The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two vulnerabilities to its Known Exploited Vulnerabilities catalog after confirming both are being used in real-world attacks. One sits in Cisco's Catalyst SD-WAN Manager, the console that administers software-defined networks across large enterprises; the other is in a LiteSpeed plugin commonly deployed on cPanel web hosting servers.
The Known Exploited Vulnerabilities (KEV) catalog is CISA's running list of flaws that attackers are actively abusing. Under Binding Operational Directive 26-04, which updates the earlier BOD 22-01, federal civilian agencies must prioritize fixing KEV-listed bugs on internet-facing systems that would hand an attacker full control. CISA urges every other organization to treat the list the same way.
What's affected
- CVE-2026-20262 is a directory (path) traversal flaw in Cisco Catalyst SD-WAN Manager. Path traversal lets an attacker reach files outside the folder an application is meant to expose, which can leak sensitive data or aid a deeper compromise.
- CVE-2026-54420 is a symbolic-link (symlink) following flaw in the LiteSpeed plugin for cPanel. Symlink-following bugs can be abused to make a privileged process read or write files it should never touch, a classic route to escalating access on shared hosting.
CISA did not publish exploitation specifics, attacker identities, or victim counts, which is standard for KEV entries. The listing itself is the signal: both bugs are being exploited now.
Why this matters
Cisco's SD-WAN Manager has become a recurring target. IntelFusions has previously reported on active exploitation of a separate Catalyst SD-WAN zero-day used to plant webshells, so defenders running this platform should treat any new SD-WAN Manager flaw as high priority. The LiteSpeed cPanel bug is lower-profile but hits web hosting providers, where a single compromised server can expose many customer sites at once.
What you should do
Apply the vendor updates for both products as soon as possible. Federal civilian agencies face a hard remediation deadline under BOD 26-04, but the same urgency applies to anyone running Catalyst SD-WAN Manager or LiteSpeed on cPanel. If you cannot patch immediately, restrict management interfaces to trusted networks and review logs for unexpected file access on the affected systems.
The two additions were published in CISA's June 15 alert.