Description
A vulnerability in the web UI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an authenticated, remote attacker with read-only permissions to elevate their privileges from low to high and perform actions as a high-privileged user.

This vulnerability exists because sensitive session information is recorded in audit logs. An attacker could exploit this vulnerability by elevating their read-only permissions in Cisco Catalyst SD-WAN Manager to those of a high-privileged user. A successful exploit could allow the attacker to perform actions as a high-privileged user.
Published: 2026-05-14
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the web interface of Cisco Catalyst SD‑WAN Manager, formerly known as vManage, permits an authenticated attacker who already has read‑only access to gain high‑privileged rights. The vulnerability arises because sensitive session data is logged in audit records, which lets the attacker promote their permissions from read‑only to high. An attacker who successfully exploits this flaw can execute any operation that a high‑privileged user is authorized to perform, potentially compromising network configuration and control.

Affected Systems

Cisco Catalyst SD‑WAN Manager is the sole affected product listed by the CNA. No specific version range is provided, so all installations of the SD‑WAN Manager that use the web UI remain potentially vulnerable until a patch is applied.

Risk and Exploitability

The CVSS score of 5.4 indicates medium severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, which suggests that it is not currently exploited in the wild or has limited public exploitation data. The attack path requires an authenticated session with read‑only permissions, accessed remotely via the web UI. Because sensitive session information is written to the audit logs, the attacker can then elevate privileges in a single step and manipulate network management functions. Since only read‑only access is required, every account holding such a role is part of the attack surface.

Generated by OpenCVE AI on May 14, 2026 at 18:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Acquire and deploy the Cisco Catalyst SD‑WAN Manager security patch linked in the Cisco advisories (https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-mltvnps2-JxpWm7R and https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk).
  • Restrict the use of read‑only accounts by ensuring they are assigned only the minimal device and network visibility required, and regularly review account privileges.
  • Configure audit logging or monitoring to detect anomalous privilege‑escalation events, and set alerts for any changes in user roles or session attributes.



Advisories

No advisories yet.

History

Fri, 15 May 2026 11:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Cisco; Cisco catalyst Sd-wan Manager
Vendors & Products | | Cisco; Cisco catalyst Sd-wan Manager

Thu, 14 May 2026 20:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 14 May 2026 17:00:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability in the web UI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an authenticated, remote attacker with read-only permissions to elevate their privileges from low to high and perform actions as a high-privileged user. This vulnerability exists because sensitive session information is recorded in audit logs. An attacker could exploit this vulnerability by elevating their read-only permissions in Cisco Catalyst SD-WAN Manager to those of a high-privileged user. A successful exploit could allow the attacker to perform actions as a high-privileged user.
Title | | Cisco Catalyst SD-WAN Manager Privilege Escalation Vulnerability
Weaknesses | | CWE-779
References | |
Metrics | | cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: cisco

Published:

Updated: 2026-05-15T03:56:13.953Z

Reserved: 2025-10-08T11:59:15.398Z

Link: CVE-2026-20209

Vulnrichment

Updated: 2026-05-14T19:12:48.337Z

NVD

Status: Awaiting Analysis

Published: 2026-05-14T17:16:19.750

Modified: 2026-05-14T17:19:57.600

Link: CVE-2026-20209

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-15T11:00:09Z
