Skip to main content
Mallory
Back to vulnerabilities
MediumCISA KEVExploited in the wildPublic exploit

Arbitrary File Overwrite in Cisco Catalyst SD-WAN Manager API

IdentifiersCVE-2026-20122CWE-648· Incorrect Use of Privileged APIs

CVE-2026-20122 is an authenticated arbitrary file overwrite vulnerability in the API of Cisco Catalyst SD-WAN Manager. According to the provided content, the issue is caused by improper file handling / incorrect use of privileged APIs in the API interface of an affected system. An attacker with valid read-only credentials and API access can upload a malicious file and cause arbitrary files on the local filesystem to be overwritten. Successful exploitation can result in privilege escalation to vManage user privileges.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an authenticated remote attacker to overwrite arbitrary files on the local filesystem of the affected Cisco Catalyst SD-WAN Manager instance. This can be used to escalate privileges to vManage user privileges and perform unauthorized operations within the SD-WAN management plane. In broader observed campaigns, this flaw has been used as part of exploit chains against unpatched SD-WAN Manager infrastructure and may contribute to unauthorized access to the management plane.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, restrict access to SD-WAN management interfaces and API endpoints to dedicated administrative networks only, remove direct internet exposure where feasible, and enforce strict network access controls around SD-WAN management infrastructure. Limit API access to only necessary accounts, review logs and hunt for indicators of compromise, and monitor for suspicious file upload activity or unauthorized changes on the appliance. Follow Cisco SD-WAN hardening guidance and relevant CISA emergency/hunt guidance referenced in the provided content.

Remediation

Patch, then assume compromise.

Upgrade Cisco Catalyst SD-WAN Manager to a fixed software release as specified by Cisco's security advisory and upgrade guidance. The provided content indicates Cisco released patches in February 2026 and that organizations should move to the appropriate fixed release for their supported deployment. If running unsupported or end-of-life releases, upgrade to a supported fixed version. Preserve forensic artifacts and review Cisco/Talos guidance for indicators of compromise before upgrading where compromise is suspected.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
Cisco SystemsCatalyst SD-WAN Managerapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

82 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

82 SOURCESView more in app
proofpointNews
May 26, 2026
More CVEs, Same Playbook: 2026 Vulnerability Exploitation in the Wild | Proofpoint US

An authentication bypass vulnerability affecting Cisco Catalyst SD-WAN, observed in active network exploitation attempts.

Read more
cyberscoopNews
May 15, 2026
Cisco zero-day under ongoing attack by persistent threat group | CyberScoop

One of three vulnerabilities in unpatched Cisco Catalyst SD-WAN Infrastructure that were chained together in widespread in-the-wild active exploitation.

Read more
ca ccsNews
May 15, 2026
AL26-012 - Critical vulnerability affecting Cisco Catalyst SD-WAN - CVE-2026-20182 - Canadian Centre for Cyber Security

A previously reported Cisco Catalyst SD-WAN vulnerability that Cisco says continues to be exploited.

Read more
ca ccsNews
May 15, 2026
AL26-013 - Critical vulnerability affecting Cisco Catalyst SD-WAN - CVE-2026-20182 - Canadian Centre for Cyber Security

A Cisco Catalyst SD-WAN vulnerability previously reported in February 2026 that Cisco says continues to be exploited.

Read more
+33 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence1

Every observed campaign linking this CVE to a named adversary.

Associated malware28

Malware families riding this exploit, with evidence and IOCs.

Detection signatures1

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity39

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2026-20122
NVD
nvd.nist.gov/vuln/detail/CVE-2026-20122
MITRE CWE · CWE-648
Incorrect Use of Privileged APIs
Vendor Advisory
sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-authbp-qwCX8D4v
US Government Resource
cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-20122