The Pattern Is the Story
Cisco's Catalyst SD-WAN platform has now accumulated seven confirmed zero-day vulnerabilities exploited in the wild during 2026. Not seven vulnerabilities discovered. Seven actively exploited, confirmed by Cisco, added to CISA's Known Exploited Vulnerabilities catalog, with federal remediation deadlines set and — in several cases — already passed.
The latest, CVE-2026-20245, allows an authenticated attacker with netadmin privileges to execute arbitrary commands as root by uploading a maliciously crafted file. CISA added it to the KEV catalog on June 9 with a June 23 remediation deadline. That deadline arrived on Monday. CVE-2026-20262, a Catalyst SD-WAN Manager path traversal vulnerability, was added the same week with a June 29 deadline. Mandiant's analysis revealed that one exploit chain involved a malicious CSV file that opened a root shell — a mundane file format weaponized against critical network infrastructure.
What Makes This Different
Individual zero-days happen. What is happening to Cisco SD-WAN in 2026 is qualitatively different. CISA issued a joint advisory in February with international partners about the 'ongoing global exploitation of Cisco SD-WAN systems.' That was after the third zero-day. We are now at seven. The advisory used the word 'ongoing' — meaning CISA expected more to follow. They were right.
The attack surface compounds. Each zero-day that hits SD-WAN infrastructure does not just add one more entry to a vulnerability database. It signals to attackers that this platform rewards continued research. The discovery-to-exploitation timeline is collapsing: CVE-2026-20262 was exploited for months before Cisco even issued a patch. Defenders are running remediation sprints on a product that keeps producing new zero-days faster than they can patch the old ones.
The Enterprise Network Is the Web's Foundation
SD-WAN is not a niche product. It is the network fabric that connects enterprise branch offices, data centres, and cloud workloads. When an attacker achieves root on an SD-WAN controller, they do not compromise one server. They potentially control routing, traffic inspection, and network segmentation across an entire enterprise. Every web application, API gateway, and cloud service that runs across that network is now traversing infrastructure controlled by the attacker.
This is why WebPulse tracks network infrastructure security alongside web framework vulnerabilities. A Next.js application with zero CVEs running on a network where the SD-WAN controller has been rooted is not secure. The framework score is irrelevant if the network layer is compromised. Cisco SD-WAN's 2026 vulnerability trajectory is a reminder that web security extends far below the application layer.
The ISE Parallel
Cisco's Identity Services Engine (ISE) is running a parallel vulnerability track. CVE-2026-20181 and CVE-2026-20190 are remote code execution vulnerabilities in ISE that allow unauthenticated attackers to execute arbitrary commands. ISE controls network access policies — who can connect to what. If the SD-WAN controls where traffic goes, ISE controls who is allowed to generate that traffic. Both layers are under active attack simultaneously.
The Unified Communications Manager is also affected. CVE-2026-20230, added to CISA KEV on June 25, is an SSRF vulnerability that enables unauthenticated remote file writes and root escalation. Cisco's enterprise infrastructure stack — networking, identity, and communications — is facing a coordinated exploitation campaign across multiple product lines.
What This Means for Decision Makers
Seven zero-days in six months in a single product line changes the risk calculus. This is no longer a patching problem. Organisations running Cisco SD-WAN need to evaluate whether the platform's architectural exposure has crossed a threshold where patching alone is insufficient and architectural alternatives — network segmentation independent of SD-WAN, zero-trust overlays, alternative SD-WAN vendors — need to be on the table.
The CISA KEV deadlines are not suggestions. Federal agencies face binding operational directives. But private sector organisations should treat them with equal urgency. When CISA sets a remediation deadline and the vendor has not yet shipped a patch — as happened with CVE-2026-20262 — the gap between 'deadline' and 'available fix' is the window where attackers have the advantage and defenders have nothing.
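The deadline tracking the paragraph above describes, as an added example rather than code from the article, Cisco or CISA: a small checker that reads a KEV catalog document, matches its entries against the products an organisation actually runs, and reports which ones are overdue, open, or already remediated. The feed field names (cveID, vendorProject, product, dateAdded, dueDate) are those of CISA's public known_exploited_vulnerabilities.json; the embedded feed is a constructed sample in that shape, in which only the CVE IDs and the dates stated in the article are taken from it and the remaining dates and the last entry are placeholders. The Asset inventory schema is hypothetical.

```python
"""KEV deadline tracker: flag catalog entries for products in an inventory whose
remediation due date has passed.  Added example; not the article's code and
not a Cisco or CISA tool."""
from __future__ import annotations

import json
from collections import Counter
from dataclasses import dataclass, field
from datetime import date

# Constructed sample in the shape of CISA's known_exploited_vulnerabilities.json
# (same field names as the real feed).  Only the CVE IDs and the dates the
# article states (CVE-2026-20245 added 2026-06-09, due 2026-06-23;
# CVE-2026-20262 due 2026-06-29; CVE-2026-20230 added 2026-06-25) come from it;
# every other date, and the final entry, is a placeholder.
SAMPLE_KEV_JSON = json.dumps({
    "title": "constructed KEV sample",
    "vulnerabilities": [
        {"cveID": "CVE-2026-20245", "vendorProject": "Cisco",
         "product": "Catalyst SD-WAN", "dateAdded": "2026-06-09",
         "dueDate": "2026-06-23"},
        {"cveID": "CVE-2026-20262", "vendorProject": "Cisco",
         "product": "Catalyst SD-WAN Manager",
         "dateAdded": "2026-06-11",            # placeholder date
         "dueDate": "2026-06-29"},
        {"cveID": "CVE-2026-20230", "vendorProject": "Cisco",
         "product": "Unified Communications Manager",
         "dateAdded": "2026-06-25",
         "dueDate": "2026-07-09"},             # placeholder date
        {"cveID": "CVE-0000-00000", "vendorProject": "ExampleVendor",   # placeholder entry
         "product": "Unrelated Product", "dateAdded": "2026-06-01",
         "dueDate": "2026-06-15"},
    ],
})

# Order in which statuses are reported: what is already past its deadline first.
STATUS_RANK = {"overdue": 0, "open": 1, "remediated": 2}


@dataclass
class Asset:
    """One product line from the organisation's inventory (hypothetical schema)."""
    vendor: str
    product_keyword: str                     # matched case-insensitively against KEV 'product'
    remediated: set[str] = field(default_factory=set)   # CVE IDs already fixed


def parse_kev(feed_text: str) -> list[dict]:
    """Return the 'vulnerabilities' array of a KEV feed document."""
    return json.loads(feed_text)["vulnerabilities"]


def matches(entry: dict, asset: Asset) -> bool:
    """Vendor must match exactly; the product keyword only needs to appear in the product name."""
    return (entry["vendorProject"].casefold() == asset.vendor.casefold()
            and asset.product_keyword.casefold() in entry["product"].casefold())


def kev_status(feed_text: str, inventory: list[Asset], today: date) -> list[dict]:
    """Report every KEV entry that touches the inventory, overdue items first."""
    report = []
    for entry in parse_kev(feed_text):
        for asset in inventory:
            if not matches(entry, asset):
                continue
            days_to_due = (date.fromisoformat(entry["dueDate"]) - today).days
            if entry["cveID"] in asset.remediated:
                status = "remediated"
            elif days_to_due < 0:
                status = "overdue"
            else:
                status = "open"
            report.append({"cveID": entry["cveID"], "product": entry["product"],
                           "dueDate": entry["dueDate"], "daysToDue": days_to_due,
                           "status": status})
    report.sort(key=lambda r: (STATUS_RANK[r["status"]], r["daysToDue"]))
    return report


def summary(report: list[dict]) -> dict[str, int]:
    """Count of matched entries per status."""
    return dict(Counter(r["status"] for r in report))


if __name__ == "__main__":
    inventory = [Asset("Cisco", "SD-WAN"), Asset("Cisco", "Unified Communications")]
    for row in kev_status(SAMPLE_KEV_JSON, inventory, date(2026, 6, 26)):
        print(f"{row['status']:<11} {row['cveID']}  {row['product']}  "
              f"due {row['dueDate']} ({row['daysToDue']:+d} days)")
```

In production the feed text would be fetched from CISA's published JSON on a schedule and the inventory kept with the asset register; the point of the `remediated` set is that an entry only drops out of the overdue list when the organisation records a fix, not when the vendor ships one, which is exactly the gap the article describes for CVE-2026-20262.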