy/.
Step 1: Access vshell on each Manager (vManage) and search the log files
From the vManage CLI, drop into vshell and run :
vs
zgrep "SdraAnyConnectFileUploadHandler" /var/log/nms/vmanage-server.log*
zgrep "WFLYSRV0010" /var/log/nms/vmanage-appserver.log*
On some releases, the service-proxy log is accessible directly from vshell. On releases where root shell access is required, download the admin-tech and search the serviceproxy-access.log files within it in the same way using a command similar to:
Release 20.9 and later:
tar -xOf <admin-tech-filename>.tar.gz var/log/nms/containers/service-proxy/serviceproxy-access.log 2>/dev/null | grep "suspicious"
Releases prior to 20.9:
tar -xOf <admin-tech-filename>.tar.gz var/log/nms/serverproxy-access.log 2>/dev/null | grep "suspicious"
If accessing directly from vshell, use the .war filename identified from the results of the previous two commands (without the extension) in place of suspicious:
Release 20.9 and later:
zgrep "POST" /var/log/nms/containers/service-proxy/serviceproxy-access.log* | grep "suspicious"
Releases prior to 20.9:
zgrep "POST" /var/log/nms/serverproxy-access.log* | grep "suspicious"
Repeat the check on every vManage in the deployment (including all cluster members and any DR-paired vManage).
Step 2: Interpret Results and Document for TAC
If NO matching entries are returned:
If matching entries are returned:
vmanage-server.log, capture the timestamp, the full log line, and the file path referenced in the upload handler.Q: What is the first step to address these security advisories?
A: Collect admin-tech files from all control components (vSmart, vManage, vBond) before any upgrade or configuration change to preserve diagnostic data and any potential indicators of compromise. Then open a Cisco TAC case and upload the admin-techs so TAC can analyze them.
Q: Has Cisco released a software fix for these vulnerabilities?
A: Yes, fixed releases are available for both advisories, as listed in the Fixed Software Versions section. There are no workarounds.
Q: Why does Cisco recommend taking action beyond upgrading?
A: Exploitation of these vulnerabilities requires an authenticated user. An unauthenticated attacker can obtain those credentials only through valid credentials or through exploitation of CVE-2026-20182 or CVE-2026-20127. Ensuring control components are upgraded to the fixed releases for those prior advisories addresses the known unauthenticated paths to obtaining the privileges required to exploit these vulnerabilities. The admin-tech analysis in Step 3 helps determine whether any indicators of compromise are present in the files reviewed.
Q: Do I need to collect admin-techs from all control components?
A: Yes. TAC requires admin-tech files from all Controllers (vSmart, collected one at a time), all Managers (vManage), and all Validators (vBond) to perform the analysis.
Q: How does TAC determine if my system has indicators of compromise associated with these advisories?
A: TAC reviews the admin-tech files for indicators of compromise specific to each advisory. For the privilege escalation advisory (CVE-2026-20245), TAC looks for specific log entries in /var/log/scripts.log on each control component. For the arbitrary file write advisory (CVE-2026-20262), TAC looks for specific log entries across three log files on each Manager: /var/log/nms/vmanage-server.log, /var/log/nms/vmanage-appserver.log, and /var/log/nms/containers/service-proxy/serviceproxy-access.log. In both cases, the underlying activity can occur during standard operations; any matching entries are reviewed by TAC against your normal operational posture before being treated as a confirmed indicator.
Q: What happens if indicators of compromise are identified?
A: TAC contacts you with specific guidance. The upgrade alone does not resolve a confirmed compromise. TAC’s guidance is based on the flow documented in the related TechZone articles for the May 2026 and February 2026 advisories.
Q: Are edge routers (Cisco IOS XE) affected by these advisories?
A: These advisories primarily affect Cisco Catalyst SD-WAN control components. For the privilege escalation advisory (CVE-2026-20245), all control components (vManage, vSmart, vBond) are affected, and Cisco has observed limited cases where exploitation resulted in a configuration change being pushed to edge devices; users are encouraged to verify the configuration of their edge devices. For the arbitrary file write advisory (CVE-2026-20262), the vulnerability is confined to the SD-WAN Manager filesystem and does not directly affect edge devices.
Q: Which deployment types are affected?
A: Per these advisories, these vulnerabilities affect all Cisco Catalyst SD-WAN deployment types regardless of device configuration, including On-Prem Deployment, Cisco SD-WAN Cloud-Pro, Cisco SD-WAN Cloud (Cisco Managed), and Cisco SD-WAN for Government (FedRAMP).
Q: I have already upgraded for the May 2026 and February 2026 advisories and no indicators of compromise were identified for those events. Am I exposed to these new vulnerabilities?
A: If your control components are running a fixed release for both CVE-2026-20182 and CVE-2026-20127 and no indicators of compromise were identified for those prior events in the admin-tech files reviewed, the known unauthenticated exploitation paths for both CVE-2026-20245 and CVE-2026-20262 are mitigated on those specific devices, based on the files reviewed. This does not eliminate exposure where an attacker holds valid credentials. Cisco recommends you upgrade to a fixed release for these advisories.
Q: Can I perform the verification myself instead of waiting for TAC?
A: Users who cannot share admin-techs can perform the manual verification step described in the Appendix. The result is preliminary; document findings and share them with TAC, who performs the official assessment.
Q: What are the general best practices for hardening my SD-WAN overlay?
A: Refer to the Cisco Catalyst SD-WAN Hardening Guide for best practices.
Q: Does Cisco TAC provide forensic analysis or investigation services for these vulnerabilities?
A: Cisco TAC can assist users by reviewing admin-tech files for the indicators of compromise documented in both PSIRT advisories. Cisco TAC does not perform in-depth forensic analysis or incident investigations. For comprehensive forensic work or detailed security investigations, users are encouraged to engage their preferred third-party Incident Response (IR) firm.
| Revision | Publish Date | Comments |
|---|---|---|
8.0 |
22-Jun-2026
|
Verification Steps updated for release prior to 20.9 |
7.0 |
16-Jun-2026
|
Appendix update to include additional information |
6.0 |
16-Jun-2026
|
Information added for CVE-2026-20262 |
5.0 |
12-Jun-2026
|
Fixed software releases added. |
4.0 |
11-Jun-2026
|
26.1.1.2 image released |
3.0 |
10-Jun-2026
|
Added Fixed Version 20.18.3.1 |
2.0 |
05-Jun-2026
|
Documentation Update |
1.0 |
05-Jun-2026
|
Initial Release |