MediumCISA KEVExploited in the wildPublic exploit

Arbitrary File Overwrite in Cisco Catalyst SD-WAN Manager API

IdentifiersCVE-2026-20122CWE-648· Incorrect Use of Privileged APIs

CVE-2026-20122 is a vulnerability in the API of Cisco Catalyst SD-WAN Manager that allows an authenticated remote attacker to overwrite arbitrary files on the local filesystem. According to the provided Cisco description, the issue is caused by improper file handling in the API interface of an affected system. An attacker with valid read-only credentials and API access can upload a malicious file and cause arbitrary file overwrite on the target appliance. Successful exploitation can result in privilege escalation to vManage user privileges. The provided context also notes this flaw has been observed in the wild and has been chained with other Cisco Catalyst SD-WAN Manager vulnerabilities, including CVE-2026-20128 and CVE-2026-20133, to obtain broader unauthorized access.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows arbitrary overwrite of local files on the Cisco Catalyst SD-WAN Manager system. This can be used to alter application or system state and escalate privileges from a low-privileged authenticated API user to vManage user privileges. In observed attack chains, the vulnerability has contributed to unauthorized access to the SD-WAN management plane and subsequent deployment of web shells and other post-exploitation tooling.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, restrict access to the SD-WAN Manager API and management interfaces to dedicated administrative networks only, remove direct internet exposure where feasible, and tightly limit API access to only required accounts. Review Cisco hunt and hardening guidance, monitor for indicators of compromise and unauthorized file uploads, inspect authentication and application logs for suspicious API activity, and investigate systems for signs of chained exploitation with related SD-WAN vulnerabilities. Preserve logs and forensic data and engage Cisco TAC if compromise is suspected.

Remediation

Patch, then assume compromise.

Upgrade Cisco Catalyst SD-WAN Manager to a fixed software release as specified by Cisco's security advisory. The provided context indicates Cisco released patches for this vulnerability in February 2026 and that CISA subsequently added it to the Known Exploited Vulnerabilities catalog. Organizations should follow Cisco's upgrade matrix and vendor guidance for the appropriate supported fixed release, and preserve forensic artifacts before upgrading if compromise is suspected.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

Cisco SystemsCatalyst SD-WAN Managerapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

83 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

83 SOURCESView more in app

bleeping computerNews

Jun 5, 2026

Cisco warns of unpatched SD-WAN zero-day exploited in attacks

A Cisco Catalyst SD-WAN-related flaw that Cisco warned was being abused in the wild.

proofpointNews

May 26, 2026

More CVEs, Same Playbook: 2026 Vulnerability Exploitation in the Wild | Proofpoint US

An authentication bypass vulnerability affecting Cisco Catalyst SD-WAN, observed in active network exploitation attempts.

cyberscoopNews

May 15, 2026

Cisco zero-day under ongoing attack by persistent threat group | CyberScoop

One of three vulnerabilities in unpatched Cisco Catalyst SD-WAN Infrastructure that were chained together in widespread in-the-wild active exploitation.

ca ccsNews

May 15, 2026

AL26-012 - Critical vulnerability affecting Cisco Catalyst SD-WAN - CVE-2026-20182 - Canadian Centre for Cyber Security

A previously reported Cisco Catalyst SD-WAN vulnerability that Cisco says continues to be exploited.

+34 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence1

Every observed campaign linking this CVE to a named adversary.

Associated malware28

Malware families riding this exploit, with evidence and IOCs.

Detection signatures1

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity39

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-20122

NVD

nvd.nist.gov/vuln/detail/CVE-2026-20122

MITRE CWE · CWE-648

Incorrect Use of Privileged APIs

Vendor Advisory

sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-authbp-qwCX8D4v

US Government Resource

cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-20122