Medium (5.4) Actively Exploited

Cisco Catalyst SD-WAN Manager file overwrite exploited in the wild (CVE-2026-20122)

CVE-2026-20122

CVE-2026-20122 lets attackers with read-only credentials overwrite files and escalate to root on Cisco Catalyst SD-WAN Manager. Update to fixed software now.

Affected: Cisco Catalyst SD-WAN Manager

Actively exploited in the wild: CVE-2026-20122 is a medium-severity file-overwrite vulnerability in Cisco Catalyst SD-WAN Manager that lets an attacker with read-only API access escalate privileges to the vmanage user. Patches are available from Cisco; no workarounds exist.

Overview

A security vulnerability in the API of Cisco Catalyst SD-WAN Manager (formerly vManage) allows an attacker with valid read-only credentials to overwrite files on the system. This flaw is being actively exploited in attacks, according to CISA.

Vulnerability Details

The vulnerability, tracked as CVE-2026-20122, stems from improper file handling in the API. An authenticated attacker with read-only API access can upload a malicious file to the local file system. A successful exploit allows the attacker to overwrite arbitrary files, which can be leveraged to escalate privileges to those of the vmanage user on the affected appliance. The CVSS v3.1 base score is 5.4 (Medium).

Impact and Exploitation

While exploitation requires an attacker to first obtain valid read-only credentials, this vulnerability provides a clear path from a low-privilege account to full system compromise. The ability to overwrite critical system files can lead to persistent backdoors, service disruption, or further lateral movement within a software-defined wide area network (SD-WAN) environment. This vulnerability is confirmed to be actively exploited in the wild.

Affected Products and Remediation

This vulnerability affects Cisco Catalyst SD-WAN Manager. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

Immediate Action Required:

  • Identify all instances of Cisco Catalyst SD-WAN Manager in your environment.
  • Upgrade to a fixed software release as specified in the Cisco Security Advisory.
  • Review and audit accounts with API access, ensuring the principle of least privilege is enforced and that read-only credentials are not unnecessarily widespread.

Security Insight

This vulnerability highlights a recurring pattern in network management software where API endpoints designed for benign operations, like file uploads, lack sufficient validation and isolation. Similar to past incidents like the Interlock ransomware exploiting a Cisco FMC zero-day, it demonstrates how attackers are targeting management planes to gain deep footholds in critical infrastructure. The inclusion in CISA’s Known Exploited Vulnerabilities catalog, despite a medium CVSS score and low EPSS probability, underscores that real-world attacker behavior often prioritizes reliable, authenticated paths to privilege escalation over noisier, unauthenticated exploits.
