# [CRIT] Cisco Releases Security Updates for Actively Exploited SD-WAN Manager Flaw **Source:** The Hacker News **Published:** 2026-06-16 **Article:** https://thehackernews.com/2026/06/cisco-releases-security-updates-for.html ## Threat Profile Cisco Releases Security Updates for Actively Exploited SD-WAN Manager Flaw  Ravie Lakshmanan  Jun 16, 2026 Vulnerability / Network Security Cisco has released security updates for a medium-severity security flaw in Catalyst SD-WAN Manager that has come under active exploitation in the wild. The vulnerability, tracked as CVE-2026-20262 , carries a CVSS score of 6.5 out of 10.0. "A vulnerability in the web UI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an authenticat… ## Indicators of Compromise (high-fidelity only) - **CVE:** `CVE-2026-20262` - **CVE:** `CVE-2026-20245` - **CVE:** `CVE-2026-20182` - **CVE:** `CVE-2026-20127` - **CVE:** `CVE-2026-20122` - **CVE:** `CVE-2026-20128` - **CVE:** `CVE-2026-20133` - **CVE:** `CVE-2022-20775` - **IPv4 (defanged):** `1.1.1.54` - **IPv4 (defanged):** `1.1.1.4` ## MITRE ATT&CK Techniques - **T1539** — Steal Web Session Cookie - **T1555.003** — Credentials from Web Browsers - **T1190** — Exploit Public-Facing Application - **T1071** — Application Layer Protocol - **T1204.002** — User Execution: Malicious File - **T1505.003** — Server Software Component: Web Shell - **T1071.001** — Application Layer Protocol: Web Protocols ## Kill chain phases observed _(none detected from narrative keywords)_ ## Recommended hunts ### vManage SdraAnyConnect handler writes WAR via path traversal `UC_49_4` · phase: **exploit** · confidence: **High** · AI-generated for this article **Splunk SPL (CIM):** ```spl search index=cisco_sdwan source="/var/log/nms/vmanage-server.log" "SdraAnyConnectFileUploadHandler" "uploaded Remote Access Anyconnect profile file" | rex field=_raw "file:\s+(?\S+)\s+to\s+vManage" | where like(uploaded_path, "%../%") OR like(uploaded_path, "%.war") OR like(uploaded_path, "%.jsp") | stats min(_time) as first_seen, count, values(uploaded_path) as paths by host | where first_seen >= relative_time(now(), "-7d@d") ``` ### Wildfly WFLYSRV0010 deploys non-baseline WAR on vManage `UC_49_5` · phase: **install** · confidence: **High** · AI-generated for this article **Splunk SPL (CIM):** ```spl search index=cisco_sdwan source="/var/log/nms/vmanage-appserver.log" "WFLYSRV0010: Deployed" | rex field=_raw "WFLYSRV0010:\s+Deployed\s+.(?\S+?\.war)" | where isnotnull(war_name) AND NOT match(war_name, "^(vmanage|configuration|olap|scheduler|statistics|sdwan).*\.war$") | stats min(_time) as first_seen, count, values(war_name) as war_files by host | where first_seen >= relative_time(now(), "-7d@d") ``` ### vManage service-proxy POST to attacker-deployed JSP webshell `UC_49_6` · phase: **c2** · confidence: **High** · AI-generated for this article **Splunk SPL (CIM):** ```spl search index=cisco_sdwan source="/var/log/nms/containers/service-proxy/serviceproxy-access.log" "POST" ".jsp" | rex field=_raw "POST\s+(?/\S+\.jsp)\s+HTTP" | where isnotnull(uri_path) AND NOT match(uri_path, "^/(login|app|portal|home|static|dataservice)/") | stats min(_time) as first_seen, count, dc(src) as unique_sources, values(uri_path) as jsp_paths by host | where first_seen >= relative_time(now(), "-7d@d") ``` ### Infostealer — non-browser process accessing browser cookie/login DBs `UC_BROWSER_STEALER` · phase: **actions** · confidence: **High** **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where (Filesystem.file_path="*\Google\Chrome\User Data\*\Login Data*" OR Filesystem.file_path="*\Google\Chrome\User Data\*\Cookies*" OR