CISA ADDS TWO ACTIVELY EXPLOITED VULNERABILITIES TO KNOWN EXPLOITED VULNERABILITIES CATALOG

Threat Summary

Category: Vulnerability Alert
Affected Technology: Cisco Catalyst SD-WAN Manager, LiteSpeed cPanel Plugin
Primary Risk: Unauthorized Access Through Path Traversal and Symlink Exploitation
Exploitation Status: Active Exploitation Confirmed
Target Environment: Federal Civilian Executive Branch Agencies, Organizations Utilizing Affected Products
Operational Impact: Potential Unauthorized Access and Security Impact
Threat Surface: Exposed Cisco Catalyst SD-WAN Manager and LiteSpeed cPanel Plugin Installations

CISA has added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog based on evidence of active exploitation. The newly added vulnerabilities are CVE-2026-20262, affecting Cisco Catalyst SD-WAN Manager and labeled by CISA as a Directory or Path Traversal Vulnerability, and CVE-2026-54420, affecting the LiteSpeed cPanel Plugin and labeled as a UNIX Symbolic Link (Symlink) Following Vulnerability. Cisco’s own advisory describes CVE-2026-20262 as a flaw that can allow an authenticated remote attacker to create or overwrite arbitrary files on an affected system, so organizations should follow both CISA’s alert language and the vendor’s technical guidance when assessing risk and remediation. According to CISA, these types of vulnerabilities remain a frequent attack vector for malicious cyber actors and pose significant risks to the federal enterprise. Their inclusion in the KEV Catalog indicates that exploitation activity has been observed and validated, making them higher-priority remediation items for affected organizations

Vulnerability Breakdown

CVE-2026-20262 affects Cisco Catalyst SD-WAN Manager and is classified as a directory or path traversal vulnerability.

CVE-2026-54420 affects the LiteSpeed cPanel Plugin and is classified as a UNIX symbolic link (symlink) following vulnerability.

CISA has not provided additional technical details regarding observed exploitation activity within the alert. The agency’s inclusion of both vulnerabilities in the KEV Catalog serves as confirmation that active exploitation has occurred.

Infrastructure at Risk

• Cisco Catalyst SD-WAN Manager deployments
• LiteSpeed cPanel Plugin deployments
• Federal Civilian Executive Branch environments utilizing affected products
• Organizations operating affected Cisco technologies
• Organizations operating affected LiteSpeed technologies

Threat Activity

The KEV Catalog is maintained by CISA to identify vulnerabilities for which there is evidence of active exploitation.

Threat actors frequently target vulnerabilities that provide opportunities to gain unauthorized access to systems and resources. Once a vulnerability is added to the KEV Catalog, organizations are encouraged to prioritize remediation efforts due to the elevated risk associated with active exploitation.

CISA continues to add vulnerabilities to the catalog when they meet established criteria, including the existence of a CVE identifier, evidence of exploitation, and available mitigation guidance.

Policy / Allied Pressure

The additions fall under Binding Operational Directive (BOD) 26-04: Prioritizing Security Updates Based on Risk, which updated previous federal vulnerability management requirements established under BOD 22-01.

According to CISA, BOD 26-04 requires Federal Civilian Executive Branch agencies to prioritize remediation of high-risk vulnerabilities listed in the KEV Catalog, particularly vulnerabilities affecting publicly exposed assets that could grant substantial control of a system following successful exploitation.

The directive also establishes expectations for agencies to determine whether systems were compromised before remediation efforts were completed.

While BOD 26-04 applies specifically to federal agencies, CISA encourages all organizations to adopt risk-based vulnerability management practices and prioritize remediation of vulnerabilities included within the KEV Catalog.

Vendor Defense / Reliance

Organizations utilizing affected Cisco or LiteSpeed products should:

• Identify affected systems
• Review available vendor security advisories
• Apply available patches and mitigations
• Prioritize remediation efforts
• Review systems for indicators of compromise
• Assess exposed assets for potential exploitation
• Monitor affected environments for suspicious activity
• Validate system security following remediation

Forecast — 30 Days

• Continued remediation efforts across federal agencies
• Increased attention on affected Cisco and LiteSpeed deployments
• Additional organizational reviews of exposed assets
• Ongoing monitoring for exploitation activity
• Continued prioritization of KEV-listed vulnerabilities

TRJ Verdict

The addition of CVE-2026-20262 and CVE-2026-54420 to CISA’s Known Exploited Vulnerabilities Catalog confirms that both vulnerabilities have moved beyond theoretical security concerns and into active exploitation.

Organizations utilizing affected Cisco Catalyst SD-WAN Manager and LiteSpeed cPanel Plugin deployments should prioritize remediation efforts and evaluate systems for evidence of compromise. For security teams, the active exploitation designation is the most important factor, as it indicates that threat actors are already leveraging these vulnerabilities against real-world targets.

🔥 NOW AVAILABLE! 🔥

‎👉 Eclipsera – Apple Music

Sponsored • TRJ Ads
Inquiries: contact@therealistjuggernaut.com

AVAILABLE

AVAILABLE

AVAILABLE

AVAILABLE

AVAILABLE

AVAILABLE

AVAILABLE

AVAILABLE

AVAILABLE

AVAILABLE

AVAILABLE

AVAILABLE

AVAILABLE

AVAILABLE

AVAILABLE

AVAILABLE

AVAILABLE

AVAILABLE