Cyber Posture

CVE-2026-20122

Medium · CISA KEV · Active Exploitation · Updated

Published: 25 February 2026

Modified: 21 April 2026
KEV Added
Patch
CVSS Score: 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N)
EPSS Score: 0.0149 (81.3th percentile)
Risk Priority: 32 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-20122 is a medium-severity Incorrect Use of Privileged APIs (CWE-648) vulnerability in Cisco Catalyst SD-WAN Manager. Its CVSS base score is 5.4 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks in the top 18.7% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068).
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) · AI

prevent

Validates API inputs to prevent malicious file uploads that exploit improper file handling in Cisco Catalyst SD-WAN Manager.

prevent

Enforces approved access authorizations to block read-only credential holders from overwriting arbitrary files on the local file system.

prevent

Implements least privilege to ensure read-only API access lacks permissions for file modification and privilege escalation.

MITRE ATT&CK Enterprise Techniques · AI

T1068 Exploitation for Privilege Escalation (Tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

The vulnerability allows authenticated remote attackers to overwrite arbitrary files via the API, enabling privilege escalation to vmanage user privileges, directly mapping to Exploitation for Privilege Escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

A vulnerability in the API of Cisco Catalyst SD-WAN Manager could allow an authenticated, remote attacker to overwrite arbitrary files on the local file system. To exploit this vulnerability, the attacker must have valid read-only credentials with API access on the affected system. This vulnerability is due to improper file handling on the API interface of an affected system. An attacker could exploit this vulnerability by uploading a malicious file on the local file system. A successful exploit could allow the attacker to overwrite arbitrary files on the affected system and gain vmanage user privileges.

Deeper analysis · AI

CVE-2026-20122 is a vulnerability in the API of Cisco Catalyst SD-WAN Manager that stems from improper file handling on the API interface. An authenticated, remote attacker with valid read-only credentials and API access could exploit this issue to overwrite arbitrary files on the local file system of the affected system.

To exploit the vulnerability, an attacker must possess valid read-only credentials granting API access to the Cisco Catalyst SD-WAN Manager. By uploading a malicious file via the API, the attacker can overwrite arbitrary files, potentially gaining vmanage user privileges. The CVSS v3.1 base score is 5.4 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N), associated with CWE-648.

Mitigation details are available in the Cisco Security Advisory at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-authbp-qwCX8D4v. The vulnerability is also listed in the CISA Known Exploited Vulnerabilities Catalog at https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-20122.

Details

CWE(s)
KEV Date Added: See CISA KEV catalog

Affected Products

cisco
catalyst sd-wan manager
20.12.6 · ≤ 20.9.8.2 · 20.10 — 20.12.5.3 · 20.13 — 20.15.4.2

CVEs Like This One

CVE-2026-20126 · Same product: Cisco Catalyst SD-WAN Manager
CVE-2026-20133 · Same product: Cisco Catalyst SD-WAN Manager · both on KEV
CVE-2026-20128 · Same product: Cisco Catalyst SD-WAN Manager · both on KEV
CVE-2026-20182 · Same product: Cisco Catalyst SD-WAN Manager · both on KEV
CVE-2026-20129 · Same product: Cisco Catalyst SD-WAN Manager
CVE-2026-20127 · Same product: Cisco Catalyst SD-WAN Manager · both on KEV
CVE-2025-20333 · Same vendor: Cisco · both on KEV
CVE-2025-20352 · Same vendor: Cisco · both on KEV
CVE-2025-20362 · Same vendor: Cisco · both on KEV
CVE-2026-20131 · Same vendor: Cisco · both on KEV

References