Cisco Catalyst SD-WAN Manager Path Traversal Exploitation
Detects exploitation attempts targeting CVE-2026-20262, a path traversal vulnerability (CWE-22) in Cisco Catalyst SD-WAN Manager. Active exploitation has been confirmed by CISA KEV. Attackers can traverse directory boundaries via crafted HTTP requests to access sensitive files outside the web root, potentially exposing credentials, configuration data, or enabling further compromise of the SD-WAN management plane.
Vulnerability Intelligence
KEV — Known Exploited
Affected Software
- Vendor
- Cisco
- Product
- Catalyst SD-WAN Manager
Weakness (CWE)
- CWE-22 (path traversal)
Timeline
- Disclosed
- June 15, 2026
References & Proof of Concept
- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-arbfw-c2rZvQ
- https://www.cisa.gov/news-events/directives/bod-26-04-prioritizing-security-updates-based-risk
- https://www.cisa.gov/news-events/directives/bod-26-04-implementation-guidance-prioritizing-security-updates-based-risk
- https://nvd.nist.gov/vuln/detail/CVE-2026-20262
CVSS
What is CVE-2026-20262 Cisco Catalyst SD-WAN Manager Path Traversal Exploitation?
Cisco Catalyst SD-WAN Manager Path Traversal Exploitation (CVE-2026-20262) maps to the MITRE ATT&CK tactics Initial Access, Discovery and Credential Access; under Initial Access, the adversary is trying to get into your network.
This page provides production-ready detection logic for Cisco Catalyst SD-WAN Manager Path Traversal Exploitation, covering the data sources and telemetry it touches: CommonSecurityLog, W3CIISLog, Syslog. The queries below are rated critical severity at high confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.
MITRE ATT&CK
- Initial Access
- Discovery
- Credential Access
KQL (Microsoft Sentinel / Defender)
union CommonSecurityLog, W3CIISLog
| where TimeGenerated >= ago(24h)
// W3CIISLog carries IIS column names (csUriStem, cIP, sIP, csMethod); fold them onto the CommonSecurityLog names used below
| extend RequestURL = coalesce(RequestURL, csUriStem), SourceIP = coalesce(SourceIP, cIP), DestinationIP = coalesce(DestinationIP, sIP), RequestMethod = coalesce(RequestMethod, csMethod)
| where RequestURL has_any ("../", "..%2f", "..%2F", "%2e%2e%2f", "%2e%2e/", "..%5c", "%2e%2e%5c")
| where RequestURL has_any ("/dataservice/", "/management/", "/template/", "/config/")
// has_any is case-insensitive but regex matching is not; (?i) keeps %2E%2E%2F from being counted as depth 0
| extend TraversalDepth = array_length(extract_all(@"(?i)(\.\./|\.\.\\|%2e%2e%2f|%2e%2e/|\.\.%5c|%2e%2e%5c)", RequestURL))
| where TraversalDepth >= 1
| extend TargetPath = extract(@"(?i)(?:\.\./|\.\.\\|%2e%2e%2f|%2e%2e/|\.\.%5c|%2e%2e%5c)+([^?#]+)", 1, RequestURL)
| where TargetPath has_any ("etc/passwd", "etc/shadow", "etc/hosts", "proc/", "var/log", "home/", ".ssh", "authorized_keys", "id_rsa", "config", "credentials")
| project TimeGenerated, SourceIP, DestinationIP, RequestURL, TargetPath, TraversalDepth, RequestMethod, ResponseCode, DeviceVendor, DeviceProduct
| order by TimeGenerated desc
Detects HTTP requests to Cisco SD-WAN Manager containing path traversal sequences targeting sensitive system files. Covers URL-encoded and double-encoded traversal patterns against known SD-WAN API endpoints.
Data Sources
Required Tables
- CommonSecurityLog
- W3CIISLog
- Syslog
False Positives
- Legitimate security scanners (Qualys, Tenable, Rapid7) performing vulnerability assessments against SD-WAN Manager
- Penetration testing activities with authorized scope covering SD-WAN infrastructure
- Web application firewalls logging blocked traversal attempts that never reached the application
- URL monitoring tools that encode paths in ways that resemble traversal sequences
Sigma rule & cross-platform mapping
The detection logic for Cisco Catalyst SD-WAN Manager Path Traversal Exploitation (CVE-2026-20262) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:
logsource:
  product: windows
Note that product: windows does not describe the web-server and CEF telemetry (CommonSecurityLog, W3CIISLog) the KQL above consumes; adjust the logsource (for example category: webserver) to match the log source you actually deploy against.
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Basic Path Traversal File Read via SD-WAN Manager API
Expected signal: Web server access log entry with URI containing '../../../../etc/passwd', HTTP response code 200 or 400/403 depending on patch status, source IP of test host
- Test 2: URL-Encoded Path Traversal Against SD-WAN Template API
Expected signal: Access log entry with raw URI containing %2e%2e%2f sequences targeting /template/ endpoint, HTTP response code logged by web server before or after URL normalization
- Test 3: Double-Encoded Traversal Bypass Attempt
Expected signal: Access log entry with double-encoded URI; if the server double-decodes the URL, a subsequent audit log event showing /etc/passwd file access at the OS level
- Test 4: Traversal to SD-WAN Configuration File for Credential Harvesting
Expected signal: Multiple HTTP requests in quick succession with traversal sequences targeting vmanage configuration paths; response sizes indicating file content if successful
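The following Python is an added reference implementation of the detection logic in the KQL query above and of the telemetry the four tests are expected to produce; it is not the page's, Cisco's or the vendor's own code. It applies the same checks as the KQL (SD-WAN endpoint filter, traversal depth, extracted target path, sensitive-path match) to constructed access-log records, but first percent-decodes the URI up to twice so that the plain, URL-encoded and double-encoded requests of Tests 1 to 3 are all counted, flags requests a WAF blocked (the page's false-positive note) via an assumed DeviceAction field, and reports the burst of requests from one source that Test 4 describes. The sample records, IP addresses and timestamps are constructed for the example.

```python
"""Reference implementation of the page's path-traversal detection (added example, not
the page's or Cisco's code). Field names follow CommonSecurityLog; the DeviceAction
field, the sample records and the burst window are assumptions made for this example."""
import re
from datetime import datetime, timedelta
from typing import Optional
from urllib.parse import unquote

# Endpoint prefixes and sensitive-path indicators copied from the KQL filters on the page.
SDWAN_ENDPOINTS = ("/dataservice/", "/management/", "/template/", "/config/")
SENSITIVE_TARGETS = ("etc/passwd", "etc/shadow", "etc/hosts", "proc/", "var/log",
                     "home/", ".ssh", "authorized_keys", "id_rsa", "config", "credentials")
TRAVERSAL_RE = re.compile(r"\.\./")            # one '../' hop after normalisation
TARGET_RE = re.compile(r"(?:\.\./)+([^?#]+)")  # path that follows the run of hops
ENCODING_LABEL = ("plain", "url-encoded", "double-encoded")


def normalize(url: str, max_rounds: int = 2):
    """Percent-decode up to max_rounds times ('%252e%252e%252f' -> '%2e%2e%2f' -> '../'),
    then fold backslash hops ('..\\', '..%5c') onto '../'. Returns (decoded_url, rounds)."""
    rounds = 0
    for _ in range(max_rounds):
        decoded = unquote(url)
        if decoded == url:
            break
        url, rounds = decoded, rounds + 1
    return url.replace("\\", "/"), rounds


def analyze(record: dict) -> Optional[dict]:
    """Apply the KQL's logic to one record: SD-WAN endpoint filter, TraversalDepth >= 1,
    TargetPath extraction, sensitive-path match. Returns an alert dict or None."""
    raw = record["RequestURL"]
    url, rounds = normalize(raw)
    if not any(ep in url.lower() for ep in SDWAN_ENDPOINTS):
        return None
    depth = len(TRAVERSAL_RE.findall(url))
    if depth < 1:
        return None
    match = TARGET_RE.search(url)
    target = match.group(1) if match else ""
    if not any(s in target.lower() for s in SENSITIVE_TARGETS):
        return None
    return {
        "TimeGenerated": datetime.fromisoformat(record["TimeGenerated"]),
        "SourceIP": record["SourceIP"],
        "RequestURL": raw,
        "TargetPath": target,
        "TraversalDepth": depth,
        "Encoding": ENCODING_LABEL[rounds],
        "ResponseCode": record.get("ResponseCode"),
        # Page's false-positive note: a request the WAF blocked never reached the application.
        "BlockedAtWAF": record.get("DeviceAction", "").lower() in ("block", "deny", "drop"),
    }


def run_detection(records) -> list:
    """Evaluate every record and keep the alerts in input order."""
    return [alert for alert in map(analyze, records) if alert]


def burst_sources(alerts, window: timedelta = timedelta(seconds=60), threshold: int = 3) -> list:
    """Test 4 signal: sources with at least `threshold` traversal alerts inside one window."""
    times_by_src = {}
    for alert in alerts:
        times_by_src.setdefault(alert["SourceIP"], []).append(alert["TimeGenerated"])
    bursting = []
    for src, times in times_by_src.items():
        times.sort()
        if any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1)):
            bursting.append(src)
    return bursting


# Constructed sample records (not real telemetry), one per test on the page plus controls.
SAMPLE_RECORDS = [
    {"TimeGenerated": "2026-06-16T10:00:00", "SourceIP": "198.51.100.7",      # Test 1: plain
     "RequestURL": "/dataservice/template/../../../../etc/passwd", "ResponseCode": 200, "DeviceAction": "allow"},
    {"TimeGenerated": "2026-06-16T10:00:05", "SourceIP": "198.51.100.7",      # Test 2: URL-encoded
     "RequestURL": "/dataservice/template/%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fshadow", "ResponseCode": 403, "DeviceAction": "allow"},
    {"TimeGenerated": "2026-06-16T10:00:09", "SourceIP": "198.51.100.7",      # Test 3: double-encoded
     "RequestURL": "/dataservice/config/%252e%252e%252f%252e%252e%252fhome%252fadmin%252f.ssh%252fauthorized_keys",
     "ResponseCode": 200, "DeviceAction": "allow"},
    {"TimeGenerated": "2026-06-16T11:00:00", "SourceIP": "203.0.113.9",       # blocked at the WAF
     "RequestURL": "/management/../../etc/passwd", "ResponseCode": 403, "DeviceAction": "block"},
    {"TimeGenerated": "2026-06-16T11:05:00", "SourceIP": "203.0.113.10",      # benign request
     "RequestURL": "/dataservice/device/monitor", "ResponseCode": 200, "DeviceAction": "allow"},
    {"TimeGenerated": "2026-06-16T11:06:00", "SourceIP": "203.0.113.11",      # traversal outside the SD-WAN endpoints
     "RequestURL": "/static/../../etc/passwd", "ResponseCode": 404, "DeviceAction": "allow"},
]

if __name__ == "__main__":
    alerts = run_detection(SAMPLE_RECORDS)
    for alert in alerts:
        print(alert)
    print("burst sources:", burst_sources(alerts))
```

One caveat the example makes visible: the KQL matches literal encoded substrings in RequestURL, so a double-encoded request (%252e%252e%252f) is only caught if the log source records the normalized URI rather than the raw one, which is exactly the condition Test 3 leaves open. Decoding explicitly before matching, as above, removes that dependency; the WAF-blocked request still produces an alert, as it would in the KQL, but carries BlockedAtWAF so it can be deprioritised rather than suppressed.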