Cisco Enterprise Devices: More Critical Flaws and Active Exploitation in June 2026
Cisco products have been battered in 2026 by critical-severity, actively exploited vulnerabilities [1][2][3][4][5][6][7][8][9]. Recently exploited Catalyst SD-WAN Manager and Controller flaws include CVE-2026-20133 (CVSS 7.5, EPSS >= 95th pctl), CVE-2026-20128 (CVSS 7.8, EPSS >= 90th pctl), CVE-2026-20122 (CVSS 5.4, EPSS >= 93rd pctl), CVE-2026-20127 (CVSS 10, EPSS 99th pctl), and CVE-2026-20182 (CVSS 10, EPSS >= 99th pctl). In total, eleven Cisco vulnerabilities have appeared in CISA’s Known Exploited Vulnerabilities (KEV) catalog this year.
SD-WAN platforms are attractive to cyber adversaries because they centralize routing, policy enforcement, network visibility, and administrative control across enterprise IT environments. Repeated exploitation of SD-WAN flaws indicates that attackers are prioritizing network infrastructure targets that can support traffic manipulation [T1565.002], lateral movement [TA0008], persistence [TA0003], and broader operational impact including ransomware attacks.
Greenbone’s OPENVAS ENTERPRISE FEED has detection for all CVEs discussed in this blog post and includes a dedicated family for detecting Cisco security vulnerabilities. Here are the top new emerging threats affecting Cisco products from June 2026:
CVE-2026-20245 and CVE-2026-20262: New Flaws in Catalyst SD-WAN Actively Exploited
CVE-2026-20245: Authenticated Command Execution with Root-Level Privileges
CVE-2026-20245 (CVSS 7.8, EPSS >= 57th pctl), published on June 4, 2026, allows an authenticated local attacker with netadmin privileges to execute arbitrary commands as root on Cisco Catalyst SD-WAN Controller, Manager, and Validator. The root cause is insufficient validation of user-supplied input in uploaded files [CWE-20]. According to Mandiant, attackers used stolen credentials in tandem with CVE-2026-20245 to gain root-level access via a malicious CSV upload.
CVE-2026-20245 affects Cisco Catalyst SD-WAN Controller, Cisco Catalyst SD-WAN Manager, and Cisco Catalyst SD-WAN Validator across all deployment types, including on-premises, Cisco SD-WAN Cloud-Pro, Cisco-managed SD-WAN Cloud, and Cisco SD-WAN for Government. Cisco has released fixes in Catalyst SD-WAN releases 20.9.9.2, 20.12.7.2, 20.15.4.5, 20.15.5.3, 20.18.3.1, and 26.1.1.2. There are no workarounds, and Cisco recommends upgrading to a fixed release after preserving logs and collecting admin-tech files for compromise review.
CVE-2026-20262: Authenticated File Creation with Attack Chain for Root-Level Compromise
CVE-2026-20262 (CVSS 6.5, EPSS >= 63rd pctl), published on June 15, 2026, allows an authenticated remote attacker with valid low-privileged write access to create or overwrite files on Cisco Catalyst SD-WAN Manager systems. The flaw is caused by improper pathname restriction during file upload [CWE-22]. Cisco confirmed limited exploitation activity in June 2026, and CISA has added CVE-2026-20262 to its KEV catalog. There is no indication of a public PoC exploit or detailed third-party technical analysis.
According to Cisco, attackers can obtain the required privileges through valid credentials or prior exploitation of CVE-2026-20182 (CVSS 10) or CVE-2026-20127 (CVSS 10), and the vendor’s official advisory describes limited cases where exploitation pushed configuration changes to edge devices. Internet-exposed Catalyst SD-WAN Manager systems are at higher risk because exploitation can be used to upload suspicious WAR or JSP files, deploy malicious code, and potentially support follow-on activity that leads to root-level compromise.
Cisco Catalyst SD-WAN Manager was affected regardless of device configuration across on-premises, Cisco SD-WAN Cloud-Pro, Cisco SD-WAN Cloud (Cisco Managed), and Cisco SD-WAN for Government (FedRAMP) deployments. Cisco fixed the issue in Catalyst SD-WAN Manager releases 20.9.9.2, 20.12.7.2, 20.15.4.5, 20.15.5.3, 20.18.3.1, and 26.1.1.2. There are no workarounds for CVE-2026-20262, so mitigation requires upgrading to a fixed release. The OPENVAS ENTERPRISE FEED includes a remote banner check for identifying devices affected by CVE-2026-20262.
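The post lists the same fixed releases for CVE-2026-20245 and CVE-2026-20262, so one inventory check covers both. The following Python is an added example, not code from Cisco or Greenbone: it triages release strings against that list. It assumes releases are matched by train (the first two components) and then by maintenance line (the third component). Trains or later releases that the post does not list are flagged for review against Cisco's advisory. The hostnames and sample releases are constructed.

```python
# Added example: triage Catalyst SD-WAN release strings against the fixed
# releases listed in this post for CVE-2026-20245 and CVE-2026-20262.
import re

# Fixed releases exactly as listed in the post.
FIXED = ["20.9.9.2", "20.12.7.2", "20.15.4.5", "20.15.5.3", "20.18.3.1", "26.1.1.2"]


def parse(version):
    """Turn '20.15.4.5' into (20, 15, 4, 5); pad short strings with zeros."""
    if not re.fullmatch(r"\d+(\.\d+){1,3}", version.strip()):
        raise ValueError(f"unrecognised release string: {version!r}")
    parts = [int(p) for p in version.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def triage(version):
    """Return 'fixed', 'upgrade' or 'check-advisory' for one release string."""
    v = parse(version)
    train = [f for f in map(parse, FIXED) if f[:2] == v[:2]]
    if not train:
        # Assumption: trains the post does not list are left to the advisory.
        return "check-advisory"
    # Prefer the fixed release on the same maintenance line (third component),
    # which matters for 20.15, where the post lists both 20.15.4.5 and 20.15.5.3.
    same_line = [f for f in train if f[2] == v[2]]
    if same_line:
        return "fixed" if v >= same_line[0] else "upgrade"
    if v < min(train):
        return "upgrade"
    # Assumption: a release past every listed fix in its train is not confirmed
    # by the post, so it is flagged for manual review rather than called fixed.
    return "check-advisory"


def report(inventory):
    """Map hostname -> triage result for a {hostname: release} inventory."""
    return {host: triage(rel) for host, rel in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and releases are illustrative.
    sample = {"vmanage-01": "20.15.4.4", "vsmart-01": "20.15.5.3",
              "vbond-01": "20.12.6", "vmanage-lab": "20.18.3.1"}
    for host, result in report(sample).items():
        print(f"{host}: {result}")
```

Release strings with build suffixes raise `ValueError` rather than being guessed at, so normalise them before feeding an inventory in.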
CVE-2026-20230: Unified Communications Manager Actively Exploited via Unauthenticated HTTP Requests
CVE-2026-20230 (CVSS 8.6, EPSS 42nd pctl), published on June 3, 2026, allows an unauthenticated remote attacker to exploit Cisco Unified Communications Manager and Unified CM Session Management Edition through a WebDialer server-side request forgery flaw [CWE-918]. The root cause is improper input validation of HTTP requests. Exploitation requires WebDialer to be enabled, which is disabled by default. However, successful attacks can write files to the underlying OS and support later privilege escalation to root level.
CISA has added CVE-2026-20230 to its KEV list, making it the second known actively exploited CVE in Cisco Unified Communications Manager in 2026. Reports indicate the vulnerability is being used to drop web shells [T1505.003] for remote code execution (RCE). Public PoC exploit code and a full technical description have been released by SSD Secure Disclosure.
Cisco has released fixes for Unified CM and Unified CM SME 14SU6 and 15SU5 or COP1, notes that there are no workarounds, and recommends disabling WebDialer as a temporary mitigation until patching is complete. The OPENVAS ENTERPRISE FEED includes package-level detection for CVE-2026-20230.
Two Critical Flaws in Cisco ISE — One Allows Root-Level RCE
CVE-2026-20181 (CVSS 9.1, EPSS 43rd pctl) and CVE-2026-20190 (CVSS 7.5, EPSS 29th pctl), published on June 17, 2026, allow RCE, privilege escalation, denial of service (DoS), and information disclosure in Cisco Identity Services Engine and Cisco ISE Passive Identity Connector. Active exploitation has not been reported, and neither PoC exploit code nor detailed technical analysis is available yet.
CVE-2026-20181 allows an authenticated administrator to exploit HTTP requests to gain user-level OS access and escalate to root-level privileges. CVE-2026-20190 allows an unauthenticated attacker to access sensitive information, including hashed credentials that could support follow-on attacks if those credentials can be cracked. Both flaws affect Cisco ISE and ISE-PIC regardless of device configuration. In single-node deployments, CVE-2026-20181 can make the ISE node unavailable, preventing authentication by other endpoints until the node is restored.
Cisco states that there are no workarounds for either vulnerability, so affected customers should upgrade or apply the available hot patch where applicable. See Cisco’s advisory for specific affected versions and upgrade instructions. The OPENVAS ENTERPRISE FEED includes package-level detection for both CVE-2026-20181 and CVE-2026-20190 [1][2].
Summary
Cisco faced another wave of enterprise security threats to its products in June 2026 amid an ongoing barrage. Emerging threats include new actively exploited Catalyst SD-WAN and Unified Communications Manager vulnerabilities, plus critical Cisco ISE flaws. The issues enable root-level command execution, file creation, SSRF attacks, credential exposure, and DoS, as well as potential follow-on attacks if credentials are cracked. Greenbone’s OPENVAS ENTERPRISE FEED has detection for all CVEs discussed in this blog post and includes a dedicated family for detecting Cisco security vulnerabilities. Defenders can try Greenbone’s flagship OPENVAS BASIC for free, including a two-week trial of the OPENVAS ENTERPRISE FEED.
Joseph has had a varied and passionate background in IT and cyber security since the late 1980s. His early technical experience included working on an IBM PS/2, assembling PCs and programming in C++.
He also pursued academic studies in computer and systems engineering, anthropology and an MBA in technology forecasting.
Joseph has worked in data analytics, software development and, in particular, enterprise IT security. He specialises in vulnerability management, encryption and penetration testing.




