HighCISA KEVExploited in the wildPublic exploit

Privilege Escalation in Cisco SD-WAN Software CLI

IdentifiersCVE-2022-20775CWE-269

CVE-2022-20775 is a privilege escalation vulnerability in the CLI of Cisco SD-WAN Software. According to Cisco, the flaw is caused by improper access controls on commands within the application CLI. An authenticated local attacker can exploit the issue by executing a maliciously crafted command in the CLI, which can result in arbitrary command execution as the root user. Supporting context also associates the vulnerability with Cisco Catalyst SD-WAN deployments and notes that it has been used operationally after attackers obtained initial privileged access, including via software downgrade to a vulnerable release.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an authenticated local attacker to elevate privileges to root and execute arbitrary commands with full system privileges on the affected Cisco SD-WAN device. In observed real-world intrusion chains, attackers used this root access to establish persistence, create local accounts, modify system state, and maintain long-term control of SD-WAN management or control-plane components.

Mitigation

If you can’t patch tonight, do this now.

Cisco states there are no workarounds that address this vulnerability. Interim risk reduction should therefore focus on preventing attackers from obtaining the prerequisite local authenticated access: restrict CLI and management-plane access to trusted administrators and networks only, remove unnecessary internet exposure of SD-WAN management/control interfaces, monitor for unauthorized software downgrade activity, and review logs and system state for signs of root-level persistence or unauthorized account creation.

Remediation

Patch, then assume compromise.

Apply Cisco's software updates that address CVE-2022-20775 by upgrading affected Cisco SD-WAN Software to a fixed release as specified in Cisco's advisory. Because attackers have been observed downgrading appliances to vulnerable versions specifically to exploit this flaw, organizations should ensure devices cannot be reverted to affected releases through the built-in update mechanism without authorization, and should investigate for compromise if downgrade activity is observed.

PUBLIC EXPLOITS

Exploits

No valid public exploits. Mallory filtered out 3 candidates as fakes, detection scripts, or README-only repos.

VALID 0 / 3 TOTALView more in app

All candidate exploits were filtered out by Mallory's validation.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

Cisco SystemsCatalyst SD-WAN Managerapplication

Cisco SystemsSd-Wanoperating_system

Cisco SystemsSd-Wan Vbond Orchestratorapplication

Cisco SystemsSd-Wan Vedge Cloudapplication

Cisco SystemsSd-Wan Vsmart Controllerapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

75 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

75 SOURCESView more in app

the hacker newsNews

Jun 6, 2026

Cisco Catalyst SD-WAN Manager CVE-2026-20245 Flaw Actively Exploited - No Patch Available

A Cisco SD-WAN vulnerability that was flagged as actively exploited this year.

security affairsNews

Jun 5, 2026

Cisco SD-WAN Has a New Root-Level Problem, and There's No Fix Yet - Security Affairs

A path traversal vulnerability in Cisco Catalyst SD-WAN that the content says was added to CISA's Known Exploited Vulnerabilities catalog.

Jun 5, 2026

Yet another Cisco SD-WAN 0-day under attack, and no patch in sight

An older Cisco SD-WAN vulnerability highlighted alongside newer flaws in a Five Eyes warning because exploitation could lead to root takeover.

tenable blogNews

May 15, 2026

CVE-2026-20182: Cisco SD-WAN Active Exploitation | Tenable®

A Cisco SD-WAN CLI path traversal privilege escalation vulnerability used post-compromise to escalate privileges to root after initial access to SD-WAN infrastructure.

+39 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence27

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures1

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity23

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2022-20775

NVD

nvd.nist.gov/vuln/detail/CVE-2022-20775

MITRE CWE · CWE-269

cwe.mitre.org

Vendor Advisory

sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sd-wan-priv-E6e8tEdF

Vendor Advisory

tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sd-wan-priv-E6e8tEdF

Third Party Advisory

github.com/orangecertcc/security-research/security/advisories/GHSA-wmjv-552v-pxjc

US Government Resource

cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-20775