CVE-2026-20122
Arbitrary File Overwrite in Cisco Catalyst SD-WAN API

Publication date: 2026-02-25

Last updated on: 2026-04-21

Assigner: Cisco Systems, Inc.

Description
A vulnerability in the API of Cisco Catalyst SD-WAN Manager could allow an authenticated, remote attacker to overwrite arbitrary files on the local file system. To exploit this vulnerability, the attacker must have valid read-only credentials with API access on the affected system. This vulnerability is due to improper file handling on the API interface of an affected system. An attacker could exploit this vulnerability by uploading a malicious file on the local file system. A successful exploit could allow the attacker to overwrite arbitrary files on the affected system and gain vmanage user privileges.
Meta Information
Published: 2026-02-25
Last Modified: 2026-04-21
Generated: 2026-05-06
AI Q&A: 2026-02-25
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 5 associated CPEs
Vendor | Product | Version / Range
cisco | catalyst_sd-wan_manager | Up to 20.9.8.2 (exc)
cisco | catalyst_sd-wan_manager | From 20.13 (inc) to 20.15.4.2 (exc)
cisco | catalyst_sd-wan_manager | From 20.16 (inc) to 20.18.2.1 (exc)
cisco | catalyst_sd-wan_manager | 20.12.6
cisco | catalyst_sd-wan_manager | From 20.10 (inc) to 20.12.5.3 (exc)
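
The CPE ranges listed above contain one trap for inventory checks: 20.12.6 is affected even though it is newer than the 20.12.5.3 boundary, so a single "older than the fixed release" comparison misclassifies it. The following is an added example, not code from Cisco or from this page; it assumes purely numeric dotted version strings, treats a missing component as zero, and uses constructed hostnames.

```python
import re

# Ranges copied from the page: (inclusive lower bound or None, exclusive upper bound).
AFFECTED_RANGES = [
    (None, "20.9.8.2"),
    ("20.10", "20.12.5.3"),
    ("20.13", "20.15.4.2"),
    ("20.16", "20.18.2.1"),
]
AFFECTED_EXACT = ["20.12.6"]  # listed on the page as a single version

def parse(version):
    """'20.12.5.3' -> (20, 12, 5, 3); rejects anything that is not dotted digits."""
    text = version.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in text.split("."))

def compare(a, b):
    """Three-way compare after zero-padding (assumption: 20.13 == 20.13.0.0)."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)

def is_affected(version):
    """True if the version falls in any range or exact entry listed on the page."""
    v = parse(version)
    if any(compare(v, parse(exact)) == 0 for exact in AFFECTED_EXACT):
        return True
    for low, high in AFFECTED_RANGES:
        above_low = low is None or compare(v, parse(low)) >= 0
        if above_low and compare(v, parse(high)) < 0:
            return True
    return False

def triage(inventory):
    """Map hostname -> 'AFFECTED', 'not listed' or 'unparsed' (needs manual review)."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = "AFFECTED" if is_affected(version) else "not listed"
        except ValueError:
            result[host] = "unparsed"
    return result

if __name__ == "__main__":
    # Constructed inventory: hostnames and versions are sample values.
    sample = {"mgr-a": "20.12.6", "mgr-b": "20.12.6.1", "mgr-c": "20.15.3", "mgr-d": "n/a"}
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```

"not listed" means only that the version is outside the ranges on this page; confirm fixed-release status against the vendor advisory.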
CWE ID | Description
CWE-648 | The product does not conform to the API requirements for a function call that requires extra privileges. This could allow attackers to gain privileges by causing the function to be called incorrectly.
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability affects the API of Cisco Catalyst SD-WAN Manager and requires valid read-only API credentials to exploit. Detection involves monitoring API access and logs for suspicious activity, such as unauthorized file uploads or attempts to overwrite files on the local file system.

General security recommendations include monitoring logs for suspicious activity related to the API interface. Specific commands are not provided in the available resources.


What immediate steps should I take to mitigate this vulnerability?

Cisco recommends upgrading affected Cisco Catalyst SD-WAN Manager systems to fixed software releases such as version 20.18.2.1 or later. Earlier fixed releases include 20.9.8.2, 20.12.6.1, and 20.15.4.2.

  • Restrict system access to trusted hosts only.
  • Protect SD-WAN control components behind firewalls.
  • Disable unnecessary services such as HTTP and FTP.
  • Enforce strong administrator passwords.
  • Use SSL/TLS with valid certificates for secure communication.
  • Monitor logs for suspicious activity related to API access.

Can you explain this vulnerability to me?

This vulnerability affects the API of Cisco Catalyst SD-WAN Manager. It allows an authenticated, remote attacker who has valid read-only API credentials to overwrite arbitrary files on the local file system.

The issue arises from improper file handling in the API interface, which enables the attacker to upload malicious files. Successfully exploiting this vulnerability could allow the attacker to overwrite files on the system and gain elevated vmanage user privileges.


How can this vulnerability impact me?

Exploiting this vulnerability could allow an attacker to overwrite arbitrary files on the affected system, potentially leading to unauthorized changes or disruptions.

The attacker could gain vmanage user privileges, which may allow further unauthorized actions within the system.

There is no known workaround, so the risk remains until the system is updated with the fixed software releases.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know

