What is CVE-2026-20122?

A medium-severity vulnerability in Cisco Catalyst SD-WAN Manager could allow authenticated remote attackers to overwrite arbitrary files. Immediate patching is advised to mitigate risks.

What is the severity of CVE-2026-20122?

CVE-2026-20122 has a severity rating of MEDIUM with a CVSS base score of 5.4.

CVE-2026-20122 | Medium Vulnerability in Cisco Catalyst SD-WAN Manager

Q: Is CVE-2026-20122 in CISA KEV?

Yes. CVE-2026-20122 is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. Organizations should prioritize remediation.

A vulnerability in the API of Cisco Catalyst SD-WAN Manager could allow an authenticated, remote attacker to overwrite arbitrary files on the local file system. To exploit this vulnerability, the attacker must have valid read-only credentials with API access on the affected system. This vulnerability is due to improper file handling on the API interface of an affected system. An attacker could exploit this vulnerability by uploading a malicious file on the local file system. A successful exploit could allow the attacker to overwrite arbitrary files on the affected system and gain vmanage user privileges.

The severity of this vulnerability is classified as medium, with a CVSS score of 5.4. This score indicates that while the attack complexity is low, the potential impact on confidentiality and integrity is significant if successfully exploited. Organizations utilizing Cisco Catalyst SD-WAN Manager should be aware of this risk and take immediate action to mitigate it.

Currently, there is no known public exploit for this vulnerability. However, given that it has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog, organizations should prioritize patching immediately. The risk to organizations includes unauthorized access and potential data manipulation, which could lead to broader security breaches.

The urgency for defenders is heightened, and organizations should address this vulnerability in their priority patch cycle. Failure to act could expose them to significant security risks.

Vulnerability Details

This vulnerability allows authenticated users to exploit the API interface of Cisco Catalyst SD-WAN Manager. The CVSS score of 5.4 indicates a medium severity level, which could lead to unauthorized file access and manipulation.

Technical Analysis

The root cause of this vulnerability stems from improper file handling within the API interface. The attack vector is network-based, and the complexity of the attack is considered low. Attackers require low privileges to exploit this vulnerability, and no user interaction is necessary. The confidentiality and integrity impacts are classified as low, while availability remains unaffected.

Risk & Impact Analysis

Real-world deployment of this vulnerability poses significant risks. If exploited, attackers could overwrite critical files, leading to unauthorized access and potential data breaches. Organizations must assess their exposure to this vulnerability and implement necessary mitigations.

Signal	Status
Known Exploit	No
Public PoC	No
Actively Exploited	Yes
Ransomware Use	No

Affected Versions

The affected versions of Cisco Catalyst SD-WAN Manager include all versions prior to 20.9.8.2, versions 20.10 to 20.12.5.3, versions 20.13 to 20.15.4.2, and versions 20.16 to 20.18.2.1. Additionally, version 20.12.6 is also vulnerable.

Mitigation & Remediation

Organizations should prioritize patching to the latest version of Cisco Catalyst SD-WAN Manager. If a patch is unavailable, consider implementing network segmentation and monitoring for anomalous API use as temporary mitigations. For further guidance, organizations may refer to CISA’s guidelines on assessing exposure and mitigating risks associated with Cisco SD-WAN devices.

For comprehensive strategies, organizations can refer to penetration testing services to identify and remediate vulnerabilities.

Detection Guidance

Monitoring for unusual API requests, unauthorized file uploads, and changes to critical system files is essential for detecting potential exploitation attempts. Organizations should also review access logs for any suspicious activity.

AppSecure Threat Intelligence Insight

The long-term significance of this vulnerability highlights the ongoing challenges organizations face with API security. Increased awareness and proactive measures are essential to mitigate risks associated with improper file handling.

Security teams should adopt best practices for API security to prevent similar vulnerabilities.

Additionally, organizations can benefit from regular penetration testing to identify vulnerabilities before they can be exploited.

Lastly, engaging in a robust vulnerability management program can enhance overall security posture.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

CVE ID	Title	Severity	Vulnerability Type	Published
CVE-2025-65418	CVE-2025-65418: High Vulnerability in docuFORM Managed Print Service Client	HIGH	Path Traversal	May 11, 2026
CVE-2025-65417	CVE-2025-65417: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	XSS	May 11, 2026
CVE-2025-65416	CVE-2025-65416: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	Unrestricted File Upload	May 11, 2026
CVE-2025-65415	CVE-2025-65415: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	Session Fixation	May 11, 2026
CVE-2025-61314	CVE-2025-61314: High Vulnerability in GmbH Mecury Managed Print Services	HIGH	XSS	May 11, 2026

CVE-2026-20122: Medium Vulnerability in Cisco Catalyst SD-WAN Manager