🟢 CVE-2022-20775

CVE-2022-20775 is a local privilege escalation vulnerability in Cisco SD-WAN Software CLI that allows authenticated, local attackers to execute commands as root. While the affected products are commonly internet-facing, the vulnerability itself requires existing local access and cannot be directly exploited over the internet.

Risk Level: LOW_RISK
CVSS Score: 7.8
Attack Vector: LOCAL
ATT&CK Tactic: Privilege Escalation
ATT&CK Technique: T1068 — Exploitation for Privilege Escalation
Deployment Risk: HIGH
Ransomware: No

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: OTHER

CVE Published: 2022-09-30

Added to CISA KEV: 2026-02-25 (1244 days between CVE publication and KEV listing)

🎯 Recommendations:

🔍 Web Intelligence (Kagi · 2026-06-04)

CVE-2022-20775 is a high-severity vulnerability in the command-line interface (CLI) of Cisco SD-WAN Software, characterized by improper access controls that allow for privilege escalation [2] [3].

Active Exploitation and Threat Actors
As of February 2026, CVE-2022-20775 has been identified as being under active exploitation in the wild [4]. It has been linked to targeted operations against federal networks and other organizations worldwide [5] [4]. Cisco Talos has attributed this activity to UAT-8616, a highly sophisticated threat actor active since at least 2023 [1].
Attack Method and Requirements
  • Exploitation Type: The vulnerability is classified as a path traversal issue that allows an authenticated attacker to execute arbitrary commands with root privileges [1].
  • Requirements: It requires the attacker to be authenticated and have local access to the application CLI [2].
  • Chaining: Threat actors have been observed chaining this vulnerability with others (such as CVE-2026-20127) to bypass authentication, escalate privileges, and establish persistence on Catalyst SD-WAN systems [1].
Impact
Successful exploitation provides an attacker with elevated (root) privileges on the affected system [2] [1]. This level of access allows for full control over the compromised device, facilitating further malicious operations within the network.
Patch and Mitigation Status
  • Status: Cisco has released security advisories and patches to address these vulnerabilities. Organizations are strongly advised to apply the latest updates provided by Cisco to mitigate the risk of exploitation [3].
  • Availability: While specific version numbers vary by deployment, users should consult the official [Cisco Security Advisory](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sd-wan-priv-E6e8tEdF) for the most accurate information regarding affected versions and the corresponding fixed software releases.

Sources

  1. Cisco Patches Catalyst SD-WAN Zero-Day Exploited by Highly ...

    The attacks were attributed by Cisco Talos to UAT-8616, a “highly sophisticated cyber threat actor” that has been active since at least 2023. ... CVE-2022-20775, disclosed in September 2022, is a high-severity path traversal issue that allows an authenticated attacker to execute arbitrary commands w…

  2. NVD - CVE-2022-20775

    CVE-2022-20775 Detail Description A vulnerability in the CLI of Cisco SD-WAN Software could allow an authenticated, local attacker to gain elevated privileges. This vulnerability is due to improper access controls on commands within the application CLI.

  3. Cisco SD-WAN Software Privilege Escalation Vulnerabilities

    Multiple vulnerabilities in the CLI of Cisco SD-WAN Software could allow an authenticated, local attacker to gain elevated privileges. These vulnerabilities are due to improper access controls on commands within the application CLI. An attacker could exploit these vulnerabilities by running a malici…

  4. Cisco SD WAN vulnerabilities (CVE-2026-20127, CVE-2022-20775 ...

    CVE-2022-20775 could enable an authenticated local attacker to escalate their privileges. The activity has been linked to ongoing malicious ... Cisco SD-WAN vulnerabilities (CVE-2026-20127, CVE-2022-20775) in active exploitation. CVE-2026-20127 can lead to a remote…

  5. Malicious cyber actors are targeting and compromising Cisco SD ...

    Malicious cyber actors are targeting and compromising Cisco SD-WAN systems deployed by organizations worldwide. These actors have exploited ...