CISA Adds Two Known Exploited Vulnerabilities to Catalog (CVE-2026-20262, CVE-2026-54420)
CISA has added two actively exploited vulnerabilities, CVE-2026-20262 affecting Cisco Catalyst SD-WAN Manager and CVE-2026-54420 affecting the LiteSpeed cPanel Plugin, to its Known Exploited Vulnerabilities (KEV) catalog. Organizations are urged to prioritize remediation of these flaws, particularly on publicly exposed assets, and to investigate for potential pre-patch compromise in alignment with risk-based vulnerability management practices outlined in BOD 26-04.
What Happened
CISA has warned that two software vulnerabilities are currently being used by attackers in the real world. The affected software includes Cisco Catalyst SD-WAN Manager and the LiteSpeed cPanel Plugin. Because these flaws are actively being exploited, they pose a significant risk to organizations using these products, potentially allowing attackers to gain control of the systems. Administrators should immediately apply the latest security updates and check for signs of unauthorized access to protect their environments.
Key Takeaways
- CISA added CVE-2026-20262 (Cisco Catalyst SD-WAN Manager) and CVE-2026-54420 (LiteSpeed cPanel Plugin) to the Known Exploited Vulnerabilities (KEV) catalog.
- Both vulnerabilities have evidence of active exploitation in the wild.
- Federal Civilian Executive Branch (FCEB) agencies are required to prioritize rapid remediation of these flaws on publicly exposed assets per BOD 26-04.
- Organizations are expected to check whether threat actors compromised their systems before the patches were applied.
Affected Systems
- Cisco Catalyst SD-WAN Manager
- LiteSpeed cPanel Plugin
Vulnerabilities (CVEs)
- CVE-2026-20262
- CVE-2026-54420
Attack Chain
While the specific attack chain is not detailed in the alert, threat actors are actively exploiting a directory/path traversal vulnerability in Cisco Catalyst SD-WAN Manager (CVE-2026-20262) and a symlink following vulnerability in the LiteSpeed cPanel Plugin (CVE-2026-54420). Exploitation of these vulnerability classes typically allows attackers to bypass access controls, read unauthorized sensitive files, or execute arbitrary code, potentially leading to total asset control post-exploitation.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
No specific detection rules or queries are provided in the alert.
Detection Engineering Assessment
- EDR Visibility: Low — Cisco SD-WAN Manager is a network appliance where standard EDR deployment is typically not supported. LiteSpeed cPanel servers may have EDR, but symlink exploitation can often blend with legitimate administrative or web server tasks.
- Network Visibility: Medium — Path traversal attacks against web interfaces (such as Cisco SD-WAN) can often be detected via WAF or network IDS/IPS inspecting HTTP traffic for anomalous URI patterns.
- Detection Difficulty: Moderate — Detecting path traversal and symlink abuse requires baseline knowledge of normal application behavior, robust web access logging, and file integrity monitoring.
Required Log Sources
- Web Server Access Logs
- WAF Logs
- Linux Auditd (for cPanel)
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for anomalous HTTP requests containing path traversal sequences (e.g., '../', '%2e%2e%2f') targeting the Cisco Catalyst SD-WAN Manager web interface. | WAF Logs, Web Server Access Logs | Initial Access | Low |
| If you have visibility into cPanel server file systems, consider hunting for unexpected symbolic links created in web-accessible directories pointing to sensitive system files like /etc/passwd. | File System Monitoring, Linux Auditd | Privilege Escalation | Medium |
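The first hypothesis above, worked through as an added example (not from the advisory): a hunt over web server access logs that percent-decodes each request URI repeatedly, so single- and double-encoded `../` sequences are both caught, and flags traversal attempts. The log lines, IPs and paths are constructed samples, and a `200` on a traversal request is surfaced separately because it suggests the request was served rather than rejected.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in combined log format; addresses and paths are invented.
SAMPLE_LOG = """\
203.0.113.10 - - [01/May/2026:10:00:01 +0000] "GET /app/files/report.pdf HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [01/May/2026:10:00:02 +0000] "GET /app/files/../../../etc/passwd HTTP/1.1" 200 1024 "-" "curl/8.0"
203.0.113.12 - - [01/May/2026:10:00:03 +0000] "GET /app/files/%2e%2e%2f%2e%2e%2fetc/shadow HTTP/1.1" 403 0 "-" "python-requests/2.31"
203.0.113.13 - - [01/May/2026:10:00:04 +0000] "GET /app/files/%252e%252e%252fetc/passwd HTTP/1.1" 404 0 "-" "curl/8.0"
203.0.113.14 - - [01/May/2026:10:00:05 +0000] "GET /images/logo..png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)
# A ".." path component bounded by slashes (or line start/end); "logo..png" does not match.
TRAVERSAL_RE = re.compile(r'(^|/)\.\.(/|$)')


def decode_fully(uri, max_rounds=3):
    """Percent-decode until stable so %252e%252e (double-encoded ..) is caught too."""
    for _ in range(max_rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri


def find_traversal(log_text):
    """Return (client_ip, raw_uri, status) for every request whose decoded URI
    contains a traversal component; backslashes are normalised to slashes first."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        decoded = decode_fully(m["uri"]).replace("\\", "/")
        if TRAVERSAL_RE.search(decoded):
            hits.append((m["ip"], m["uri"], int(m["status"])))
    return hits


def served_traversals(hits):
    """Traversal requests answered with 200: the ones to escalate first, since
    a 403/404 usually means the application or WAF refused them."""
    return [h for h in hits if h[2] == 200]
```

Running `find_traversal(SAMPLE_LOG)` flags the three traversal lines and leaves the benign `logo..png` request alone; `served_traversals` narrows that to the single request that returned 200.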
Control Gaps
- Lack of WAF inspection on internal or management interfaces
- Insufficient file integrity monitoring on web hosting servers
Key Behavioral Indicators
- HTTP requests with directory traversal characters
- Creation of symlinks to sensitive system files by web server processes
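The symlink indicator above, as an added example rather than anything from the advisory: a filesystem check that walks a web-accessible directory without following links and reports every symlink whose resolved target lies outside the document root. It generalises the `/etc/passwd` case to any out-of-docroot target; `build_demo` creates a constructed layout under a temporary directory with a stand-in for a sensitive file, so nothing on the real system is touched.

```python
import os
import tempfile
from pathlib import Path


def escaping_symlinks(web_root):
    """Return (link relative to web_root, resolved target) for each symlink under
    web_root whose target resolves outside it. In-tree links are normal hosting
    practice; links that escape the docroot are what the hunt is looking for."""
    root = Path(web_root).resolve()
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        # Directory symlinks show up in dirnames but are not descended into.
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            if not p.is_symlink():
                continue
            try:
                target = p.resolve(strict=True)
            except (OSError, RuntimeError):
                target = Path(os.readlink(p))  # dangling or looping link: keep the raw target
            if target != root and root not in target.parents:
                findings.append((str(p.relative_to(root)), str(target)))
    return findings


def build_demo():
    """Constructed layout (not a real server): a docroot with one benign in-tree
    link and one link pointing out of the tree at a fake sensitive file."""
    base = Path(tempfile.mkdtemp())
    docroot = base / "public_html"
    (docroot / "assets").mkdir(parents=True)
    (docroot / "assets" / "site.css").write_text("body{}")
    secret = base / "etc_passwd_stand_in"  # stands in for /etc/passwd
    secret.write_text("root:x:0:0::/root:/bin/sh\n")
    os.symlink(docroot / "assets" / "site.css", docroot / "style.css")  # benign
    os.symlink(secret, docroot / "passwd.txt")  # escapes the docroot
    return docroot
```

On a live host the same function can be pointed at each account's document root; pair its output with auditd records of which process created the link to separate administrator activity from web server processes.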
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting.
- Identify all instances of Cisco Catalyst SD-WAN Manager and LiteSpeed cPanel Plugin in your environment.
- Apply vendor-supplied patches or mitigations for CVE-2026-20262 and CVE-2026-54420 immediately, prioritizing publicly exposed assets.
- Evaluate systems for signs of compromise that may have occurred prior to patching, as mandated by BOD 26-04 guidelines.
Infrastructure Hardening
- Ensure management interfaces for network appliances like Cisco SD-WAN are not exposed to the public internet.
- Evaluate whether Web Application Firewalls (WAF) are actively inspecting traffic to critical administrative portals.
User Protection
- If applicable, restrict access to cPanel and SD-WAN management interfaces to authorized administrators via VPN or zero-trust network access.
Security Awareness
- Consider incorporating risk-based vulnerability management principles into your organization's patching policies, prioritizing actively exploited flaws listed in the KEV catalog.
MITRE ATT&CK Mapping
- T1190 - Exploit Public-Facing Application