CVE-2026-20126
Published: 25 February 2026
Summary
CVE-2026-20126 is a high-severity Incorrect Use of Privileged APIs (CWE-648) vulnerability in Cisco Catalyst SD-WAN Manager. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 3.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) (AI)
Directly addresses the insufficient user authentication mechanism in the REST API exploited for privilege escalation.
Enforces least privilege to prevent low-privilege authenticated attackers from escalating to root access on the underlying OS.
Requires enforcement of approved authorizations, countering the REST API's failure to properly restrict access based on user privileges.
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
Direct privilege escalation from low-privilege authenticated REST API access to root on the underlying OS.
NVD Description
A vulnerability in Cisco Catalyst SD-WAN Manager could allow an authenticated, local attacker with low privileges to gain root privileges on the underlying operating system. This vulnerability is due to an insufficient user authentication mechanism in the REST API. An attacker could exploit this vulnerability by sending a request to the REST API of the affected system. A successful exploit could allow the attacker to gain root privileges on the underlying operating system.
Deeper analysis (AI)
CVE-2026-20126 is a privilege escalation vulnerability in Cisco Catalyst SD-WAN Manager, stemming from an insufficient user authentication mechanism in the REST API. This flaw affects the software's underlying operating system, enabling an authenticated attacker with low privileges to elevate access. The vulnerability has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-648 (Incorrect Use of Privileged APIs).
An authenticated, local attacker with low privileges can exploit this vulnerability by sending a crafted request to the REST API of the affected system. Successful exploitation allows the attacker to gain root privileges on the underlying operating system, potentially leading to full compromise of the SD-WAN Manager instance.
For mitigation details, refer to the Cisco Security Advisory at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-authbp-qwCX8D4v, which was published on 2026-02-25.
Details
- CWE(s)