TP-EXP-2026-0013 CVE-2026-20122 medium Patched AI Draft

Cisco Catalyst SD-WAN Manager Arbitrary File Overwrite via Privileged API (CVE-2026-20122)

CVE: CVE-2026-20122
Platform: Cisco Catalyst SD-WAN Manager < 20.15.4.2
Type: Arbitrary File Overwrite
Severity: MEDIUM
Status: Patched
Zero-Day: No
Disclosed: April 20, 2026
Days in the Wild: 0
CISA KEV: Listed

Severity Assessment

  • Exploitability: 6/10 — Requires valid read-only API credentials; credential theft from monitoring integrations or ITSM tooling is a realistic initial vector
  • Impact: 7/10 — Arbitrary file overwrite on the SD-WAN management plane enables route manipulation and privilege escalation across the entire managed network
  • Weaponization Risk: 8/10 — Active exploitation confirmed by Cisco PSIRT; chained with CVE-2026-20128 and CVE-2026-20133 in multi-stage attack sequences observed in the wild
  • Patch Urgency: 10/10 — CISA KEV-listed with an elapsed federal remediation deadline (2026-04-23); CISA issued a Supplemental Emergency Directive for Cisco SD-WAN systems
  • Detection Coverage: 5/10 — API-level file upload activity is difficult to distinguish from legitimate management operations without purpose-built logging and behavioral baselines

Summary

CVE-2026-20122 is an arbitrary file overwrite vulnerability in the API of Cisco Catalyst SD-WAN Manager (formerly vManage), the centralized management platform for Cisco SD-WAN deployments. The flaw stems from incorrect use of privileged file-handling APIs (CWE-648): the API endpoint processes file upload operations with elevated system privileges without enforcing access boundaries relative to the caller’s credential tier.

An authenticated remote attacker with valid read-only API credentials can upload a crafted file through the vulnerable endpoint, causing the server to write that file to an attacker-controlled path on the local file system. A successful exploit allows the attacker to overwrite arbitrary files on the Cisco Catalyst SD-WAN Manager host and subsequently gain vManage user privileges — an escalation from read-only access.

The vulnerability carries a CVSS 3.1 base score of 5.4 (Medium) with the vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N. While the base score is classified Medium, the operational risk is higher: SD-WAN Manager controls the network fabric for potentially thousands of branch sites, meaning an attacker who compromises it can manipulate routing, intercept traffic, and stage lateral movement across the entire SD-WAN overlay.

Cisco PSIRT confirmed active exploitation in March 2026. watchTowr observed attack attempts from numerous unique IP addresses with threat actors deploying web shells. The largest exploitation spike occurred on 2026-03-04, with activity spread globally and slightly elevated concentration in US-based infrastructure. CISA added CVE-2026-20122 to the Known Exploited Vulnerabilities catalog on 2026-04-20 and issued Supplemental Direction under Emergency Directive 26-03 with a remediation deadline of 2026-04-23.

Authentication requirement: The attacker must hold valid SD-WAN Manager credentials with read-only API access. Read-only accounts are commonly provisioned for monitoring integrations, ITSM tools, and third-party analytics platforms, broadening the pool of credentials a threat actor could target. There are no workarounds; Cisco recommends immediate patching to the following fixed releases: 20.9.x → 20.9.8.2; 20.12.x → 20.12.5.3 or 20.12.6.1; 20.13–20.15 → 20.15.4.2; 20.16/20.18 → 20.18.2.1; versions prior to 20.9 should migrate to a fixed release.

Exploitation was confirmed after Cisco released patches. The entry is catalogued here because it is CISA KEV-listed and operationally critical as an actively exploited network infrastructure threat.

Exploit Chain

The following attack sequence reflects the multi-CVE chaining observed in wild exploitation as reported by Cisco PSIRT and watchTowr.

Stage 1: Credential Acquisition

The attacker obtains read-only API credentials for the target Cisco Catalyst SD-WAN Manager instance. Observed or inferred vectors include phishing campaigns targeting network operations personnel, credential harvesting from management workstations, exploitation of CVE-2026-20133 (information disclosure) to extract credentials from unauthenticated API responses, and credential stuffing against exposed management interfaces.

Stage 2: API Reconnaissance

Using read-only credentials, the attacker queries the SD-WAN Manager API to enumerate the managed SD-WAN topology: branch site inventory, device types, firmware versions, and network segmentation. This reconnaissance is structurally identical to legitimate API polling by authorized monitoring tools and generates low-noise telemetry.

Stage 3: Arbitrary File Overwrite via Vulnerable API Endpoint

The attacker crafts a multipart file upload request to the vulnerable API endpoint, specifying an attacker-controlled destination path. The SD-WAN Manager processes the request using its privileged file-handling API without enforcing a path restriction tied to the caller’s read-only role, writing the attacker’s payload to the specified path. Target paths in confirmed incidents included configuration files parsed at service startup, authentication credential stores, and scheduled task scripts.

Stage 4: Privilege Escalation to vManage

By overwriting a file subsequently parsed or executed with vManage-level privileges, the attacker escalates from read-only API access to vManage user access on the SD-WAN Manager host. In observed attack chains, this step was combined with CVE-2026-20128 (passwords stored in recoverable format) to additionally extract Data Collection Agent (DCA) credentials.

Stage 5: Persistent Foothold and Network-Wide Impact

With vManage access, the attacker deploys web shells on the SD-WAN Manager host for persistent command execution — confirmed in watchTowr telemetry. From the SD-WAN Manager control plane, the attacker can push malicious device configurations to managed SD-WAN nodes across all managed sites, reroute traffic through attacker-controlled egress, intercept branch-to-branch communications, and stage further lateral movement into branch networks.

Detection Guidance

Network and API monitoring:

  • Alert on API file upload requests from read-only credential sessions; legitimate read-only integrations do not perform file uploads
  • Monitor SD-WAN Manager API access logs for elevated request rates from a single source IP or credential, particularly during off-hours
  • Flag API requests containing path-traversal sequences (../, %2e%2e%2f) in upload destination parameters
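The three API-monitoring rules above, applied to audit events as an added example (not Cisco's code or its real audit schema). The JSON-lines layout, field names, endpoint path and file names are constructed assumptions; only /etc/vmanage/ and /opt/web/ come from the guidance itself.

```python
"""Match SD-WAN Manager API audit events against the API-monitoring rules above.

Assumption: the JSON-lines schema (ts, user, role, method, path, content_type,
params, src_ip) is a constructed stand-in for whatever your log pipeline
exports; Cisco's real audit format is not reproduced here.
"""
import json
from urllib.parse import unquote

# Constructed sample telemetry, not real incident data. The endpoint path and
# file names are hypothetical; /etc/vmanage/ and /opt/web/ are from the guidance.
SAMPLE_AUDIT_LOG = """\
{"ts":"2026-03-04T02:11:07Z","user":"netmon-svc","role":"read-only","method":"GET","path":"/api/device","content_type":"","params":{},"src_ip":"10.20.0.5"}
{"ts":"2026-03-04T02:11:09Z","user":"netmon-svc","role":"read-only","method":"POST","path":"/api/upload","content_type":"multipart/form-data","params":{"dest":"%252e%252e%252fetc/vmanage/startup.conf"},"src_ip":"203.0.113.7"}
{"ts":"2026-03-04T02:12:40Z","user":"netadmin","role":"admin","method":"POST","path":"/api/upload","content_type":"multipart/form-data","params":{"dest":"images/software.tar.gz"},"src_ip":"10.20.0.9"}
{"ts":"2026-03-04T02:13:01Z","user":"netmon-svc","role":"read-only","method":"POST","path":"/api/upload","content_type":"multipart/form-data","params":{"dest":"../../opt/web/cmd.jsp"},"src_ip":"203.0.113.7"}
"""


def normalize_path(raw: str) -> str:
    """Percent-decode until stable so %2e%2e%2f and double-encoded forms read as ../."""
    prev = None
    while prev != raw:
        prev, raw = raw, unquote(raw)
    return raw.replace("\\", "/")


def classify(event: dict) -> list[str]:
    """Return the names of the rules an audit event trips (empty list means benign)."""
    hits = []
    is_upload = (event["method"] in {"POST", "PUT"}
                 and event.get("content_type", "").startswith("multipart/"))
    # Rule 1: read-only credentials have no legitimate reason to upload files.
    if is_upload and event["role"] == "read-only":
        hits.append("read-only-upload")
    # Rule 2: traversal sequences in any upload destination parameter, after decoding.
    if is_upload and any("../" in normalize_path(v) for v in event["params"].values()):
        hits.append("path-traversal")
    return hits


def scan(log_text: str) -> list[tuple[str, str, list[str]]]:
    """Scan JSON-lines audit text; return (timestamp, user, rules) per alerting event."""
    findings = []
    for line in log_text.splitlines():
        if line.strip():
            ev = json.loads(line)
            if hits := classify(ev):
                findings.append((ev["ts"], ev["user"], hits))
    return findings


if __name__ == "__main__":
    for ts, user, rules in scan(SAMPLE_AUDIT_LOG):
        print(f"{ts} {user}: {', '.join(rules)}")
```

The admin upload to a software image path produces no finding, which is the point of keying the rules to role and destination rather than to upload activity alone.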

Host-based detection:

  • Audit file system changes on the SD-WAN Manager host in /opt/web/, /etc/vmanage/, and directories containing configuration or credential files
  • Monitor for new files with web-accessible extensions (.jsp, .war, .php, .py, .sh) written outside expected deployment directories — indicative of web shell staging
  • Review SD-WAN Manager service logs (/var/log/nms/) for unexpected errors or restarts following file overwrites targeting startup configurations

Authentication anomalies:

  • Alert on privilege changes for existing SD-WAN Manager accounts, particularly read-only accounts gaining elevated access
  • Review audit logs for operations inconsistent with assigned roles, such as device configuration pushes from read-only sessions

Network egress from the management host:

  • Monitor outbound connections from the SD-WAN Manager host against approved allowlists; web-shell-associated C2 beaconing was observed in confirmed compromises
  • Alert on DNS lookups or outbound HTTPS from the management segment to ranges not associated with Cisco update infrastructure

Indicators of Compromise

The following indicators are derived from watchTowr incident response telemetry and Cisco PSIRT advisories published in March 2026. Organizations with internet-exposed SD-WAN Manager instances should treat those systems as potentially compromised until forensic review is complete.

  • Unexpected files with .jsp, .war, .py, or .sh extensions in web-accessible directories of the SD-WAN Manager host
  • New or modified system account entries not provisioned by the organization
  • SD-WAN Manager API audit logs showing multipart upload requests from read-only credential sessions to non-standard destination paths
  • Outbound connections from the SD-WAN Manager host to IP ranges not matching Cisco update servers or organizational network policy
  • SD-WAN device configuration changes not recorded in the organization’s change management system, particularly route policy or interface modifications across managed branch nodes

Disclosure Timeline

Date | Event
February 2026 (approx.) | Cisco releases patches for CVE-2026-20122 and related SD-WAN Manager vulnerabilities as part of advisory cisco-sa-sdwan-authbp
2026-03-04 | Largest observed spike in active exploitation; watchTowr records attack attempts from numerous unique global IP addresses
2026-03-05 | Cisco PSIRT updates the security advisory to explicitly confirm active exploitation of CVE-2026-20122 and CVE-2026-20128 in the wild
2026-03-06 | The Hacker News and other media report on Cisco’s exploitation confirmation; watchTowr notes web shell deployments on compromised instances
2026-04-20 | CISA adds CVE-2026-20122 to the Known Exploited Vulnerabilities catalog; CISA issues Supplemental Direction under Emergency Directive 26-03
2026-04-23 | CISA federal agency remediation deadline (elapsed)
2026-04-24 | Threatpedia entry published

Sources & References