Cisco CVE-2026-20262 Added to CISA KEV; Eighth Exploited SD-WAN Flaw

Cisco released patches for CVE-2026-20262, an unauthenticated server-side request forgery flaw in SD-WAN Manager now actively exploited, as CISA issued a 13-day federal deadline.

    Cisco disclosed CVE-2026-20262, an unauthenticated server-side request forgery (SSRF) vulnerability in Cisco SD-WAN Manager, as CISA added the flaw to its Known Exploited Vulnerabilities catalog on June 16 with a 13-day remediation deadline for federal agencies. CVE-2026-20262 is the eighth Cisco SD-WAN Manager vulnerability confirmed as actively exploited in 2026 — a count with no parallel in any other single enterprise product line from any vendor this year.

    CVE-2026-20262: Unauthenticated SSRF in SD-WAN Manager

    CVE-2026-20262 is a server-side request forgery vulnerability in the Cisco SD-WAN Manager web interface. An unauthenticated remote attacker can send crafted HTTP requests that cause the appliance to make outbound connections to internal or external hosts on behalf of the attacker — without supplying any valid credentials.

    In observed exploitation, threat actors have used the SSRF to probe internal network segments not otherwise reachable from the internet, reach internal administrative APIs on SD-WAN controller infrastructure, and in one confirmed case extract AWS instance metadata credentials from the appliance’s cloud-hosted management node. Stealing instance metadata credentials gives the attacker access to cloud resources attached to the management node’s IAM role, extending the compromise beyond the SD-WAN appliance itself.
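As an added illustration (not from Cisco's advisory or this article), the three behaviours described above can be hunted for in egress flow records from the management node: metadata-service access, unexpected internal destinations, and fan-out across internal hosts. The record format, the expected-peer range and the fan-out threshold are assumptions, and the sample records are constructed.

```python
import ipaddress
from collections import defaultdict

IMDS = ipaddress.ip_address("169.254.169.254")  # AWS instance metadata endpoint
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumption: the internal peers this management node legitimately contacts.
EXPECTED_PEERS = [ipaddress.ip_network("10.10.0.0/28")]
FANOUT_THRESHOLD = 5  # assumed cut-off: distinct unexpected internal (ip, port) targets

# Constructed egress flow records from the management node: "time src dst dport"
SAMPLE_FLOWS = """\
09:00:01 10.10.0.5 10.10.0.6 443
09:00:02 10.10.0.5 203.0.113.10 443
09:14:30 10.10.0.5 10.20.1.1 22
09:14:30 10.10.0.5 10.20.1.2 22
09:14:31 10.10.0.5 10.20.1.3 8443
09:14:31 10.10.0.5 10.20.1.4 8443
09:14:32 10.10.0.5 10.20.1.5 8443
09:15:02 10.10.0.5 169.254.169.254 80
"""

def in_any(ip, networks):
    return any(ip in net for net in networks)

def triage(flows, expected=EXPECTED_PEERS, threshold=FANOUT_THRESHOLD):
    """Return (time, src, dst, reason) findings for SSRF-consistent egress."""
    findings, unexpected = [], defaultdict(set)
    for line in flows.strip().splitlines():
        ts, src, dst, dport = line.split()
        ip = ipaddress.ip_address(dst)
        if ip == IMDS:
            findings.append((ts, src, dst, "metadata service access"))
        elif in_any(ip, RFC1918) and not in_any(ip, expected):
            findings.append((ts, src, dst, f"unexpected internal destination port {dport}"))
            unexpected[src].add((dst, dport))
    # Many distinct unexpected internal targets from one source looks like probing.
    for src, targets in unexpected.items():
        if len(targets) >= threshold:
            findings.append(("-", src, "*", f"internal fan-out to {len(targets)} targets"))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_FLOWS):
        print(*finding)
```

Flow records do not show which process opened a connection, so a finding is a lead to correlate with the web interface's request logs rather than proof of exploitation.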

    No Authentication Required: Why This Widens the Attacker Pool

    CVE-2026-20262 requires no valid credentials. Any attacker who can reach the SD-WAN Manager web interface over the network can attempt exploitation. This is a broader attack surface than a flaw requiring low-privilege authentication: it is exploitable without any prior foothold in the victim’s environment, directly from the internet against any internet-exposed SD-WAN Manager instance.

    No workaround is available. Cisco’s advisory recommends immediate patching and, for organizations that cannot patch immediately, restricting management-plane access to SD-WAN Manager to trusted administrative IP ranges via access control lists.

    FedRAMP Scope and the June 29 Federal Deadline

    CISA’s KEV addition carries a BOD 22-01 remediation deadline of June 29 for all Federal Civilian Executive Branch (FCEB) agencies — a 13-day window reflecting the urgency of confirmed active exploitation. The deadline applies to all FCEB agencies, but confirmed exploitation of an unauthenticated SSRF enabling cloud credential theft warrants immediate action regardless of federal obligations.

    Eight Exploited Cisco SD-WAN Vulnerabilities in 2026: A Pattern of Deliberate Targeting

    CVE-2026-20262 is the eighth Cisco SD-WAN Manager vulnerability confirmed as actively exploited in 2026. SecurityWeek notes that five of the eight zero-days were discovered by external security researchers and two were identified through active exploitation before Cisco was notified.

    This is not a coincidence of disclosure timing; it is evidence that threat actors have identified Cisco SD-WAN Manager as a high-value, frequently vulnerable target and have organized sustained exploitation campaigns against it. Each unpatched SD-WAN Manager instance faces a well-documented exploitation history and an attacker community that has repeatedly demonstrated the capability and willingness to exploit the product.

    What the Pattern Means for Network Defenders

    Organizations running Cisco SD-WAN Manager and delaying patch deployment are not operating a low-attention target. The ongoing cadence of exploited zero-days in this product line through 2026 indicates that threat actors are actively hunting the SD-WAN Manager attack surface and will continue to do so.

    Prior published coverage noted a seventh Cisco SD-WAN zero-day earlier in June. CVE-2026-20262 is a distinct and separate vulnerability, addressed in SD-WAN Manager releases 20.12.4 and 21.1.1.

    Apply Patches in SD-WAN Manager Release 20.12.4 or 21.1.1

    Organizations running Cisco SD-WAN Manager should apply the patches released in versions 20.12.4 and 21.1.1 immediately. Organizations that cannot patch immediately should restrict management-plane access to trusted ACLs as an interim measure. The FCEB deadline of June 29 applies to all federal agencies, but given confirmed active exploitation, any delay in patching or access restriction creates ongoing risk.
