CVE-2026-20122
Cisco Catalyst SD-WAN Manager Incorrect Use of Privileged APIs Vulnerability - [Actively Exploited]
Description
A vulnerability in the API of Cisco Catalyst SD-WAN Manager could allow an authenticated, remote attacker to overwrite arbitrary files on the local file system. To exploit this vulnerability, the attacker must have valid read-only credentials with API access on the affected system. This vulnerability is due to improper file handling on the API interface of an affected system. An attacker could exploit this vulnerability by uploading a malicious file on the local file system. A successful exploit could allow the attacker to overwrite arbitrary files on the affected system and gain vmanage user privileges.
INFO
Published Date :
Feb. 25, 2026, 5:25 p.m.
Last Modified :
April 21, 2026, 11:59 a.m.
Remotely Exploit :
Yes !
Source :
[email protected]
CISA KEV (Known Exploited Vulnerabilities)
For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild.
Cisco Catalyst SD-WAN Manager contains an incorrect use of privileged APIs vulnerability due to improper file handling on the API interface of an affected system. An attacker could exploit this vulnerability by uploading a malicious file on the local file system. A successful exploit could allow the attacker to overwrite arbitrary files on the affected system and gain vmanage user privileges.
Please adhere to CISA’s guidelines to assess exposure and mitigate risks associated with Cisco SD-WAN devices as outlines in CISA’s Emergency Directive 26-03 (URL listed below in Notes) and CISA’s “Hunt & Hardening Guidance for Cisco SD-WAN Devices (URL listed below in Notes). Adhere to the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available.
Unknown
CISA Mitigation Instructions: https://www.cisa.gov/news-events/directives/ed-26-03-mitigate-vulnerabilities-cisco-sd-wan-systems ; https://www.cisa.gov/news-events/directives/supplemental-direction-ed-26-03-hunt-and-hardening-guidance-cisco-sd-wan-systems ; https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-authbp-qwCX8D4v ; https://nvd.nist.gov/vuln/detail/CVE-2026-20122
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS 3.1 | MEDIUM | [email protected] | ||||
| CVSS 3.1 | MEDIUM | [email protected] |
Solution
- Update Cisco Catalyst SD-WAN Manager software.
- Apply security patches provided by the vendor.
- Restrict API access to trusted sources.
- Monitor for unauthorized file modifications.
Public PoC/Exploit Available at Github
CVE-2026-20122 has a 3 public
PoC/Exploit available at Github.
Go to the Public Exploits tab to see the list.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2026-20122.
| URL | Resource |
|---|---|
| https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-authbp-qwCX8D4v | Vendor Advisory |
| https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-20122 | US Government Resource |
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2026-20122 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2026-20122
weaknesses.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
None
Go HTML JavaScript CSS TypeScript
None
Shell
None
Python
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2026-20122 vulnerability anywhere in the article.
-
The Register
More Cisco SD-WAN bugs battered in attacks
America's lead cyber-defense agency has warned that three Cisco Catalyst SD-WAN Manager bugs are under attack, and given federal agencies just four days to patch the security holes. The US Cybersecuri ... Read more
-
TheCyberThrone
CISA Adds Eight Actively Exploited Vulnerabilities to KEV Catalog
CISA expanded its Known Exploited Vulnerabilities (KEV) catalog on April 20, 2026, adding eight security flaws spanning enterprise print management, CI/CD platforms, CMS infrastructure, appliance mana ... Read more
-
CybersecurityNews
CISA Warns of Cisco Catalyst SD-WAN Manager Vulnerabilities Exploited in Attacks
CISA has added three critical Cisco Catalyst SD-WAN Manager vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies and organizations to act immediately. All thre ... Read more
