{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/sd-wan/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-20128"}],"_cs_exploited":false,"_cs_products":["Catalyst SD-WAN Manager"],"_cs_severities":["medium"],"_cs_tags":["cve-2026-20128","credential-access","sd-wan","cisco"],"_cs_type":"advisory","_cs_vendors":["Cisco"],"content_html":"\u003cp\u003eCisco Catalyst SD-WAN Manager is affected by a vulnerability (CVE-2026-20128) that allows for the disclosure of stored passwords. An authenticated, local attacker with low privileges can exploit this vulnerability by accessing a credential file on the filesystem. Successful exploitation grants the attacker DCA user privileges, potentially leading to unauthorized access and control over the SD-WAN environment. CISA has issued Emergency Directive 26-03 and associated guidance to mitigate risks associated with Cisco SD-WAN devices. This vulnerability highlights the importance of proper credential management and access controls in network management systems.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains low-privileged access to the Cisco Catalyst SD-WAN Manager system through legitimate credentials or other vulnerabilities.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates the filesystem to locate the DCA user\u0026rsquo;s credential file.\u003c/li\u003e\n\u003cli\u003eThe attacker reads the credential file, which contains the DCA user\u0026rsquo;s password in a recoverable format.\u003c/li\u003e\n\u003cli\u003eThe attacker decodes or decrypts the password using readily available tools or techniques.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the recovered DCA user credentials to authenticate to the SD-WAN Manager with elevated privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the DCA user privileges to perform unauthorized configuration changes or access sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker potentially pivots to other systems or network segments accessible through the SD-WAN infrastructure.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to gain complete control over the Cisco Catalyst SD-WAN Manager. This could lead to significant disruption of network services, data breaches, and potential compromise of connected systems. The impact is magnified by the widespread use of SD-WAN in enterprise environments, making this a critical vulnerability for organizations utilizing Cisco Catalyst SD-WAN Manager.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eReview and apply the mitigations outlined in CISA\u0026rsquo;s Emergency Directive 26-03 and associated guidance for Cisco SD-WAN devices, as referenced in the overview.\u003c/li\u003e\n\u003cli\u003eMonitor file access events on the Cisco Catalyst SD-WAN Manager system for suspicious access patterns to credential files using the \u003ccode\u003eDetect Suspicious SD-WAN Credential File Access\u003c/code\u003e Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement stricter access controls and password policies on the Cisco Catalyst SD-WAN Manager to prevent unauthorized access.\u003c/li\u003e\n\u003cli\u003eApply the security updates provided by Cisco to patch CVE-2026-20128 as they become available.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-21T12:00:00Z","date_published":"2026-04-21T12:00:00Z","id":"/briefs/2026-04-cisco-sdwan-password-disclosure/","summary":"Cisco Catalyst SD-WAN Manager stores passwords in a recoverable format, allowing an authenticated local attacker to gain DCA user privileges by accessing a credential file.","title":"Cisco Catalyst SD-WAN Manager Password Disclosure Vulnerability (CVE-2026-20128)","url":"https://feed.craftedsignal.io/briefs/2026-04-cisco-sdwan-password-disclosure/"},{"_cs_actors":[],"_cs_cves":[{"cvss":5.4,"id":"CVE-2026-20122"}],"_cs_exploited":true,"_cs_products":["Catalyst SD-WAN Manager"],"_cs_severities":["critical"],"_cs_tags":["cve-2026-20122","privilege-escalation","sd-wan"],"_cs_type":"threat","_cs_vendors":["Cisco"],"content_html":"\u003cp\u003eCisco Catalyst SD-WAN Manager is vulnerable to an incorrect use of privileged APIs. This flaw stems from improper file handling within the API interface. An attacker can exploit this vulnerability by uploading a malicious file to the local file system. Successful exploitation allows an attacker to overwrite arbitrary files on the affected system and ultimately gain vmanage user privileges. CISA has released Emergency Directive 26-03 and associated hunt/hardening guidance in response to active exploitation of Cisco SD-WAN vulnerabilities. This issue poses a significant risk to organizations utilizing affected Cisco SD-WAN deployments, as it allows for privilege escalation and potential compromise of the entire SD-WAN infrastructure.