CVE-2026-20122

Cisco Catalyst SD-WAN Manager — Authenticated API File Overwrite Enabling vManage Privilege Escalation
CVSS 3.1: 5.4 / 10 (MEDIUM) | CISA Known Exploited Vulnerability

What is Cisco Catalyst SD-WAN Manager?

Cisco Catalyst SD-WAN Manager (formerly known as vManage) is the centralized network management and orchestration platform for Cisco's Software-Defined WAN (SD-WAN) solution. It provides a single-pane-of-glass dashboard through which administrators configure, monitor, and manage up to 6,000 SD-WAN routers, branch devices, and edge nodes from one console.

As the management plane for an organization's entire WAN infrastructure, SD-WAN Manager is an exceptionally high-value target. Compromising it grants control over routing policies, VPN configurations, network segmentation, and traffic flows across the organization. An attacker with vManage administrator access can effectively reroute, intercept, or disrupt all traffic on the managed WAN.

CVE-2026-20122 is one of three Cisco SD-WAN Manager vulnerabilities added to CISA's KEV catalog on April 20, 2026 (alongside CVE-2026-20128 and CVE-2026-20133). All three are part of the same Cisco security advisory and have been exploited as part of a chained attack campaign against SD-WAN infrastructure.

Overview

Actively Exploited — Urgent Deadline. CVE-2026-20122 has been confirmed as actively exploited by Cisco (March 2026) and added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on April 20, 2026 with a remediation deadline of April 23, 2026. CISA also issued Emergency Directive ED 26-03 on February 25, 2026 — the same day as Cisco's initial disclosure — requiring federal agencies to take emergency action on Cisco SD-WAN systems.

CVE-2026-20122 is an incorrect-use-of-privileged-APIs vulnerability (CWE-648) in the API interface of Cisco Catalyst SD-WAN Manager. An authenticated attacker holding read-only credentials with API access can upload a crafted file through the API and have it written over an arbitrary file on the local file system, ultimately escalating privileges to vManage user level.

A CVSS score of 5.4 reads as moderate, but the vector (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N) scores this step in isolation: low-privilege network access leading to limited confidentiality and integrity impact with no scope change. It does not score the chain. In the campaign being exploited in the wild, attackers combine it with CVE-2026-20133 (unauthenticated information disclosure) and CVE-2026-20128 (credential exposure), and it is the chain as a whole that yields management plane takeover.

Affected Versions

Status      Cisco Catalyst SD-WAN Manager Version       Fixed In
Vulnerable  20.9.x prior to 20.9.8.2                    20.9.8.2
Vulnerable  20.10.x–20.12.x prior to 20.12.5.3          20.12.5.3 or 20.12.6.1
Vulnerable  20.13.x–20.15.x prior to 20.15.4.2          20.15.4.2
Vulnerable  20.16.x–20.18.x prior to 20.18.2.1          20.18.2.1

There are no workarounds for this vulnerability — upgrade is the only remediation.
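As an added example (not part of this page and not Cisco tooling), the table above turned into a runnable check for an inventory of SD-WAN Manager versions, which is also the decision the upgrade step in the Remediation section rests on. Everything beyond the table's own version numbers is an assumption: the inventory is constructed, and the handling of the 20.12 train's two fixed releases (treating 20.12.6.0 as still vulnerable because 20.12.6.1 is listed separately from 20.12.5.3) is an interpretation the page does not spell out; confirm it against the Cisco advisory and the upgrade matrix before acting on it.

```python
"""Added example (not Cisco tooling): check running Cisco Catalyst SD-WAN Manager
versions against the CVE-2026-20122 fixed-release table on this page."""

# Fixed releases per 20.x release train, from the page's Affected Versions table.
# Keys are the (lowest, highest) minor number covered by each table row.
FIXED_RELEASES = {
    (9, 9):   ["20.9.8.2"],
    (10, 12): ["20.12.5.3", "20.12.6.1"],
    (13, 15): ["20.15.4.2"],
    (16, 18): ["20.18.2.1"],
}


def parse_version(text):
    """'20.12.5.3' -> (20, 12, 5, 3). Two- or three-part strings are zero-padded."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted SD-WAN Manager version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))


def assess(version):
    """Classify one version as 'fixed', 'vulnerable' or 'not_covered' and name the
    fixed release to move to. Only the trains in the page's table are covered."""
    v = parse_version(version)
    row = next((fixes for (lo, hi), fixes in FIXED_RELEASES.items()
                if v[0] == 20 and lo <= v[1] <= hi), None)
    if row is None:
        return {"version": version, "status": "not_covered", "fix": None}
    fixed = [parse_version(f) for f in row]
    # Assumption (the page does not say): where a train lists two fixed releases
    # (20.12.5.3 or 20.12.6.1), each one covers its own maintenance line up to the
    # start of the next listed maintenance line. So 20.12.5.9 counts as fixed,
    # 20.12.6.0 sits in the gap and is treated as vulnerable, 20.12.7.x as fixed.
    for i, f in enumerate(fixed):
        upper = fixed[i + 1][:3] + (0,) if i + 1 < len(fixed) else None
        if v >= f and (upper is None or v < upper):
            return {"version": version, "status": "fixed", "fix": None}
    # Recommend the lowest fixed release whose maintenance line is not below ours.
    target = next((row[i] for i, f in enumerate(fixed) if f[:3] >= v[:3]), row[-1])
    return {"version": version, "status": "vulnerable", "fix": target}


def triage(inventory):
    """inventory: iterable of (hostname, version). Returns only the hosts that need
    action (vulnerable, or not covered by the table), with the fix to apply."""
    report = []
    for host, ver in inventory:
        result = assess(ver)
        if result["status"] != "fixed":
            report.append({"host": host, **result})
    return report


if __name__ == "__main__":
    # Constructed inventory for demonstration; these are not real hosts.
    sample = [
        ("vmanage-hq-1", "20.12.5.3"),
        ("vmanage-hq-2", "20.12.6.0"),
        ("vmanage-lab", "20.10.1"),
        ("vmanage-dr", "20.18.2.1"),
        ("vmanage-old", "20.9.8.1"),
        ("vmanage-new", "20.19.1"),
    ]
    for row in triage(sample):
        print(f"{row['host']:14} {row['version']:10} {row['status']:12} -> {row['fix']}")
```

Hosts reported as not_covered (a train outside the table, or anything below 20.9) need a manual check against the advisory rather than an automatic "clean" verdict.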

Technical Details

The vulnerability is in the API interface of Cisco Catalyst SD-WAN Manager. The API is designed to allow authenticated users to perform management operations, including uploading configuration files and templates. However, the API's file handling logic does not properly restrict which files can be overwritten on the local filesystem.

An attacker with valid read-only API credentials (a lower-privilege level than full administrator) can:

  1. Upload a malicious file via a crafted API request
  2. Direct the file to overwrite an arbitrary file on the SD-WAN Manager filesystem
  3. Leverage the overwritten file to escalate privileges to vManage user level — a higher-privilege role

The CWE-648 classification ("Incorrect Use of Privileged APIs") reflects that the file handling API operates with elevated system privileges but does not enforce adequate access controls on what can be overwritten.

Attack characteristics:

  • Authentication required: Yes — valid read-only API credentials
  • Attack complexity: Low
  • Network-accessible: Yes
  • User interaction: None

The Three-CVE Attack Chain

Security researchers at Suzu Labs described the chained exploitation scenario involving all three Cisco SD-WAN CVEs added to KEV on April 20, 2026:

  1. CVE-2026-20133 (unauthenticated info disclosure): Enumerate sensitive files and configuration through the API without credentials
  2. CVE-2026-20128 (DCA credential exposure): Harvest the stored Data Collection Agent (DCA) user credentials from the accessible credential file
  3. CVE-2026-20122 (this CVE): Use the harvested DCA credentials as the read-only API access this vulnerability requires, upload a file that overwrites an arbitrary file on the SD-WAN Manager filesystem, and escalate to vManage user level

The full chain requires no initial credentials and results in complete SD-WAN management plane compromise — controlling the routing and configuration of the entire enterprise WAN.

Exploitation Context

Cisco confirmed active exploitation of CVE-2026-20122 and CVE-2026-20128 in early March 2026. This exploitation followed the earlier CISA Emergency Directive ED 26-03 (February 25, 2026), which was triggered by exploitation of the related CVE-2026-20127 (CVSS 10.0 — full authentication bypass). The SD-WAN Manager attack campaign represents a sustained, multi-CVE effort by threat actors to compromise enterprise WAN management infrastructure.

The three CVEs added to KEV on April 20, 2026 (CVE-2026-20122, CVE-2026-20128, CVE-2026-20133) were discovered by Arthur Vidineyev of Cisco's Advanced Security Initiatives Group (ASIG) during internal security testing.

Remediation

CISA ED 26-03 and BOD 22-01 Deadline: April 23, 2026. Federal agencies must follow CISA Emergency Directive ED 26-03, which includes threat hunting requirements, hardening guidance, and mandatory compromise assessment in addition to patching.
  1. Upgrade Cisco Catalyst SD-WAN Manager to the fixed version for your release train: 20.9.8.2, 20.12.5.3 (or 20.12.6.1), 20.15.4.2, or 20.18.2.1. Consult the Cisco Catalyst SD-WAN Upgrade Matrix for compatibility guidance.
  2. Follow CISA Emergency Directive ED 26-03 — the directive includes specific threat hunting procedures and hardening steps beyond just patching. See CISA ED 26-03.
  3. Implement network isolation — restrict access to the SD-WAN Manager web interface (typically port 443/8443) to only authorized administrator IP ranges via firewall ACLs. It should never be exposed to the public internet.
  4. Review API access logs for unusual file upload operations, unexpected API calls from read-only accounts, and privilege escalation indicators.
  5. Rotate all SD-WAN Manager credentials, including read-only API accounts, after patching — treat existing credentials as potentially compromised.
  6. If compromise is suspected: follow CISA's guidance to deploy new vManage/vSmart/vBond instances from clean patched images and migrate edge devices to the rebuilt infrastructure.
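Remediation step 4 asks for a review of API access logs. The following is an added example, not Cisco code and not a real vManage log format: it runs three checks over constructed API access records (a read-only account issuing write-method requests, a read-only account sending a multipart file upload, and a read-only account later appearing with a higher role). The record fields, the role names in READ_ONLY_ROLES and the paths are assumptions; map them onto the fields your SD-WAN Manager audit or web-server logs actually carry.

```python
"""Added example (not Cisco code): triage API access records for the pattern behind
CVE-2026-20122. Record layout, role names and paths are constructed assumptions."""

WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
# Assumed role names for low-privilege/API-only accounts; any other role is treated
# as more privileged for the escalation check.
READ_ONLY_ROLES = {"readonly", "viewer", "dca"}

# Constructed sample records, one per API request (not real SD-WAN Manager logs).
SAMPLE_RECORDS = [
    {"ts": "2026-03-02T01:10:00Z", "user": "ops-admin", "role": "netadmin",
     "method": "POST", "path": "/dataservice/example/template",
     "ctype": "application/json", "status": 200},
    {"ts": "2026-03-02T01:12:04Z", "user": "dca-collector", "role": "dca",
     "method": "GET", "path": "/dataservice/example/device",
     "ctype": "", "status": 200},
    {"ts": "2026-03-02T01:12:09Z", "user": "dca-collector", "role": "dca",
     "method": "POST", "path": "/dataservice/example/upload",
     "ctype": "multipart/form-data; boundary=x", "status": 200},
    {"ts": "2026-03-02T01:13:30Z", "user": "dca-collector", "role": "dca",
     "method": "PUT", "path": "/dataservice/example/item/7",
     "ctype": "application/json", "status": 403},
    {"ts": "2026-03-02T01:15:00Z", "user": "dca-collector", "role": "netadmin",
     "method": "GET", "path": "/dataservice/example/settings",
     "ctype": "", "status": 200},
]


def is_upload(rec):
    """A multipart body is the clearest log-level indicator of a file upload."""
    return rec.get("ctype", "").lower().startswith("multipart/form-data")


def triage_records(records):
    """Walk records in time order and return findings. 'readonly_upload' is the
    direct CVE-2026-20122 pattern; 'readonly_write' is any other write by a
    read-only account; 'role_change' is a read-only account later acting with a
    higher role, which is what a successful escalation would look like."""
    findings = []
    roles_seen = {}  # user -> set of roles observed so far
    for rec in sorted(records, key=lambda r: r["ts"]):
        user, role, method = rec["user"], rec["role"], rec["method"].upper()
        seen = roles_seen.setdefault(user, set())
        if role not in READ_ONLY_ROLES and seen and seen <= READ_ONLY_ROLES:
            findings.append({"rule": "role_change", "severity": "high", "rec": rec,
                             "note": f"{user} acted as {role} after only {sorted(seen)}"})
        seen.add(role)
        if role in READ_ONLY_ROLES and method in WRITE_METHODS:
            rule = "readonly_upload" if is_upload(rec) else "readonly_write"
            # A rejected non-upload write is still worth a look, but lower priority.
            severity = "high" if rule == "readonly_upload" or rec["status"] < 400 else "medium"
            findings.append({"rule": rule, "severity": severity, "rec": rec,
                             "note": f"{method} {rec['path']} by read-only {user} -> HTTP {rec['status']}"})
    return findings


def summarize(findings):
    """Count findings per rule, e.g. {'readonly_upload': 1, ...}."""
    counts = {}
    for f in findings:
        counts[f["rule"]] = counts.get(f["rule"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage_records(SAMPLE_RECORDS):
        print(f"[{f['severity']:6}] {f['rule']:16} {f['rec']['ts']}  {f['note']}")
    print(summarize(triage_records(SAMPLE_RECORDS)))
```

The role_change rule only fires for accounts whose earlier activity was entirely read-only, so a legitimately dual-role administrator does not generate noise; a read-only account that suddenly appears with a higher role, after an upload, is the sequence worth escalating to incident response.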

Key Details

Property                Value
CVE ID                  CVE-2026-20122
Vendor / Product        Cisco — Catalyst SD-WAN Manager
NVD Published           2026-02-25
NVD Last Modified       2026-04-21
CVSS 3.1 Score          5.4
CVSS 3.1 Vector         CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Severity                MEDIUM
CWE                     CWE-648 — Incorrect Use of Privileged APIs
CISA KEV Added          2026-04-20
CISA KEV Deadline       2026-04-23
Known Ransomware Use    No

CVSS 3.1 Breakdown

Attack Vector           Network
Attack Complexity       Low
Privileges Required     Low
User Interaction        None
Scope                   Unchanged
Confidentiality         Low
Integrity               Low
Availability            None

Required Action

CISA BOD 22-01 Deadline: 2026-04-23. Please adhere to CISA's guidelines to assess exposure and mitigate risks associated with Cisco SD-WAN devices as outlined in CISA's Emergency Directive 26-03 and CISA's Hunt & Hardening Guidance for Cisco SD-WAN Devices. Adhere to the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available.

Timeline

Date        Event
2026-02-25  Cisco discloses CVE-2026-20122 alongside CVE-2026-20128 and CVE-2026-20133 in security advisory cisco-sa-sdwan-authbp-qwCX8D4v; CISA issues Emergency Directive ED 26-03 the same day
2026-03-01  Cisco confirms active exploitation of CVE-2026-20122 and CVE-2026-20128 in the wild
2026-03-18  Cisco updates the security advisory (v1.2) with the exploitation confirmation
2026-04-20  Added to CISA Known Exploited Vulnerabilities catalog
2026-04-23  CISA BOD 22-01 remediation deadline (3-day window)