🔴 CVE-2026-20122

CVE-2026-20122 is a critical arbitrary file overwrite vulnerability in Cisco Catalyst SD-WAN Manager's API that allows authenticated attackers to gain elevated privileges. This vulnerability is actively exploited in the wild and listed in CISA's KEV catalog.

Risk Level: HIGH_RISK

CVSS Score: 5.4

Attack Vector: NETWORK

ATT&CK Tactic: Initial Access

ATT&CK Technique: T1190 — Exploit Public-Facing Application

Deployment Risk: HIGH

Ransomware: No

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2026-02-25

Added to CISA KEV: 2026-04-20 (54 days between CVE and KEV)

🎯 Recommendations:

🔍 Web Intelligence (Kagi · 2026-04-20)

Regarding CVE-2026-20122, here's what is known about its exploitation:

  • CISA Known Exploited Vulnerabilities (KEV) Status: CVE-2026-20122 has been added to the CISA Known Exploited Vulnerabilities (KEV) Catalog [2]. This addition is based on evidence of active exploitation [2]. The KEV Catalog serves as an authoritative source of vulnerabilities that have been exploited in the wild, and organizations are advised to use it for prioritizing vulnerability management [4][5].
  • Evidence of Active Exploitation: The inclusion of CVE-2026-20122 in the KEV Catalog directly indicates that there is evidence of active exploitation in the wild [2].
  • Attack Vectors and Exploitation Methods: The vulnerability stems from improper file handling on the API interface of an affected system, and exploitation relies on that improper file handling [1].
  • Internet-Facing Applications or Services: While the vulnerability is related to an API interface, the provided information does not explicitly state whether it affects internet-facing applications or services. However, API interfaces are often exposed externally, suggesting a potential for internet-facing impact.
  • Targeted Attacks: The provided information does not specify whether CVE-2026-20122 has been used in targeted attacks.
  • Technical Details about Internet Exploitability: The technical detail available is that the vulnerability is due to improper file handling on the API interface [1]. Further specific technical details regarding internet exploitability are not detailed in the provided sources.

It is important to note that CVE-2026-20122 is distinct from CVE-2023-20122, which involves vulnerabilities in the restricted shell of Cisco Evolved Programmable Network Manager (EPNM), Cisco Identity Services Engine (ISE), and Cisco Prime Infrastructure [3].

Sources

  1. CVE-2026-20122 - National Vulnerability Database

    This vulnerability is due to improper file handling on the API interface of an affected system. An attacker could exploit this vulnerability by ...

  2. CISA Adds One Known Exploited Vulnerability to Catalog | CISA

    CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

  3. NVD - CVE-2023-20122

    CVE-2023-20122 Detail. Multiple vulnerabilities in the restricted shell of Cisco Evolved Programmable Network Manager (EPNM), Cisco Identity Services Engine (ISE), and Cisco Prime Infrastructure could allow an authenticated, local attacker to escape the restricted shell and gai…

  4. Known Exploited Vulnerabilities Catalog - CISA

    For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild. Organizations should use the KEV catal…

  5. The Kev Catalog

    A list of Known Exploited Vulnerabilities.