A medium-severity vulnerability in Cisco Catalyst SD-WAN Manager, tracked as CVE-2026-20122, is currently being exploited in the wild. This flaw, which was disclosed on February 25, 2026, allows authenticated remote attackers to overwrite arbitrary files on the local file system. The vulnerability, identified as CWE-648, requires attackers to possess valid read-only credentials with API access to the affected system.
Despite its medium CVSS score of 5.4, the vulnerability's presence on CISA's Known Exploited Vulnerabilities (KEV) catalog since April 20, 2026, underscores its active exploitation. The Exploit Prediction Scoring System (EPSS) for this vulnerability is relatively low at 0.011, yet attackers have been quick to leverage it, with exploitation occurring within just over seven days of its disclosure.
The vulnerability affects Cisco Catalyst SD-WAN Manager, a critical component for managing wide-area networks, making it a significant target for attackers aiming to disrupt network operations or gain unauthorized access to sensitive data. The exploitation of this flaw highlights the importance of securing API endpoints and ensuring that even users with limited access cannot perform unauthorized actions.
Cisco has not yet released a patch for this vulnerability, leaving systems potentially exposed. Organizations using Cisco Catalyst SD-WAN Manager should immediately review their access controls and monitor for any unusual activity that might indicate exploitation attempts. Until a patch is available, restricting API access to trusted users and networks can help mitigate the risk of exploitation.
CSURFACE