External risk intelligence
Cisco Catalyst SD-WAN Manager could allow authenticated attackers to gain elevated system access.
Cisco Catalyst SD-WAN Manager could allow external attackers with compromised read-only credentials to gain administrative privileges, potentially granting full control over the SD-WAN infrastructure. This flaw is being actively exploited, posing a critical risk to internet-exposed management consoles.
CVE-2026-20122
Exposure facts
H – Horizon Alert
A security vulnerability in Cisco Catalyst SD-WAN Manager involves improper file handling within the system's API. This flaw could allow an attacker who already holds valid, read-only credentials to overwrite arbitrary files on the local system. Ultimately, this presents a risk that the attacker gains elevated vmanage user privileges, potentially compromising the integrity of the management platform.
A – Asset Exposure
This vulnerability impacts the Cisco Catalyst SD-WAN Manager, a management platform that typically resides within network infrastructure. Exploitation requires an attacker to already possess valid, read-only credentials with API access, limiting the primary risk to compromised internal accounts. If exploited, the issue allows arbitrary files to be overwritten, which could result in privilege escalation to admin-level access. This could potentially disrupt operational systems or compromise the integrity of the management environment.
L – Live Threat
There is documented evidence of active exploitation, as this issue has been officially added to the CISA Known Exploited Vulnerabilities catalog. An attacker with valid read-only credentials could leverage this flaw to overwrite arbitrary system files and gain unauthorized elevated privileges. Because this threat is actively tracked and observed, it presents a verified security risk to environments utilizing this software.
O – Operational Fix
Please prioritize immediate compliance with CISA Emergency Directive 26-03 and the associated Hunt & Hardening Guidance for Cisco SD-WAN devices. We recommend that your operations teams assess current deployments and implement the specific security controls required by CISA. Please consult vendor-provided resources to determine if an update or mitigation is available for your environment. If effective mitigations cannot be implemented, please evaluate the guidance for cloud services or determine if discontinuing the use of this product is required to maintain your security posture.