CISA KEV Alert 4/21/2026, 12:21:34 AM

CISA Adds CVE-2026-20122 to Known Exploited Vulnerabilities Catalogue

CyberSIXT Evidence Panel: source marked as original reporting
Primary Source: cisa.gov
CISA KEV: Listed in KEV
Patch: Patch Available

CISA has added CVE-2026-20122 to its Known Exploited Vulnerabilities catalogue. The entry concerns Cisco’s Catalyst SD-WAN Manager and is titled “Cisco Catalyst SD-WAN Manager Incorrect Use of Privileged APIs Vulnerability”. The flaw stems from improper file handling on the API interface, which allows an attacker to upload a malicious file, overwrite arbitrary files and gain vmanage user privileges.

The vulnerability is a privilege-escalation issue caused by incorrect use of privileged APIs. An attacker with local access to the system can exploit the API to place a malicious file, which, when processed, overwrites existing files and elevates the attacker to vmanage privileges. The CVSS score is 5.4, rated MEDIUM, and a patch is available from Cisco (see the advisory link).

Active exploitation has been confirmed, which is why the CVE appears in the KEV catalogue; there is no publicly known ransomware campaign linked to this flaw at present. CISA has set a remediation deadline of 26 April 2026 for federal civilian executive branch (FCEB) agencies to apply the mitigations.

CISA’s required action is to follow its guidelines for assessing exposure and mitigating risks associated with Cisco SD-WAN devices, as outlined in Emergency Directive 26-03 and the “Hunt & Hardening Guidance for Cisco SD-WAN Devices”. Organisations should follow the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations cannot be applied. While FCEB agencies must comply by the deadline, all organisations are urged to review their Cisco SD-WAN Manager deployments for exposure.

For full details, see the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2026-20122 and the CISA KEV catalogue at https://www.cisa.gov/known-exploited-vulnerabilities-catalog.


Article by CyberSIXT