-
Daily CyberSecurity
MOVEit WAF Critical Alert: Multi-Level RCE and WAF Bypass Vulnerabilities Disclosed
Progress Software has released a critical security bulletin for April 2026, revealing five high-impact vulnerabilities affecting MOVEit WAF and related Application Delivery Controller (ADC) products. ... Read more
-
Help Net Security
CISA flags another Cisco Catalyst SD-WAN Manager bug as exploited (CVE-2026-20133)
CISA added eight new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, including a Cisco Catalyst SD-WAN Manager vulnerability (CVE-2026-20133) that Cisco has yet to flag as exploi ... Read more
-
Daily CyberSecurity
Nexcorium Botnet Turns Unpatched DVRs into DDoS Foot Soldiers
Security researchers at FortiGuard Labs have uncovered a sophisticated campaign deploying Nexcorium, a multi-architecture Mirai variant that turns unpatched digital video recorders (DVRs) into foot so ... Read more
-
The Cyber Express
CISA Adds 8 Exploited Vulnerabilities Affecting Cisco, Zimbra, TeamCity
The Cybersecurity and Infrastructure Security Agency (CISA) have expanded its Known Exploited Vulnerabilities, commonly referred to as the KEV catalog, with eight newly identified security flaws that ... Read more
-
The Hacker News
CISA Adds 8 Exploited Flaws to KEV, Sets April-May 2026 Federal Deadlines
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added eight new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, including three flaws impacting Cisco C ... Read more
-
Daily CyberSecurity
CISA Warns of Active Exploitation in Cisco, PaperCut, and Zimbra
The Cybersecurity and Infrastructure Security Agency (CISA) has expanded its Known Exploited Vulnerabilities (KEV) Catalog, adding eight high-impact flaws. The update comes following confirmed evidenc ... Read more
-
Daily CyberSecurity
Progress Kemp LoadMaster Alert: Multiple RCE and WAF Bypass Flaws Patched
The Progress Kemp LoadMaster team has confirmed a significant security event involving five high-severity vulnerabilities affecting its application delivery controllers. These flaws, which impact both ... Read more
-
Daily CyberSecurity
ASUSTOR Issues Critical Patch: Command Injection Vulnerability Threatens ADM Users
ASUSTOR has issued an urgent security advisory regarding a high-severity command injection vulnerability impacting its ASUSTOR Data Master (ADM) operating system. Identified as CVE-2026-6644, this fla ... Read more
-
Daily CyberSecurity
ZionSiphon: The “Defanged” Malware Aiming for the Water Supply
A new and highly specialized malware threat has emerged in the industrial cybersecurity landscape, signaling a targeted effort to disrupt critical infrastructure. Security researchers from Darktrace r ... Read more
-
Daily CyberSecurity
Under Active Attack: Critical 9.1 CVSS FortiClient EMS Flaw Exploited in the Wild
Security teams are on high alert as Fortinet confirms that a critical vulnerability in its FortiClient EMS (Endpoint Management Server) is currently being leveraged by attackers in active campaigns. T ... Read more
-
Help Net Security
Week in review: Weaponized OAuth redirection logic delivers malware, Patch Tuesday forecast
Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: BlacksmithAI: Open-source AI-powered penetration testing framework BlacksmithAI is an open-source pene ... Read more
-
TheCyberThrone
Cisco Catalyst SD-WAN — Active Exploitation Alert
March 7, 2026What HappenedCisco released security patches on February 25 for five Catalyst SD-WAN vulnerabilities. On March 5, the company updated its advisory to warn that two of them — CVE-2026-2012 ... Read more
-
The Register
Cisco warns of two more SD-WAN bugs under active attack
Just when network admins thought the Cisco SD-WAN patch queue might finally be shrinking, Switchzilla has confirmed miscreants are exploiting more vulnerabilities in its SD-WAN management software. Th ... Read more
-
Help Net Security
March 2026 Patch Tuesday forecast: Is AI security an oxymoron?
