
[CIVN-2026-0236] Multiple Vulnerabilities in Cisco Catalyst SD-WAN Products
Indian – Computer Emergency Response Team (https://www.cert-in.org.in)
Severity Rating: CRITICAL
Software Affected
Cisco Catalyst SD-WAN Manager
Cisco Catalyst SD-WAN Controller
Overview
Multiple vulnerabilities have been reported in Cisco Catalyst SD-WAN products that could allow a remote attacker to gain escalated privileges, bypass authentication, and access arbitrary files on the targeted system.
Target Audience:
All IT administrators and individuals responsible for maintaining and updating software.
Risk Assessment:
Critical risk of authentication bypass, privilege escalation, unauthorized configuration modification, and sensitive information disclosure.
Impact Assessment:
Potential for unauthorized elevated access, modification of network configurations, sensitive data exposure, and system disruption.
Description
1. Privilege Escalation Vulnerabilities (CVE-2026-20209, CVE-2026-20210)
These vulnerabilities exist due to sensitive session information being recorded in audit logs within the web UI of Cisco Catalyst SD-WAN Manager and improper redaction of sensitive information within device configurations and templates. An attacker can exploit these vulnerabilities by using read-only access privileges to obtain sensitive session information and elevate their permissions to those of a high-privileged user.
Successful exploitation of these vulnerabilities could allow an authenticated remote attacker with read-only permissions to perform actions as a high-privileged user, modify configurations, and gain unauthorized access to the targeted system.
2. XML External Entity Injection Vulnerability (CVE-2026-20224)
This vulnerability exists due to improper handling of XML External Entity (XXE) entries while parsing an XML file within the web UI of Cisco Catalyst SD-WAN Manager. An attacker can exploit this vulnerability by sending specially crafted requests to the vulnerable system.
Successful exploitation of this vulnerability could allow an attacker to read arbitrary files stored on the targeted system.
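A defensive illustration of the XXE class described in item 2, added here and not taken from the CERT-In note or from Cisco's code: a Python parser wrapper that refuses any DTD or entity construct in untrusted XML before it is processed. The element names, sample documents and placeholder URI are constructed for the example.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat


class ForbiddenXML(ValueError):
    """Untrusted XML contained a DTD or entity construct."""


def _reject(kind):
    # Build an expat callback that aborts the parse as soon as `kind` appears.
    def handler(*_args):
        raise ForbiddenXML(f"{kind} is not allowed in untrusted XML")
    return handler


def parse_untrusted(data: bytes) -> ET.Element:
    """Parse XML into an Element tree, refusing DTDs and all entity forms."""
    builder = ET.TreeBuilder()
    parser = expat.ParserCreate()
    parser.StartElementHandler = builder.start
    parser.EndElementHandler = builder.end
    parser.CharacterDataHandler = builder.data
    # Without a DOCTYPE no entity can be declared, so this check alone blocks
    # XXE; the remaining handlers are defence in depth.
    parser.StartDoctypeDeclHandler = _reject("DOCTYPE declaration")
    parser.EntityDeclHandler = _reject("entity declaration")
    parser.UnparsedEntityDeclHandler = _reject("unparsed entity declaration")
    parser.ExternalEntityRefHandler = _reject("external entity reference")
    parser.Parse(data, True)
    return builder.close()


def is_rejected(data: bytes) -> bool:
    """Return True when the document is refused for carrying a DTD/entity."""
    try:
        parse_untrusted(data)
    except ForbiddenXML:
        return True
    return False


# Constructed samples (hypothetical element names, placeholder URI).
BENIGN = b"<template><name>branch-01</name></template>"
WITH_EXTERNAL_ENTITY = (
    b'<!DOCTYPE template [<!ENTITY ext SYSTEM "https://example.invalid/x">]>'
    b"<template><name>&ext;</name></template>"
)
WITH_INTERNAL_ENTITY = (
    b'<!DOCTYPE template [<!ENTITY a "text">]><template>&a;</template>'
)
```

Malformed input still raises `expat.ExpatError`, so callers should treat both exception types as a rejected upload.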
3. Authentication Bypass Vulnerability (CVE-2026-20182)
This vulnerability exists in Cisco Catalyst SD-WAN Controller and Cisco Catalyst SD-WAN Manager due to improper functioning of the peering authentication mechanism during control connection handshaking. An attacker can exploit this vulnerability by sending specially crafted requests to the vulnerable system.
Successful exploitation of this vulnerability could allow an unauthenticated, remote attacker to bypass authentication, gain elevated privileges and modify sensitive network configuration on the targeted system.
Note: This vulnerability (CVE-2026-20182) is being actively exploited in the wild. Users are strongly advised to apply the latest patches immediately.
Solution
Apply appropriate security updates as mentioned in the Cisco advisories:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-mltvnps2-JxpWm7R
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa2-v69WY2SW
Vendor Information
Cisco
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-mltvnps2-JxpWm7R
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa2-v69WY2SW
References
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-mltvnps2-JxpWm7R
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa2-v69WY2SW
CVE Name
CVE-2026-20209
CVE-2026-20210
CVE-2026-20224
CVE-2026-20182
Thanks and Regards,
CERT-In
Incident Response Help Desk
e-mail: incident@cert-in.org.in
Phone: +91-11-22902657
Toll Free Number: 1800-11-4949
Toll Free Fax: 1800-11-6969
Web: http://www.cert-in.org.in
PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4
PGP Key information:
https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003


