Full-text search across 381 articles. Typo-tolerant.

Lyceum News Desk ·

[KEV] CVE-2026-20122 -- CVSS 0.0 Vulnerability Briefing

[KEV] CVE-2026-20122 | CVSS 0.0 (Low) | Exploit: Operational

What Is It

CVE-2026-20122 is a privilege escalation vulnerability in Cisco Catalyst SD-WAN Manager, stemming from incorrect use of privileged APIs and improper file handling on the system's API interface.

Technical Detail

The flaw exists in how Cisco Catalyst SD-WAN Manager processes file uploads through its API interface, where insufficient validation allows an attacker to upload a malicious file to the local file system. By exploiting this weakness, an attacker can overwrite arbitrary files on the affected system. Successful exploitation results in privilege escalation to vmanage user level, which carries significant administrative access over SD-WAN infrastructure.

Exploitation Status

CISA has confirmed active exploitation in the wild, having added this vulnerability to the Known Exploited Vulnerabilities catalog on April 20, 2026. The exploit is rated as operational in maturity, meaning functional exploit code capable of reliable, real-world use exists and has been observed being leveraged against targets. This is not a theoretical or proof-of-concept-only risk.

Who Is Targeting This

No specific threat actor attribution has been confirmed at this time. Given the nature of the affected product, SD-WAN management infrastructure, this class of vulnerability is historically of interest to state-sponsored actors and ransomware operators targeting network backbone systems, but no named group has been formally attributed to exploitation of this CVE.

What To Do

Per CISA's Known Exploited Vulnerabilities catalog, federal agencies operating under BOD 22-01 are required to apply vendor-supplied patches or implement mitigations by the deadline associated with the April 20, 2026 listing. All organizations running Cisco Catalyst SD-WAN Manager should treat this as a high-priority patch action regardless of the CVSS score, which does not reflect the confirmed in-the-wild exploitation. Administrators should review Cisco's security advisory for fixed software versions, restrict API interface exposure to trusted networks only, and audit vmanage user activity logs for anomalous file operations or unexpected privilege changes as potential indicators of compromise.