CVE-2022-20775

Cisco SD-WAN CLI — Relative Path Traversal to Root, Re-Weaponised by UAT-8616 via Deliberate Firmware Downgrade in 2026 Campaign
CVSS 3.1: 7.8 / 10 (HIGH). Listed in the CISA Known Exploited Vulnerabilities catalog.

What is Cisco SD-WAN Software?

Cisco SD-WAN Software is the operating system running on Cisco Catalyst SD-WAN controllers (vSmart), managers (vManage), orchestrators (vBond), and edge devices. It provides a CLI for administration and diagnostic operations. This CLI exposes commands that the SD-WAN software uses internally to manage device operation — and CVE-2022-20775 demonstrates that certain commands within that CLI do not adequately enforce the privilege boundary between a low-privileged authenticated user and the root user.

CVE-2022-20775 was originally disclosed in September 2022 and fixed with a patch. It reached the CISA Known Exploited Vulnerabilities catalog in February 2026 — three and a half years later — because it was actively re-weaponised by threat actor UAT-8616 as the root escalation step in a sophisticated firmware downgrade attack chain exploiting CVE-2026-20127.

Overview

Actively Exploited — Re-Weaponised in 2026 Campaign. CVE-2022-20775 was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on February 25, 2026 — simultaneously with CVE-2026-20127 — because it was exploited as the root escalation step in a sophisticated multi-year SD-WAN attack campaign attributed to UAT-8616. The attacker deliberately downgraded patched systems to a vulnerable firmware version, exploited this CVE to escalate to root, then restored the original firmware to conceal the attack. Patching is the only mitigation.

CVE-2022-20775 is a path traversal privilege escalation vulnerability in the CLI of Cisco SD-WAN Software. Due to improper access controls on commands within the application CLI, an authenticated local attacker can craft a command using relative path traversal sequences that bypasses the privilege enforcement and executes arbitrary commands as the root user.

Affected Versions

Status       Cisco SD-WAN Software Release   First Fixed Release
Vulnerable   18.4 and earlier                Migrate to a fixed release
Vulnerable   19.2                            Migrate to a fixed release
Vulnerable   20.3                            Migrate to a fixed release
Vulnerable   20.6 prior to 20.6.3            20.6.3
Vulnerable   20.7 prior to 20.7.2            20.7.2
Vulnerable   20.8 prior to 20.8.1            20.8.1
Vulnerable   20.9+                           Apply 2026 patch bundle: 20.9.8.2, 20.12.5.3, 20.15.4.2, or 20.18.2.1
Note: Cisco SD-WAN Software running the 2026 fixed release train (20.9.8.2 and later) addresses both CVE-2022-20775 and CVE-2026-20127 simultaneously.

There are no workarounds — patching is the only mitigation.

Technical Details

The vulnerability is in the Cisco SD-WAN CLI — the command-line interface available to authenticated users on SD-WAN software devices (vSmart, vManage, vBond, and edge devices). The CLI enforces a privilege boundary intended to restrict certain sensitive operations to the root user. CVE-2022-20775 demonstrates that this enforcement is bypassable: commands accept path-like inputs containing relative path traversal sequences (../../, or newline-combined path segments like /\n&../\n&../) that the access control logic fails to normalise before applying privilege checks.

By crafting CLI commands with these traversal sequences, an authenticated attacker with low-privilege CLI access can cause the command execution context to resolve to root-owned paths and execute arbitrary commands with root privileges. The vulnerability was disclosed alongside CVE-2022-20818 (CWE-282 — Improper Ownership Management) in the same Cisco advisory, which covers a related but distinct privilege enforcement issue in the same CLI.
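The following is an added, generic illustration of the flaw class described above (CWE-25, a privilege check applied before the path is canonicalised), placed side by side with a hardened check. It is not Cisco's code and makes no claim about how the SD-WAN CLI is implemented; the directory name, the sample paths and the helper names are invented for the demonstration.

```python
"""Generic CWE-25 illustration: string-prefix privilege check vs. canonicalise-then-check.

Added example, not Cisco's code. USER_ALLOWED_ROOT, the sample paths and the
function names are constructed for this demo.
"""
import posixpath

# Constructed for this example: only paths under this prefix are meant to be
# reachable by a low-privilege CLI user.
USER_ALLOWED_ROOT = "/var/cli/user"


def vulnerable_is_allowed(path: str) -> bool:
    """Check on the raw string. A prefix test passes any path that merely
    *starts* with the allowed root, even when later '..' segments climb out
    of it, and it also passes sibling names that share the prefix."""
    return path.startswith(USER_ALLOWED_ROOT)


def hardened_is_allowed(path: str) -> bool:
    """Reject control characters, canonicalise, then compare the resolved
    path against the allowed root as a directory boundary."""
    # Newlines, NULs and other control bytes have no place in a path; this
    # is the separator-splitting trick the advisory text refers to.
    if any(ord(c) < 0x20 or c == "\x7f" for c in path):
        return False
    # Canonicalise first: collapse '.', '..' and duplicate slashes.
    resolved = posixpath.normpath(path)
    if not resolved.startswith("/"):
        return False
    # Boundary check as a directory, not a plain string prefix.
    return resolved == USER_ALLOWED_ROOT or resolved.startswith(USER_ALLOWED_ROOT + "/")


def compare(path: str) -> dict:
    """Return both verdicts for one candidate path, for side-by-side review."""
    return {
        "path": path,
        "vulnerable_check": vulnerable_is_allowed(path),
        "hardened_check": hardened_is_allowed(path),
    }


# Constructed sample inputs: a benign path, a relative-traversal path, a path
# carrying a newline inside a segment, and a sibling directory sharing the prefix.
SAMPLES = [
    "/var/cli/user/logs/show.txt",
    "/var/cli/user/../../../root/file",
    "/var/cli/user/\n../../root/file",
    "/var/cli/userX/secret",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(compare(sample))
```

The hardened version differs in three ways that matter here: it refuses control characters outright instead of trying to interpret them, it normalises before deciding, and it treats the allowed root as a directory boundary rather than a string prefix.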

Attack characteristics:

  • Authentication required: Yes — low-privilege authenticated access to the device CLI
  • Attack vector: Local — direct CLI access to the device (SSH session or console)
  • Attack complexity: Low once CLI access is established
  • Scope: Unchanged — execution reaches root on the same device

How UAT-8616 Re-Weaponised a Patched Vulnerability

The operational sophistication of the UAT-8616 campaign lies in how it used CVE-2022-20775 despite the patch having been available since 2022. The attack chain, as documented by Cisco Talos and detailed in the ACSC threat hunt guide, runs as follows:

  1. Gain fabric access via CVE-2026-20127 — authenticate to the SD-WAN controller as vmanage-admin using the peering authentication bypass
  2. Invoke the built-in Cisco SD-WAN software update mechanism to deliberately downgrade the controller to a software version prior to the CVE-2022-20775 fix (20.6.3 / 20.7.2 / 20.8.1 or earlier)
  3. Exploit CVE-2022-20775 via the CLI on the now-vulnerable controller to execute arbitrary commands as root
  4. Restore the original software version using the same update mechanism — leaving the controller running the expected version as if nothing occurred
  5. Establish persistence under root: add SSH authorised keys, create local accounts, modify startup scripts
  6. Destroy forensic evidence: purge auth.log, clear command history

The firmware restore step is the critical anti-forensic element. A defender checking the current software version after the attack will observe the expected version. The only evidence of the downgrade is the version transition log — which UAT-8616 also attempted to clear. Detection requires looking for specific event messages in SD-WAN logs during the downgrade window, even when the current version appears correct.

Detection signatures for the downgrade event (SD-WAN system logs):

  • "Software upgrade not confirmed"
  • "revert to previous software version"
  • "Waiting for upgrade confirmation from user"

CLI path traversal indicators:

  • Log entries containing /../../ or /\n&../\n&../ in CLI command records
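As an added hunting example (not from Cisco, CISA or the ACSC guide), the script below runs the three downgrade signatures and the traversal indicators above over constructed log lines, and additionally flags any version transition that goes backwards, which is the signal a defender needs when the device currently reports the expected version. The log line layout and the "software version changed from X to Y" message are invented for the demo; only the three quoted downgrade messages and the traversal patterns come from the text above.

```python
"""Hunt for downgrade signatures, traversal indicators and backward version
transitions in SD-WAN-style log lines.

Added example. The log layout "<timestamp> <source>: <message>" and the
"software version changed from ... to ..." line are constructed for this demo;
the DOWNGRADE_MESSAGES strings and traversal patterns are the ones given above.
"""
import re
from dataclasses import dataclass, field

DOWNGRADE_MESSAGES = (
    "Software upgrade not confirmed",
    "revert to previous software version",
    "Waiting for upgrade confirmation from user",
)

# Literal "/../../", or the newline-joined form "/\n&../\n&../" either with a
# real newline or with the escaped two-character "\n" as a log collector stores it.
TRAVERSAL_RE = re.compile(r"/\.\./\.\./|/(?:\n|\\n)&\.\./(?:\n|\\n)&\.\./")

# Constructed message format for version transitions.
VERSION_RE = re.compile(r"software version changed from (\S+) to (\S+)")


def parse_version(version: str) -> tuple:
    """'20.9.8.2' -> (20, 9, 8, 2); non-numeric components compare as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


@dataclass
class Findings:
    downgrade_messages: list = field(default_factory=list)
    traversal_commands: list = field(default_factory=list)
    backward_transitions: list = field(default_factory=list)


def hunt(lines) -> Findings:
    """Scan an iterable of log lines and collect the three indicator kinds."""
    found = Findings()
    for line in lines:
        if any(msg in line for msg in DOWNGRADE_MESSAGES):
            found.downgrade_messages.append(line)
        if TRAVERSAL_RE.search(line):
            found.traversal_commands.append(line)
        match = VERSION_RE.search(line)
        if match:
            old, new = match.group(1), match.group(2)
            # A transition to a *lower* version is the downgrade itself, even
            # if a later line restores the expected version.
            if parse_version(new) < parse_version(old):
                found.backward_transitions.append((old, new))
    return found


# Constructed sample log: downgrade, traversal in CLI records, restore, then a
# legitimate upgrade the next day.
SAMPLE_LOG = [
    "2026-01-10T02:11:04Z sysmgr: software version changed from 20.9.8.2 to 20.6.2",
    "2026-01-10T02:11:05Z sysmgr: Waiting for upgrade confirmation from user",
    "2026-01-10T02:13:40Z cli: user ops-ro executed: show file /logs/\\n&../\\n&../",
    "2026-01-10T02:13:41Z cli: user ops-ro executed: show file /var/log/../../etc/x",
    "2026-01-10T02:20:00Z sysmgr: Software upgrade not confirmed, revert to previous software version",
    "2026-01-10T02:25:00Z sysmgr: software version changed from 20.6.2 to 20.9.8.2",
    "2026-01-11T08:00:00Z sysmgr: software version changed from 20.9.8.2 to 20.12.5.3",
]

if __name__ == "__main__":
    result = hunt(SAMPLE_LOG)
    print("downgrade messages:", len(result.downgrade_messages))
    print("traversal commands:", len(result.traversal_commands))
    print("backward transitions:", result.backward_transitions)
```

Run against real exports, the `backward_transitions` list is the one to review first: a single 20.9.x to 20.6.x transition followed shortly by a restore matches the downgrade-exploit-restore sequence even when every other log the actor could reach has been purged.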

Discovery

CVE-2022-20775 was disclosed by Cisco in security advisory cisco-sa-sd-wan-priv-E6e8tEdF on September 28, 2022, alongside CVE-2022-20818. The original disclosure was routine — a high-severity local privilege escalation in SD-WAN CLI, patched without evidence of exploitation at the time of disclosure.

Its addition to the CISA KEV catalog in February 2026 — three and a half years after the original patch — is unusual and significant: it confirms that a threat actor deliberately sought out and weaponised a vulnerability for which a patch had long been available, by engineering a technique (firmware downgrade) to temporarily restore a device to a vulnerable state. This demonstrates a level of pre-attack research and operational sophistication that goes beyond opportunistic exploitation of unpatched systems.

Remediation

  1. Apply the 2026 patch bundle for your Cisco SD-WAN release train: 20.9.8.2, 20.12.5.3 (or 20.12.6.1), 20.15.4.2, or 20.18.2.1. These versions address both CVE-2022-20775 and CVE-2026-20127 together.
  2. Restrict software downgrade capabilities — review your SD-WAN deployment's software management policies. Where operationally possible, disable or restrict the use of the built-in version downgrade mechanism on SD-WAN controllers. Unauthorised use of the upgrade/downgrade mechanism should generate an alert.
  3. Review version change history on all SD-WAN controllers for unexplained transitions to older versions — even if the device is currently running the expected version, a prior downgrade event is a strong indicator of UAT-8616 activity.
  4. Inspect startup scripts, SSH authorised keys, and local accounts on SD-WAN controllers for additions not made by your team.
  5. Follow the full CISA Hunt & Hardening Guidance for Cisco SD-WAN Devices, which includes specific indicators of compromise for the UAT-8616 post-exploitation toolkit.

Key Details

Property              Value
CVE ID                CVE-2022-20775
Vendor / Product      Cisco — SD-WAN
NVD Published         2022-09-30
NVD Last Modified     2026-02-26
CVSS 3.1 Score        7.8
CVSS 3.1 Vector       CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity              HIGH
CWE                   CWE-25 — Relative Path Traversal
CISA KEV Added        2026-02-25
CISA KEV Deadline     2026-02-27
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2026-02-27. Please adhere to CISA's guidelines to assess exposure and mitigate risks associated with Cisco SD-WAN devices as outlined in CISA's Emergency Directive 26-03 and CISA's Hunt & Hardening Guidance for Cisco SD-WAN Devices. Adhere to the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available.

Timeline

Date         Event
2022-09-28   Cisco publishes advisory cisco-sa-sd-wan-priv-E6e8tEdF disclosing CVE-2022-20775 alongside CVE-2022-20818; patches available
2022-09-30   CVE-2022-20775 published at NVD
2023-01-01   UAT-8616 begins incorporating CVE-2022-20775 into SD-WAN attack chains via the deliberate firmware downgrade technique (Cisco Talos assessment)
2026-02-25   Added to CISA KEV alongside CVE-2026-20127; CISA issues Emergency Directive ED 26-03; CVE-2022-20775 identified as an active exploitation component in the UAT-8616 campaign
2026-02-27   CISA ED 26-03 / BOD 22-01 remediation deadline