CVE-2026-20122

Feb. 25, 2026, 5:25 p.m.

5.4
Medium

Description

A vulnerability in the API of Cisco Catalyst SD-WAN Manager could allow an authenticated, remote attacker to overwrite arbitrary files on the local file system. To exploit this vulnerability, the attacker must have valid read-only credentials with API access on the affected system. This vulnerability is due to improper file handling on the API interface of an affected system. An attacker could exploit this vulnerability by uploading a malicious file on the local file system. A successful exploit could allow the attacker to overwrite arbitrary files on the affected system and gain vmanage user privileges.

Product(s) Impacted

Vendor Product Versions
Cisco
  • Catalyst Sd-wan Manager
  • *

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-648
Incorrect Use of Privileged APIs
The product does not conform to the API requirements for a function call that requires extra privileges. This could allow attackers to gain privileges by causing the function to be called incorrectly.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a cisco catalyst_sd-wan_manager / / / / / / / /

References

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-authbp-qwCX8D4v

Tags

CWE-648
[email protected]
2026-02-25
CVE-2026-20122

CVSS Score

5.4 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: LOW
  • Scope: UNCHANGED
  • Confidentiality Impact: LOW
  • Integrity Impact: LOW
  • Availability Impact: NONE

    • CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

    View Vector String

Timeline

Published: Feb. 25, 2026, 5:25 p.m.
Last Modified: Feb. 25, 2026, 5:25 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

Linked Attack Reports

Ongoing exploitation of Cisco Catalyst SD-WAN vulnerabilities

Cisco Talos tracks active exploitation of CVE-2026-20182, an authentication bypass vulnerability in Cisco Catalyst SD-WAN Controller and Manager, allowing remote attackers to obtain administrative privileges. The exploitation is attributed to UAT-8616, a sophisticated threat actor previously involv…
xmrig
credential theft
sliver
godzilla
behinder
webshells
gsocket
cryptocurrency mining
authentication bypass
cisco
adaptixc2
CVE-2026-20122
CVE-2026-20127
CVE-2026-20128
CVE-2026-20133
2026-05-14
CVE-2026-20182
kscan
nimplant
sd-wan
xenshell
Published: May 14, 2026
Linked vulnerabilities : CVE-2025-20333 (CVSS 9.9), CVE-2025-20362 (CVSS 6.5), CVE-2026-20122 (CVSS 5.4), CVE-2026-20127 (CVSS 10.0), CVE-2026-20128 (CVSS 7.5), CVE-2026-20133 (CVSS 6.5), CVE-2026-20182 (CVSS 10.0)
Downloadable IOCs: 24

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.