⚡ Active KEV CVE-2026-20122 2026-05-17

CVE-2026-20122: Cisco Catalyst SD-WAN Manager Privileged API Abuse Lets Read-Only Users Escalate to vManage

A flaw in the Cisco Catalyst SD-WAN Manager API lets an authenticated attacker with read-only credentials overwrite arbitrary files and escalate to vmanage user privileges. CISA added it to the KEV catalog on 2026-04-20 and issued Emergency Directive 26-03 the same day, setting a remediation deadline of 2026-04-23.

What Is It

CVE-2026-20122 is an incorrect use of privileged APIs vulnerability (CWE-648) in the API interface of Cisco Catalyst SD-WAN Manager. Improper file handling on the API allows an authenticated, remote attacker to upload a malicious file to the local filesystem and overwrite arbitrary files. A successful exploit grants the attacker vmanage user privileges. The attacker needs valid read-only credentials with API access; no user interaction is required.

NVD assigns a CVSS 3.1 base score of 5.4 (MEDIUM), vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N.

Why It Matters

SD-WAN Manager (formerly vManage) is the central control plane for Cisco SD-WAN deployments; compromise of a vmanage user reaches deep into network orchestration and policy. CISA added the CVE to its Known Exploited Vulnerabilities catalog on 2026-04-20, confirming active exploitation in the wild, and issued Emergency Directive 26-03 the same day with a remediation due date of 2026-04-23. Known ransomware use is currently listed as Unknown.

The low privilege bar (read-only API credentials are enough) meaningfully widens the attacker pool inside any organization with broad SD-WAN Manager API access.

What's Vulnerable

Cisco Catalyst SD-WAN Manager, in the following version ranges:

Patch Status

Fixed releases per the NVD configuration data: 20.9.8.2, 20.12.5.3, 20.15.4.2, and 20.18.2.1. See the Cisco PSIRT advisory for the authoritative upgrade guidance.
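
The following added example, which is not code from Cisco, CISA or NVD, triages an inventory of SD-WAN Manager versions against the four fixed releases listed above. It assumes a build is compared only with the fixed release of its own major.minor train, and the hostnames and versions in `INVENTORY` are constructed; trains not listed here are reported as unknown rather than guessed.

```python
# Added example: triage an inventory against the fixed releases on this page.
# Assumption: a build is compared only with the fixed release of its own
# major.minor train; other trains are reported as unknown, not guessed.

FIXED = ("20.9.8.2", "20.12.5.3", "20.15.4.2", "20.18.2.1")  # from this page

def parse(version):
    """Turn '20.12.5.3' into (20, 12, 5, 3); raise ValueError otherwise."""
    parts = version.strip().split(".")
    if len(parts) < 2 or not all(p.isdecimal() for p in parts):
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in parts)

FIXED_BY_TRAIN = {parse(v)[:2]: parse(v) for v in FIXED}

def pad(parts, width=4):
    """Right-pad with zeros so 20.12.5 compares as 20.12.5.0."""
    return parts + (0,) * (width - len(parts))

def triage(version):
    """Return 'fixed', 'needs-upgrade', 'unknown-train' or 'unparseable'."""
    try:
        parsed = parse(version)
    except ValueError:
        return "unparseable"
    fixed = FIXED_BY_TRAIN.get(parsed[:2])
    if fixed is None:
        return "unknown-train"  # consult the Cisco PSIRT advisory
    # Numeric tuple comparison, so 20.9.10 sorts above 20.9.8.2.
    return "fixed" if pad(parsed) >= pad(fixed) else "needs-upgrade"

# Constructed sample inventory: hostnames and versions are made up.
INVENTORY = {
    "sdwan-mgr-01": "20.12.5.3",
    "sdwan-mgr-02": "20.12.5",
    "sdwan-mgr-03": "20.9.10",
    "sdwan-mgr-04": "20.6.3",
    "sdwan-mgr-05": "unknown",
}

def report(inventory):
    return {host: triage(ver) for host, ver in inventory.items()}

if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host:14} {INVENTORY[host]:12} {status}")
```

Hosts reported as `unknown-train` or `unparseable` need a manual check against the Cisco PSIRT advisory before they are counted as remediated.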

CISA's required action: follow the mitigations in Emergency Directive 26-03 and the supplemental "Hunt & Hardening Guidance for Cisco SD-WAN Devices," apply BOD 22-01 for cloud services, or discontinue use of the product if mitigations are not available.

Sources