SB2026061606 - Authenticated file upload in Cisco Catalyst SD-WAN Manager

Description

This security bulletin contains information about 1 vulnerability.

1) Path traversal (CVE-ID: CVE-2026-20262)

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N/E:A/U:Amber

The vulnerability allows a remote user to create or overwrite arbitrary files on the filesystem.

The vulnerability exists due to path traversal in the web UI file upload process when handling file upload requests to an affected API endpoint. A remote user can send a crafted HTTP request to create or overwrite arbitrary files on the filesystem.

A created or overwritten file could later be used to elevate privileges to root.

Note, the vulnerability is being actively exploited in the wild.

Remediation

Install update from vendor's website.

References

• https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-arbfw-c2rZvQ
• https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwu18441