Description
A vulnerability in the API of Cisco Catalyst SD-WAN Manager could allow an authenticated, remote attacker to overwrite arbitrary files on the local file system. To exploit this vulnerability, the attacker must have valid read-only credentials with API access on the affected system.

This vulnerability is due to improper file handling on the API interface of an affected system. An attacker could exploit this vulnerability by uploading a malicious file on the local file system. A successful exploit could allow the attacker to overwrite arbitrary files on the affected system and gain vmanage user privileges.
Published: 2026-02-25
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Overwrite leading to potential privilege escalation
Action: Immediate Patch
AI Analysis

Impact

A remote authenticated attacker with read‑only API credentials can upload a malicious file to Cisco Catalyst SD‑WAN Manager. The API improperly handles file names, allowing the attacker to overwrite any file on the local file system. By replacing critical files the attacker can gain vmanage user privileges and compromise system integrity. The flaw is classified as CWE‑648: Unrestricted Write to Arbitrary File.

Affected Systems

Affected products include Cisco Catalyst SD‑WAN Manager, notably version 20.12.6 and potentially earlier releases as indicated by the CPE strings. The vulnerability exists in the API layer that processes file uploads.

Risk and Exploitability

The CVSS v3.1 base score is 5.4, indicating moderate impact, while the EPSS score is below 1%, suggesting a very low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires remote access to the API with valid, albeit read‑only, credentials, so the attack vector is remote authenticated with limited initial privileges. If successful, the attacker can overwrite arbitrary files and elevate privileges, representing a significant security concern.

Generated by OpenCVE AI on April 16, 2026 at 06:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑provided patch or upgrade Cisco Catalyst SD‑WAN Manager to the fixed release documented in the Cisco advisory.
  • Delete or revoke any read‑only API users that are unnecessary and enforce least privilege for remaining accounts.
  • If an immediate patch is unavailable, temporarily disable the file upload endpoint or restrict it to non‑system directories to prevent overwriting critical files.

Generated by OpenCVE AI on April 16, 2026 at 06:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 09 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 04 Mar 2026 21:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:cisco:catalyst_sd-wan_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:cisco:catalyst_sd-wan_manager:20.12.6:*:*:*:*:*:*:*

Thu, 26 Feb 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Cisco
Cisco catalyst Sd-wan Manager
Vendors & Products Cisco
Cisco catalyst Sd-wan Manager

Wed, 25 Feb 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 25 Feb 2026 17:15:00 +0000

Type Values Removed Values Added
Description A vulnerability in the API of Cisco Catalyst SD-WAN Manager could allow an authenticated, remote attacker to overwrite arbitrary files on the local file system. To exploit this vulnerability, the attacker must have valid read-only credentials with API access on the affected system. This vulnerability is due to improper file handling on the API interface of an affected system. An attacker could exploit this vulnerability by uploading a malicious file on the local file system. A successful exploit could allow the attacker to overwrite arbitrary files on the affected system&nbsp;and gain vmanage user privileges.
Title Cisco Catalyst SD-WAN Manager Arbitrary File Overwrite Vulnerability
Weaknesses CWE-648
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}

Subscriptions

Cisco Catalyst Sd-wan Manager
cve-icon MITRE

Status: PUBLISHED

Assigner: cisco

Published:

Updated: 2026-03-20T21:47:05.503Z

Reserved: 2025-10-08T11:59:15.377Z

Link: CVE-2026-20122

cve-icon Vulnrichment

Updated: 2026-02-25T18:14:22.592Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-25T17:25:28.170

Modified: 2026-03-04T21:25:22.193

Link: CVE-2026-20122

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T06:15:26Z

Weaknesses