CVE-2026-20122

Published Feb 25, 2026

Last updated 5 days ago

CVSS medium 5.4
OT

Overview

Description
A vulnerability in the API of Cisco Catalyst SD-WAN Manager could allow an authenticated, remote attacker to overwrite arbitrary files on the local file system. To exploit this vulnerability, the attacker must have valid read-only credentials with API access on the affected system. This vulnerability is due to improper file handling on the API interface of an affected system. An attacker could exploit this vulnerability by uploading a malicious file on the local file system. A successful exploit could allow the attacker to overwrite arbitrary files on the affected system and gain vmanage user privileges.
Source
psirt@cisco.com
NVD status
Analyzed
Products
catalyst_sd-wan_manager

Risk scores

CVSS 3.1

Type
Primary
Base score
5.4
Impact score
2.5
Exploitability score
2.8
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Severity
MEDIUM

Weaknesses

psirt@cisco.com
CWE-648

Social media

Hype score
Not currently trending

  1. PoC is now public for CVE-2026-20127 in Cisco Catalyst SD-WAN. UAT-8616 has been exploiting it since 2023, now anyone can try. Two more SD-WAN flaws also active: CVE-2026-20122 and CVE-2026-20128. Patch window is effectively closed. https://t.co/gZOpZQntR2

    @CybrPulse

    7 Mar 2026

    80 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  2. 🚨Cisco Catalyst SD-WANの脆弱性、さらに2件の悪用が明らかに:CVE-2026-20128、CVE-2026-20122 ⚠️米CISA、Apple製品の古い脆弱性3件をKEVカタログに追加(CVE-2023-43000、CVE-2021-30952、CVE-2023-41974) 〜サイバーアラート3月6日

    @MachinaRecord

    6 Mar 2026

    189 Impressions

    1 Retweet

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  3. 3 Cisco SD-WAN CVEs actively exploited in 8 days. Here's the scorecard: CVE-2026-20127 — CVSS 10.0 — Auth bypass zero-day — Exploited since 2023 CVE-2026-20128 — CVSS 5.5 — DCA credential leak — Exploited (confirmed March 5) CVE-2026-20122 — CVSS 7.1 — File overw

    @FirstPassLab

    5 Mar 2026

    101 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. telnetd in GNU inetutils through 2.7 allows an out-of-bounds write in the LINEMODE SLC (Set Local Characters) suboption handler because add_slc does not check whether the buffer is full.CVE-2026-32746
  2. A vulnerability in the Data Collection Agent (DCA) feature of Cisco Catalyst SD-WAN Manager could allow an unauthenticated, remote attacker to gain DCA user privileges on an affected system. This vulnerability is due to the presence of a credential file for the DCA user on an affected system. An attacker could exploit this vulnerability by sending a crafted HTTP request and reading the file that contains the DCA password from that affected system. A successful exploit could allow the attacker to access another affected system and gain DCA user privileges. Note: Cisco Catalyst SD-WAN Manager releases 20.18 and later are not affected by this vulnerability.CVE-2026-20128
  3. Cisco Catalyst SD-WAN Manager Exposure of Sensitive Information to an Unauthorized Actor VulnerabilityCVE-2026-20133
  4. A vulnerability in the API user authentication of Cisco Catalyst SD-WAN Manager could allow an unauthenticated, remote attacker to gain access to an affected system as a user who has the netadmin role. The vulnerability is due to improper authentication for requests that are sent to the API. An attacker could exploit this vulnerability by sending a crafted request to the API of an affected system. A successful exploit could allow the attacker to execute commands with the privileges of the netadmin role. Note: Cisco Catalyst SD-WAN Manager releases 20.18 and later are not affected by this vulnerability. CVE-2026-20129
  5. Cisco Catalyst SD-WAN Controller and Manager Authentication Bypass VulnerabilityCVE-2026-20127

References

Sources include official advisories and independent security research.