CVE-2026-20122: Arbitrary File Overwrite in Cisco Catalyst SD-WAN Manager API
Vulnerability ID: CVE-2026-20122
CVSS Score: 5.4
Published: 2026-02-25
A vulnerability in the API interface of Cisco Catalyst SD-WAN Manager (formerly vManage) allows an authenticated, remote attacker to overwrite arbitrary files on the underlying operating system. The flaw stems from improper input validation and insufficient privilege checks within specific API endpoints used for file ingestion. By exploiting this vulnerability, an attacker with read-only credentials can overwrite critical system files, potentially leading to privilege escalation to the 'vmanage' user context. This issue is actively being exploited in the wild, often chained with authentication bypass vulnerabilities.
TL;DR
Authenticated remote attackers with read-only permissions can overwrite arbitrary files on the Cisco SD-WAN Manager filesystem via the API. This can lead to privilege escalation. Patches are available in versions 20.9.8.2, 20.12.5.3, 20.15.4.2, and 20.18.2.1.
⚠️ Exploit Status: ACTIVE
Technical Details
- CVSS v3.1: 5.4 (Medium)
- Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
- CWE: CWE-648 (Incorrect Use of Privileged APIs)
- EPSS Score: 0.04% (Low but rising)
- Exploit Status: Active Exploitation Reported
- Privilege Required: Read-Only (Low)
Affected Systems
- Cisco Catalyst SD-WAN Manager (vManage)
- Cisco Catalyst SD-WAN Manager: < 20.9.8.2 (Fixed in: 20.9.8.2)
- Cisco Catalyst SD-WAN Manager: 20.11.0 - 20.12.5.2 (Fixed in: 20.12.5.3)
- Cisco Catalyst SD-WAN Manager: 20.13.0 - 20.15.4.1 (Fixed in: 20.15.4.2)
- Cisco Catalyst SD-WAN Manager: 20.16.0 - 20.18.2.0 (Fixed in: 20.18.2.1)
Mitigation Strategies
- Update Software
- Network Segmentation
- Account Auditing
Remediation Steps:
- Identify the current software version of the Cisco Catalyst SD-WAN Manager.
- Download the appropriate fixed release from the Cisco Software Center based on the current train:
  - For 20.9.x, upgrade to 20.9.8.2 or later.
  - For 20.12.x, upgrade to 20.12.5.3 or later.
  - For 20.15.x, upgrade to 20.15.4.2 or later.
  - For 20.18.x, upgrade to 20.18.2.1 or later.
- Audit all existing user accounts and remove any unnecessary read-only users.
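The first two remediation steps can be scripted across an inventory. The following is an added example, not code from Cisco or from the original report: it checks version strings against the affected ranges listed above and returns the fixed release to target. The hostnames and inventory are constructed sample data, and the "not-listed" status for trains the advisory does not mention (such as 20.10.x) is an assumption of this example.

```python
import re

# Ranges as listed in this advisory: (lowest affected, first fixed release).
# A version v is affected when low <= v < fixed; low=None means no lower bound.
RANGES = [
    (None,      "20.9.8.2"),
    ("20.11.0", "20.12.5.3"),
    ("20.13.0", "20.15.4.2"),
    ("20.16.0", "20.18.2.1"),
]

def parse(version):
    """Turn '20.12.5.2' into (20, 12, 5, 2); pad short versions with zeros."""
    version = version.strip()
    if not re.fullmatch(r"\d+(\.\d+){1,3}", version):
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def triage(version):
    """Return (status, fixed_release_or_None) for one Manager version."""
    v = parse(version)
    for low, fixed in RANGES:
        if (low is None or parse(low) <= v) and v < parse(fixed):
            return ("affected", fixed)
    # Same train as a fixed release and at or above it: treated as fixed.
    if any(v[:2] == parse(f)[:2] and v >= parse(f) for _, f in RANGES):
        return ("fixed", None)
    # Assumption of this example: anything else needs manual review
    # against the vendor advisory rather than being reported as safe.
    return ("not-listed", None)

# Constructed inventory: hostnames and versions are made-up sample data.
INVENTORY = {
    "vmanage-dc1": "20.12.5.2",
    "vmanage-dc2": "20.15.4.2",
    "vmanage-lab": "20.6.3",
    "vmanage-old": "20.10.1",
}

def report(inventory):
    """Map each host to its (status, fixed_release) pair."""
    return {host: triage(ver) for host, ver in inventory.items()}

if __name__ == "__main__":
    for host, (status, fixed) in report(INVENTORY).items():
        print(f"{host:12} {INVENTORY[host]:10} {status:10} {fixed or '-'}")
```
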