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable Cisco Catalyst SD-WAN Manager instance with an exposed API interface.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious file designed to exploit the improper file handling vulnerability (CVE-2026-20122).\u003c/li\u003e\n\u003cli\u003eThe attacker uploads the malicious file to the SD-WAN Manager via the vulnerable API endpoint.\u003c/li\u003e\n\u003cli\u003eDue to improper file handling, the uploaded file is written to an arbitrary location on the file system.\u003c/li\u003e\n\u003cli\u003eThe malicious file overwrites a critical system file, such as a configuration file or a binary executable used by the vmanage user.\u003c/li\u003e\n\u003cli\u003eThe attacker triggers a system event or restarts a service that uses the overwritten file.\u003c/li\u003e\n\u003cli\u003eThe compromised service or application now executes with the attacker\u0026rsquo;s injected code, granting the attacker vmanage user privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the vmanage user privileges to further compromise the system or the SD-WAN infrastructure.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability (CVE-2026-20122) allows an attacker to overwrite arbitrary files and gain vmanage user privileges on the Cisco Catalyst SD-WAN Manager. This can lead to a complete compromise of the SD-WAN management plane, allowing the attacker to reconfigure the network, intercept traffic, or deploy further malicious payloads to connected devices. Given the critical role of SD-WAN in modern network infrastructure, a successful attack can have widespread impact, affecting business operations and data security. CISA\u0026rsquo;s involvement via Emergency Directive 26-03 indicates that this vulnerability is likely under active exploitation.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately apply the mitigations recommended by CISA in Emergency Directive 26-03 and the associated hunt/hardening guidance to reduce exposure to this vulnerability.\u003c/li\u003e\n\u003cli\u003eImplement file integrity monitoring on critical system files on the Cisco Catalyst SD-WAN Manager to detect unauthorized modifications.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided below to your SIEM to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eReview and harden the API interface of the SD-WAN Manager to prevent unauthorized file uploads.\u003c/li\u003e\n\u003cli\u003eFollow applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-21T12:00:00Z","date_published":"2026-04-21T12:00:00Z","id":"/briefs/2026-04-cisco-sdwan-privilege-escalation/","summary":"Cisco Catalyst SD-WAN Manager contains an incorrect use of privileged APIs vulnerability due to improper file handling on the API interface, allowing an attacker to upload a malicious file and overwrite arbitrary files to gain vmanage user privileges.","title":"Cisco Catalyst SD-WAN Manager Incorrect Use of Privileged APIs Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-cisco-sdwan-privilege-escalation/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cisco","sd-wan","rce","vulnerability"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA critical vulnerability, CVE-2026-20127, affects Cisco Catalyst SD-WAN Controllers. The vulnerability stems from an improper authentication mechanism, which can be exploited by unauthenticated remote attackers. Successful exploitation allows bypassing authentication and gaining administrative privileges. This access could allow the attacker to log in as a high-privileged, non-root user, gaining access to NETCONF, and enabling the manipulation of the SD-WAN fabric\u0026rsquo;s network configuration. The…\u003c/p\u003e\n","date_modified":"2026-02-27T10:00:00Z","date_published":"2026-02-27T10:00:00Z","id":"/briefs/2026-02-cisco-sdwan-rce/","summary":"A critical remote code execution vulnerability exists in Cisco Catalyst SD-WAN Controllers (CVE-2026-20127) due to improper authentication, allowing unauthenticated remote attackers to bypass authentication and gain administrative privileges, potentially leading to network configuration manipulation.","title":"Critical RCE Vulnerability in Cisco Catalyst SD-WAN Controller","url":"https://feed.craftedsignal.io/briefs/2026-02-cisco-sdwan-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":6.5,"id":"CVE-2026-20133"}],"_cs_exploited":false,"_cs_products":["Catalyst SD-WAN Manager"],"_cs_severities":["high"],"_cs_tags":["cve","vulnerability","cisco","sd-wan"],"_cs_type":"advisory","_cs_vendors":["Cisco"],"content_html":"\u003cp\u003eCisco