Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to vulnerabilities
MediumCISA KEVExploited in the wildPublic exploit

Arbitrary File Overwrite in Cisco Catalyst SD-WAN Manager API

IdentifiersCVE-2026-20122CWE-73

CVE-2026-20122 is an authenticated arbitrary file overwrite vulnerability in the API of Cisco Catalyst SD-WAN Manager. According to Cisco, the issue is caused by improper file handling in the API interface, allowing a remote attacker with valid read-only credentials and API access to upload a malicious file and overwrite arbitrary files on the local filesystem of the affected system. The flaw affects Cisco Catalyst SD-WAN Manager and has been described in reporting as one of several SD-WAN Manager vulnerabilities exploited in 2026. Successful exploitation can result in overwrite of attacker-chosen files and subsequent privilege gain to the vmanage user context.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

A successful exploit allows an authenticated remote attacker to overwrite arbitrary files on the local filesystem of the affected Cisco Catalyst SD-WAN Manager instance. This can be used to alter application or system files and can lead to privilege escalation to vmanage user privileges. In operational terms, compromise of SD-WAN Manager can facilitate unauthorized access to the management plane and support follow-on actions against the SD-WAN environment.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, restrict exposure of Cisco Catalyst SD-WAN Manager management interfaces and API endpoints, especially from the public internet. Limit API access to trusted administrative networks, minimize the number of accounts with API access, and review logs and indicators of compromise for suspicious file upload or overwrite activity. Apply Cisco SD-WAN hardening guidance and investigate for unauthorized changes or persistence on affected systems.

Remediation

Patch, then assume compromise.

Upgrade Cisco Catalyst SD-WAN Manager to a fixed software release as specified by Cisco's security advisory for CVE-2026-20122. Cisco has released patches for this vulnerability and has warned that it has been exploited in the wild. Organizations should follow Cisco’s upgrade matrix for the affected release train and validate that all SD-WAN Manager instances are updated.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
Cisco SystemsCatalyst SD-WAN Managerapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

92 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

92 SOURCESView more in app
security affairsNews
Jun 16, 2026
CVE-2026-20262: CISCO Catalyst SD-WAN Flaw Under Active Targeted Exploitation

A Cisco SD-WAN vulnerability mentioned as one of several other vulnerabilities discovered this year.

Read more
security weekNews
Jun 16, 2026
Cisco Patches Another SD-WAN Zero-Day Exploited in Attacks - SecurityWeek

A Cisco SD-WAN vulnerability listed by the article as having detected exploitation in 2026.

Read more
the hacker newsNews
Jun 16, 2026
Cisco Releases Security Updates for Actively Exploited SD-WAN Manager Flaw

A previously flagged actively exploited Cisco SD-WAN vulnerability referenced for context only.

Read more
help net securityNews
Jun 16, 2026
Cisco discloses second exploited SD-WAN vulnerability in two weeks (CVE-2026-20262) - Help Net Security

An arbitrary file overwrite vulnerability in Cisco Catalyst SD-WAN Manager that the article says attackers have been exploiting as a zero- or n-day.

Read more
+42 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence2

Every observed campaign linking this CVE to a named adversary.

Associated malware28

Malware families riding this exploit, with evidence and IOCs.

Detection signatures1

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity40

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2026-20122
NVD
nvd.nist.gov/vuln/detail/CVE-2026-20122
MITRE CWE · CWE-73
cwe.mitre.org
Vendor Advisory
sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-authbp-qwCX8D4v
US Government Resource
cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-20122