{"uuid": "b24f0b20-207c-4881-af91-eb1d15b224ba", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "name": "Cisco Catalyst SD-WAN Vulnerabilities", "description": "# Cisco Catalyst SD-WAN Vulnerabilities\n*   These vulnerabilities are not dependent on one another. Exploitation of one of the vulnerabilities is not required to exploit another vulnerability.\n    \n    Details about the vulnerabilities are as follows:\n    \n    **CVE-2026-20129: Cisco Catalyst SD-WAN Manager Authentication Bypass Vulnerability**\n    \n    A vulnerability in the API user authentication of Cisco Catalyst SD-WAN Manager could allow an unauthenticated, remote attacker to gain access to an affected system as a user who has the _netadmin_ role.\n    \n    The vulnerability is due to improper authentication for requests that are sent to the API. An attacker could exploit this vulnerability by sending a crafted request to the API of an affected system. A successful exploit could allow the attacker to execute commands with the privileges of the _netadmin_ role.\n    \n    **Note:** Cisco Catalyst SD-WAN Manager releases 20.18 and later are not affected by this vulnerability.\n    \n    Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.\n    \n    Bug ID(s): [CSCws33587](https://bst.cisco.com/bugsearch/bug/CSCws33587)  \n    CVE ID: CVE-2026-20129  \n    Security Impact Rating (SIR): Critical  \n    CVSS Base Score: 9.8  \n    CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n    \n    **CVE-2026-20126: Cisco Catalyst SD-WAN Manager Privilege Escalation Vulnerability**\n    \n    A vulnerability in Cisco Catalyst SD-WAN Manager could allow an authenticated, local attacker with low privileges to gain _root_ privileges on the underlying operating system.\n    \n    This vulnerability is due to an insufficient user authentication mechanism in the REST API. An attacker could exploit this vulnerability by sending a request to the REST API of the affected system. A successful exploit could allow the attacker to gain _root_ privileges on the underlying operating system.\n    \n    Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.\n    \n    Bug ID(s): [CSCws93470](https://bst.cisco.com/bugsearch/bug/CSCws93470)  \n    CVE ID: CVE-2026-20126  \n    Security Impact Rating (SIR): High  \n    CVSS Base Score: 7.8  \n    CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n    \n    **CVE-2026-20133: Cisco Catalyst SD-WAN Manager Information Disclosure Vulnerability**\n    \n    A vulnerability in Cisco Catalyst SD-WAN Manager could allow an unauthenticated, remote attacker to view sensitive information on an affected system.\n    \n    This vulnerability is due to insufficient file system access restrictions. An attacker could exploit this vulnerability by accessing the API of an affected system. A successful exploit could allow the attacker to read sensitive information on the underlying operating system.\n    \n    Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.\n    \n    Bug ID(s): [CSCws33583](https://bst.cisco.com/bugsearch/bug/CSCws33583)  \n    CVE ID: CVE-2026-20133  \n    Security Impact Rating (SIR): High  \n    CVSS Base Score: 7.5  \n    CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n    \n    **CVE-2026-20122: Cisco Catalyst SD-WAN Manager Arbitrary File Overwrite Vulnerability**\n    \n    A vulnerability in the API of Cisco Catalyst SD-WAN Manager could allow an authenticated, remote attacker to overwrite arbitrary files on the local file system. To exploit this vulnerability, the attacker must have valid _read-only_ credentials with API access on the affected system.\n    \n    This vulnerability is due to improper file handling on the API interface of an affected system. An attacker could exploit this vulnerability by uploading a malicious file on the local file system. A successful exploit could allow the attacker to overwrite arbitrary files on the affected system and gain _vmanage_ user privileges.\n    \n    Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.\n    \n    Bug ID(s): [CSCws33584](https://bst.cisco.com/bugsearch/bug/CSCws33584), [CSCws33586](https://bst.cisco.com/bugsearch/bug/CSCws33586)  \n    CVE ID: CVE-2026-20122  \n    Security Impact Rating (SIR): High  \n    CVSS Base Score: 7.1  \n    CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L\n    \n    **CVE-2026-20128: Cisco Catalyst SD-WAN Manager Information Disclosure Vulnerability**\n    \n    A vulnerability in the Data Collection Agent (DCA) feature of Cisco Catalyst SD-WAN Manager could allow an authenticated, local attacker to gain DCA user privileges on an affected system. To exploit this vulnerability, the attacker must have valid _vmanage_ credentials on the affected system.\n    \n    This vulnerability is due to the presence of a credential file for the DCA user on an affected system. An attacker could exploit this vulnerability by accessing the filesystem as a low-privileged user and reading the file that contains the DCA password from that affected system. A successful exploit could allow the attacker to access another affected system and gain DCA user privileges.\n    \n    **Note:** Cisco Catalyst SD-WAN Manager releases 20.18 and later are not affected by this vulnerability.\n    \n    Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.\n    \n    Bug ID(s): [CSCws33585](https://bst.cisco.com/bugsearch/bug/CSCws33585)  \n    CVE ID: CVE-2026-20128  \n    Security Impact Rating (SIR): Medium  \n    CVSS Base Score: 5.5  \n    CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "creation_timestamp": "2026-02-25T16:34:22.909321+00:00", "timestamp": "2026-02-25T16:34:22.909321+00:00", "related_vulnerabilities": ["CVE-2026-20128", "CVE-2026-20129", "CVE-2026-20126", "CVE-2026-20133", "CVE-2026-20122"], "meta": [{"ref": ["https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-authbp-qwCX8D4v"]}], "author": {"login": "adulau", "name": "Alexandre Dulaunoy", "uuid": "c933734a-9be8-4142-889e-26e95c752803"}}