Catalyst SD-WAN Manager is susceptible to an information disclosure vulnerability, identified as CVE-2026-20133. The vulnerability allows unauthorized remote attackers to potentially gain access to sensitive information residing on affected systems. While the exact nature of the disclosed information isn\u0026rsquo;t specified in the advisory, it could encompass configuration details, user credentials, or other sensitive data critical for the secure operation of the SD-WAN environment. CISA has issued Emergency Directive 26-03 and associated guidance, highlighting the severity and urging immediate action. The directive impacts organizations utilizing Cisco SD-WAN devices and emphasizes the need for thorough risk assessment and implementation of provided mitigation strategies.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eVulnerability Discovery:\u003c/strong\u003e An attacker identifies a publicly accessible endpoint or API within the Cisco Catalyst SD-WAN Manager that is vulnerable to CVE-2026-20133.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eUnauthorized Request:\u003c/strong\u003e The attacker crafts a malicious HTTP request targeting the vulnerable endpoint, exploiting the lack of proper authorization checks or input validation.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInformation Exposure:\u003c/strong\u003e The SD-WAN Manager processes the request and, due to the vulnerability, inadvertently discloses sensitive information. This could be in the form of a file, database content, or API response.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Extraction:\u003c/strong\u003e The attacker captures the exposed data from the response, potentially including configuration files, usernames, passwords, or other sensitive credentials.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Compromise:\u003c/strong\u003e The attacker uses the extracted credentials to gain unauthorized access to other systems within the SD-WAN environment or the broader network.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e Leveraging compromised credentials, the attacker moves laterally across the network, targeting critical systems and data.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration / System Compromise:\u003c/strong\u003e The attacker exfiltrates sensitive data or achieves complete system compromise, depending on the attacker\u0026rsquo;s objectives.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-20133 can lead to significant consequences, including the compromise of sensitive data, unauthorized access to critical systems, and potential disruption of network operations. Given the central role of SD-WAN managers in controlling network traffic and security policies, a successful attack can have a wide-ranging impact. The number of potentially affected organizations is substantial due to the widespread adoption of Cisco SD-WAN solutions. The impact can include data breaches, financial loss, reputational damage, and regulatory penalties.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately assess your exposure to CVE-2026-20133 by following CISA’s Emergency Directive 26-03 mitigation instructions.\u003c/li\u003e\n\u003cli\u003eApply the necessary patches or workarounds provided by Cisco to remediate the vulnerability as outlined in Cisco\u0026rsquo;s security advisory.\u003c/li\u003e\n\u003cli\u003eIf patches are unavailable or cannot be immediately applied, implement the hardening guidance provided in CISA’s “Hunt \u0026amp; Hardening Guidance for Cisco SD-WAN Devices”.\u003c/li\u003e\n\u003cli\u003eFor cloud-based deployments, adhere to the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available.\u003c/li\u003e\n\u003cli\u003eDeploy the following Sigma rule to detect suspicious HTTP requests targeting potentially vulnerable endpoints of the Cisco Catalyst SD-WAN Manager.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-19T12:00:00Z","date_published":"2024-01-19T12:00:00Z","id":"/briefs/2024-01-cisco-sdwan-info-disclosure/","summary":"Cisco Catalyst SD-WAN Manager contains an information disclosure vulnerability (CVE-2026-20133) that could allow remote attackers to view sensitive information on affected systems, requiring immediate patching or mitigation.","title":"Cisco Catalyst SD-WAN Manager Information Disclosure Vulnerability (CVE-2026-20133)","url":"https://feed.craftedsignal.io/briefs/2024-01-cisco-sdwan-info-disclosure/"}],"language":"en","title":"CraftedSignal Threat Feed — Sd-Wan","version":"https://jsonfeed.org/version/1.1"}