Improper Use of Privileged APIs in Cisco Catalyst SD-WAN Manager (CVE-2026-20122) — CISA Issues Emergency Directive ED 26-03
A vulnerability stemming from improper file handling in the API interface has been reported in Cisco Catalyst SD-WAN Manager (formerly vManage). CISA issued Emergency Directive ED 26-03 with an extremely short remediation deadline.
Key facts
- CVE ID: CVE-2026-20122
- CVSS base score: 5.4 MEDIUM
- CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
- Affected (vendor / product): Cisco Catalyst SD-WAN Manager
- CWE: CWE-648
- Exploitation: Listed in CISA KEV (exploitation confirmed)
- Remediation due: 2026-04-23 (U.S. federal civilian agencies, BOD 22-01)
Key points
- Affected product is Cisco Catalyst SD-WAN Manager (formerly vManage), a control point that centrally manages networks across many sites.
- The vulnerability is an incorrect use of privileged APIs; uploading a malicious file may lead to arbitrary file overwrite and acquisition of vmanage user privileges.
- The official NVD CVSS score is 5.4 (Medium), yet CISA added it to KEV and issued Emergency Directive ED 26-03.
- Added to KEV on April 20, 2026, with an extremely short remediation deadline of April 23, 2026.
- CISA calls for assessment and mitigation per ED 26-03 and the "Hunt & Hardening Guidance for Cisco SD-WAN," BOD 22-01 compliance, and discontinuation of use if mitigation is not possible.
SD-WAN Manager acts as a control point that consolidates the configuration and status of many distributed site networks into a single management console. Because it is the management foundation for SD-WAN (a wide-area network controlled by software), a takeover of this layer can affect not just individual devices but the organization's entire network, a risk profile shared by management products of this class. CVE-2026-20122 is recorded as stemming from improper file handling in the API interface (the point where programs exchange data), through which an attacker may upload a malicious file to the local file system, overwrite arbitrary files, and obtain the privileges of the vmanage user.
The official NVD CVSS score (a numeric measure of a vulnerability's severity) is 5.4 (Medium). At the same time, CISA (the U.S. Cybersecurity and Infrastructure Security Agency) treats this as a vulnerability with confirmed exploitation and issued Emergency Directive ED 26-03. It was added to the KEV catalog on April 20, 2026, with a remediation deadline of April 23, 2026 — an extremely short window. CISA calls for exposure assessment and mitigation in line with ED 26-03 and the "Hunt & Hardening Guidance for Cisco SD-WAN," compliance with Binding Operational Directive BOD 22-01, and discontinuation of use where mitigation is not possible.
This case plainly illustrates the KEV philosophy: even a Medium score warrants top-priority action once exploitation is confirmed. Beyond the numeric severity, the presence of exploitation and the breadth of impact if the management foundation is compromised are reflected in the form of an emergency directive and a short deadline.
Why it matters
Because SD-WAN Manager is the management foundation that ties site networks together, a compromise could affect not just individual devices but the organization's entire network. Although the CVSS is Medium (5.4), CISA issued Emergency Directive ED 26-03 in light of confirmed exploitation and set an extremely short window from KEV addition (April 20, 2026) to the remediation deadline (April 23, 2026). It is a case that shows the importance of judging priority not by numeric severity alone, but together with exploitation status and breadth of impact.
FAQ
Why did CISA issue an emergency directive when the CVSS is Medium (5.4)?
Why is the impact significant if SD-WAN Manager is taken over?
What actions does CISA require?
Sources (primary)
This article is an independent summary compiled from the U.S. official data sources below. Always verify the exact, latest details and applicability with the official and vendor sources.
- CISA KEV Catalog (known exploited list)
- NVD (CVE details / CVSS)
- Vendor / reference advisory
- This product uses data from the NVD API but is not endorsed or certified by the NVD. KEV data is CC0 (public domain).