Developers and analysts are using more AI tools to produce code and to test both the performance and security of the finished products. They are also embedding AI functionality in their products direc ... Read more
-
The Hacker News
Cisco Confirms Active Exploitation of Two Catalyst SD-WAN Manager Vulnerabilities
Cisco has disclosed that two more vulnerabilities affecting Catalyst SD-WAN Manager (formerly SD-WAN vManage) have come under active exploitation in the wild. The vulnerabilities in question are liste ... Read more
-
Help Net Security
Cisco warns of SD-WAN Manager exploitation, fixes 48 firewall vulnerabilities
Cisco has confirmed that two Catalyst SD-WAN Manager vulnerabilities (CVE-2026-20128 and CVE-2026-20122) patched in late February 2025 are being exploited by attackers. The exploited vulnerabilities ( ... Read more
-
security.nl
Cisco meldt ook misbruik van andere Catalyst SD-WAN-kwetsbaarheden
Twee kritieke kwetsbaarheden in Cisco Catalyst SD-WAN Manager worden actief misbruikt bij aanvallen, zo waarschuwt Cisco. Updates voor de problemen zijn sinds 25 februari beschikbaar. De Cisco Catalys ... Read more
The following table lists the changes that have been made to the
CVE-2026-20122 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
Modified Analysis by [email protected]
Apr. 21, 2026
Action Type Old Value New Value Changed CPE Configuration OR *cpe:2.3:a:cisco:catalyst_sd-wan_manager:*:*:*:*:*:*:*:* versions up to (excluding) 20.9.8.2 *cpe:2.3:a:cisco:catalyst_sd-wan_manager:*:*:*:*:*:*:*:* versions from (including) 20.11 up to (excluding) 20.12.5.3 *cpe:2.3:a:cisco:catalyst_sd-wan_manager:*:*:*:*:*:*:*:* versions from (including) 20.13 up to (excluding) 20.15.4.2 *cpe:2.3:a:cisco:catalyst_sd-wan_manager:*:*:*:*:*:*:*:* versions from (including) 20.16 up to (excluding) 20.18.2.1 *cpe:2.3:a:cisco:catalyst_sd-wan_manager:20.12.6:*:*:*:*:*:*:* OR *cpe:2.3:a:cisco:catalyst_sd-wan_manager:*:*:*:*:*:*:*:* versions up to (excluding) 20.9.8.2 *cpe:2.3:a:cisco:catalyst_sd-wan_manager:*:*:*:*:*:*:*:* versions from (including) 20.13 up to (excluding) 20.15.4.2 *cpe:2.3:a:cisco:catalyst_sd-wan_manager:*:*:*:*:*:*:*:* versions from (including) 20.16 up to (excluding) 20.18.2.1 *cpe:2.3:a:cisco:catalyst_sd-wan_manager:20.12.6:*:*:*:*:*:*:* *cpe:2.3:a:cisco:catalyst_sd-wan_manager:*:*:*:*:*:*:*:* versions from (including) 20.10 up to (excluding) 20.12.5.3 Added Reference Type CISA-ADP: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-20122 Types: US Government Resource -
CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0
Apr. 20, 2026
Action Type Old Value New Value Added Reference https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-20122 -
Initial Analysis by [email protected]
Mar. 04, 2026
Action Type Old Value New Value Added CVSS V3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N Added CPE Configuration OR *cpe:2.3:a:cisco:catalyst_sd-wan_manager:*:*:*:*:*:*:*:* versions up to (excluding) 20.9.8.2 *cpe:2.3:a:cisco:catalyst_sd-wan_manager:*:*:*:*:*:*:*:* versions from (including) 20.11 up to (excluding) 20.12.5.3 *cpe:2.3:a:cisco:catalyst_sd-wan_manager:*:*:*:*:*:*:*:* versions from (including) 20.13 up to (excluding) 20.15.4.2 *cpe:2.3:a:cisco:catalyst_sd-wan_manager:*:*:*:*:*:*:*:* versions from (including) 20.16 up to (excluding) 20.18.2.1 *cpe:2.3:a:cisco:catalyst_sd-wan_manager:20.12.6:*:*:*:*:*:*:* Added Reference Type Cisco Systems, Inc.: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-authbp-qwCX8D4v Types: Vendor Advisory -
New CVE Received by [email protected]
Feb. 25, 2026
Action Type Old Value New Value Added Description A vulnerability in the API of Cisco Catalyst SD-WAN Manager could allow an authenticated, remote attacker to overwrite arbitrary files on the local file system. To exploit this vulnerability, the attacker must have valid read-only credentials with API access on the affected system. This vulnerability is due to improper file handling on the API interface of an affected system. An attacker could exploit this vulnerability by uploading a malicious file on the local file system. A successful exploit could allow the attacker to overwrite arbitrary files on the affected system and gain vmanage user privileges. Added CVSS V3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N Added CWE CWE-648 Added Reference https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-authbp-qwCX8D4v