Filesystem.file_path="*\Microsoft\Edge\User Data\*\Login Data*" OR Filesystem.file_path="*\Mozilla\Firefox\Profiles\*\logins.json*" OR Filesystem.file_path="*\Mozilla\Firefox\Profiles\*\cookies.sqlite*") AND NOT Filesystem.process_name IN ("chrome.exe","msedge.exe","firefox.exe","brave.exe","opera.exe") by Filesystem.dest, Filesystem.process_name, Filesystem.file_path, Filesystem.user | `drop_dm_object_name(Filesystem)` ``` **Defender KQL:** ```kql DeviceFileEvents | where Timestamp > ago(7d) | where InitiatingProcessAccountName !endswith "$" | where FolderPath has_any (@"\Google\Chrome\User Data\", @"\Microsoft\Edge\User Data\", @"\Mozilla\Firefox\Profiles\") | where FileName in~ ("Login Data","Cookies","logins.json","cookies.sqlite") | where InitiatingProcessFileName !in~ ("chrome.exe","msedge.exe","firefox.exe","brave.exe","opera.exe") | project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, FolderPath, FileName, ActionType ``` ### Article-specific behavioural hunt — Cisco Releases Security Updates for Actively Exploited SD-WAN Manager Flaw `UC_49_3` · phase: **install** · confidence: **High** **Splunk SPL (CIM):** ```spl ``` Article-specific bespoke detection — Cisco Releases Security Updates for Actively Exploited SD-WAN Manager Flaw ``` | tstats `summariesonly` count from datamodel=Endpoint.Filesystem where Filesystem.action IN ("created","modified") AND (Filesystem.file_path="*/var/log/nms/vmanage-server.log*" OR Filesystem.file_path="*/var/lib/wildfly/standalone/deployments/suspicious.war*" OR Filesystem.file_path="*/var/log/nms/vmanage-appserver.log*" OR Filesystem.file_path="*/var/log/nms/containers/service-proxy/serviceproxy-access.log*") by Filesystem.dest, Filesystem.user, Filesystem.process_name, Filesystem.file_path, Filesystem.file_name | `drop_dm_object_name(Filesystem)` ``` **Defender KQL:** ```kql // Article-specific bespoke detection — Cisco Releases Security Updates for Actively Exploited SD-WAN Manager Flaw // Hunts the actual binaries / paths / commandline fragments named // in the article instead of a generic technique-class template. // File-creation events for the named binaries / paths DeviceFileEvents | where Timestamp > ago(30d) | where ActionType in ("FileCreated","FileModified") | where (FolderPath has_any ("/var/log/nms/vmanage-server.log", "/var/lib/wildfly/standalone/deployments/suspicious.war", "/var/log/nms/vmanage-appserver.log", "/var/log/nms/containers/service-proxy/serviceproxy-access.log")) | project Timestamp, DeviceName, AccountName, FolderPath, FileName, ActionType, InitiatingProcessFileName, InitiatingProcessCommandLine | order by Timestamp desc ``` ### IOC-driven hunts (use shared templates) These are standard IOC-substitution hunts — the canonical SPL and KQL live once in [`_TEMPLATES.md`](../_TEMPLATES.md), so we don't repeat the same boilerplate on every CVE / hash / network-IOC briefing. - **Asset exposure — vulnerability matches article CVE(s)** ([template](../_TEMPLATES.md#asset-exposure)) — phase: **recon**, confidence: **High** - CVE(s): `CVE-2026-20262`, `CVE-2026-20245`, `CVE-2026-20182`, `CVE-2026-20127`, `CVE-2026-20122`, `CVE-2026-20128`, `CVE-2026-20133`, `CVE-2022-20775` - **Network connections to article IPs / domains** ([template](../_TEMPLATES.md#network-ioc)) — phase: **c2**, confidence: **High** - IP / domain IOC(s): `1.1.1.54`, `1.1.1.4` ## Why this matters Severity classified as **CRIT** based on: CVE present, IOCs present, 7 use case(s) fired, 7 technique(s) inferred. Read the full article for actor attribution, tooling details, and any defanged IOCs in the body that aren't visible in the RSS summary.