Cyber Posture

CVE-2026-20122

Medium · CISA KEV · Active Exploitation

Published: 25 February 2026

Modified: 21 April 2026
CVSS Score: 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N)
EPSS Score: 0.0112 (78.4th percentile)
Risk Priority: 31 (60% EPSS · 20% KEV · 20% CVSS)

Description

A vulnerability in the API of Cisco Catalyst SD-WAN Manager could allow an authenticated, remote attacker to overwrite arbitrary files on the local file system. To exploit this vulnerability, the attacker must have valid read-only credentials with API access on the affected system. This vulnerability is due to improper file handling on the API interface of an affected system. An attacker could exploit this vulnerability by uploading a malicious file on the local file system. A successful exploit could allow the attacker to overwrite arbitrary files on the affected system and gain vmanage user privileges.

Mitigating Controls (NIST 800-53 r5) [AI]

Prevent: Validates API inputs to prevent malicious file uploads that exploit improper file handling in Cisco Catalyst SD-WAN Manager.

Prevent: Enforces approved access authorizations to block read-only credential holders from overwriting arbitrary files on the local file system.

Prevent: Implements least privilege to ensure read-only API access lacks permissions for file modification and privilege escalation.

Security Summary [AI]

CVE-2026-20122 is a vulnerability in the API of Cisco Catalyst SD-WAN Manager that stems from improper file handling on the API interface. An authenticated, remote attacker with valid read-only credentials and API access could exploit this issue to overwrite arbitrary files on the local file system of the affected system.

To exploit the vulnerability, an attacker must possess valid read-only credentials granting API access to the Cisco Catalyst SD-WAN Manager. By uploading a malicious file via the API, the attacker can overwrite arbitrary files, potentially gaining vmanage user privileges. The CVSS v3.1 base score is 5.4 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N), associated with CWE-648.

Mitigation details are available in the Cisco Security Advisory at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-authbp-qwCX8D4v. The vulnerability is also listed in the CISA Known Exploited Vulnerabilities Catalog at https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-20122.

Details

CWE(s)
KEV Date Added: See CISA KEV catalog

Affected Products

cisco
catalyst sd-wan manager
20.12.6 · ≤ 20.9.8.2 · 20.10 — 20.12.5.3 · 20.13 — 20.15.4.2

MITRE ATT&CK Enterprise Techniques [AI]

T1068 Exploitation for Privilege Escalation (Tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The vulnerability allows authenticated remote attackers to overwrite arbitrary files via the API, enabling privilege escalation to vmanage user privileges, directly mapping to Exploitation for Privilege Escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References