
CVE-2026-20262 | Cisco Catalyst SD-WAN Manager — Path Traversal
CVE-2026-20262 is a directory or path traversal vulnerability in Cisco Catalyst SD-WAN Manager. This class of flaw allows attackers to access files and directories outside the intended scope on the affected system, potentially exposing sensitive configuration data or credentials, or enabling further lateral movement across the SD-WAN fabric.
Affected Product: Cisco Catalyst SD-WAN Manager (formerly vManage)
Remediation Deadline (FCEB): Per BOD 26-04 requirements, federal agencies must prioritize remediation immediately.
CVE-2026-54420 | LiteSpeed cPanel Plugin — Symlink Following
CVE-2026-54420 is a UNIX symbolic link (symlink) following vulnerability in the LiteSpeed cPanel Plugin. Symlink attacks allow a local attacker to trick a privileged process into accessing or overwriting files outside its intended scope — commonly abused for privilege escalation or for reading sensitive files on shared hosting environments.
Affected Product: LiteSpeed cPanel Plugin
Impact: Shared hosting environments running cPanel with LiteSpeed are at elevated risk — particularly relevant given the OptinMonster CDN attack also hitting WordPress-hosted infrastructure this week.
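Both weakness classes above (path traversal and symlink following) come down to a privileged process resolving a path that someone else controls. The sketch below is an added defensive example, not code from Cisco, LiteSpeed or the advisories, and it does not model the actual vulnerable code paths, which this page does not describe. The names `open_beneath`, `UnsafePath` and `demo` are hypothetical, and the tenant directory is constructed sample data.

```python
import errno
import os
import tempfile
from pathlib import Path

class UnsafePath(Exception):
    """Path would leave the base directory."""

def _open_nofollow(name, flags, dir_fd):
    try:
        return os.open(name, flags | os.O_NOFOLLOW, 0o600, dir_fd=dir_fd)
    except OSError as exc:
        # ELOOP/EMLINK: component is a symlink; ENOTDIR: not a real directory
        if exc.errno in (errno.ELOOP, errno.EMLINK, errno.ENOTDIR):
            raise UnsafePath(f"refused component {name!r}") from exc
        raise

def open_beneath(base_dir, relpath, flags=os.O_RDONLY):
    """Open relpath under base_dir; no '..', no symlinks in any component."""
    parts = relpath.split("/")
    if any(p in ("", ".", "..") for p in parts):  # also rejects absolute paths
        raise UnsafePath(f"refused path {relpath!r}")
    dir_fd = os.open(base_dir, os.O_RDONLY | os.O_DIRECTORY)  # base is trusted
    try:
        # Walk one component at a time relative to an already-open directory,
        # so a symlink swapped in between check and use cannot redirect us.
        for part in parts[:-1]:
            nxt = _open_nofollow(part, os.O_RDONLY | os.O_DIRECTORY, dir_fd)
            os.close(dir_fd)
            dir_fd = nxt
        return _open_nofollow(parts[-1], flags, dir_fd)
    finally:
        os.close(dir_fd)

def demo():
    """Constructed tenant directory with two planted symlinks."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root, tenant = Path(tmp), Path(tmp, "tenant")
        (tenant / "logs").mkdir(parents=True)
        (root / "secret.txt").write_text("outside")
        (tenant / "logs" / "app.log").write_text("ok")
        (tenant / "logs" / "evil.log").symlink_to(root / "secret.txt")
        (tenant / "up").symlink_to(root)
        for rel in ("logs/app.log", "logs/evil.log", "up/secret.txt", "../secret.txt"):
            try:
                with os.fdopen(open_beneath(tenant, rel)) as f:
                    results[rel] = f.read()
            except UnsafePath:
                results[rel] = "blocked"
    return results
```

Calling `demo()` returns a dict in which only `logs/app.log` is readable; the two symlinked paths and the `..` path are reported as blocked.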
BOD 26-04 Context
BOD 26-04 reinforces the importance of the KEV catalog and requires federal agencies to prioritize rapid remediation of high-risk vulnerabilities, specifically those identified by CVEs listed in CISA’s KEV catalog on publicly exposed assets. While BOD 26-04 applies only to FCEB agencies, CISA encourages all organizations to adopt risk-based vulnerability management and prioritize remediation of KEV catalog vulnerabilities.
TheCyberThrone Lens
This is the fifth Cisco SD-WAN KEV entry in 2026 — CVE-2026-20127, CVE-2022-20775 (Feb), CVE-2026-20133 (Apr), CVE-2026-20182 (May), CVE-2026-20245 (Jun 9), and now CVE-2026-20262 (Jun 15). CISA has essentially declared SD-WAN infrastructure a sustained active targeting zone. If your organization runs Catalyst SD-WAN and hasn’t hardened per Cisco’s SD-WAN Hardening Guide, the remediation window is closing fast.
The LiteSpeed symlink entry alongside the OptinMonster CDN attack is a pattern signal — web hosting infrastructure is under coordinated pressure this week.


