<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Sd-Wan — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/sd-wan/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 21 Apr 2026 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/sd-wan/feed.xml" rel="self" type="application/rss+xml"/><item><title>Cisco Catalyst SD-WAN Manager Password Disclosure Vulnerability (CVE-2026-20128)</title><link>https://feed.craftedsignal.io/briefs/2026-04-cisco-sdwan-password-disclosure/</link><pubDate>Tue, 21 Apr 2026 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-cisco-sdwan-password-disclosure/</guid><description>Cisco Catalyst SD-WAN Manager stores passwords in a recoverable format, allowing an authenticated local attacker to gain DCA user privileges by accessing a credential file.</description><content:encoded><![CDATA[<p>Cisco Catalyst SD-WAN Manager is affected by a vulnerability (CVE-2026-20128) that allows for the disclosure of stored passwords. An authenticated, local attacker with low privileges can exploit this vulnerability by accessing a credential file on the filesystem. Successful exploitation grants the attacker DCA user privileges, potentially leading to unauthorized access and control over the SD-WAN environment. CISA has issued Emergency Directive 26-03 and associated guidance to mitigate risks associated with Cisco SD-WAN devices. 
This vulnerability highlights the importance of proper credential management and access controls in network management systems.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains low-privileged access to the Cisco Catalyst SD-WAN Manager system through legitimate credentials or other vulnerabilities.</li>
<li>The attacker navigates the filesystem to locate the DCA user&rsquo;s credential file.</li>
<li>The attacker reads the credential file, which contains the DCA user&rsquo;s password in a recoverable format.</li>
<li>The attacker decodes or decrypts the password using readily available tools or techniques.</li>
<li>The attacker uses the recovered DCA user credentials to authenticate to the SD-WAN Manager with elevated privileges.</li>
<li>The attacker leverages the DCA user privileges to perform unauthorized configuration changes or access sensitive data.</li>
<li>The attacker potentially pivots to other systems or network segments accessible through the SD-WAN infrastructure.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability allows an attacker to gain complete control over the Cisco Catalyst SD-WAN Manager. This could lead to significant disruption of network services, data breaches, and potential compromise of connected systems. The impact is magnified by the widespread use of SD-WAN in enterprise environments, making this a critical vulnerability for organizations utilizing Cisco Catalyst SD-WAN Manager.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Review and apply the mitigations outlined in CISA&rsquo;s Emergency Directive 26-03 and associated guidance for Cisco SD-WAN devices, as referenced in the overview.</li>
<li>Monitor file access events on the Cisco Catalyst SD-WAN Manager system for suspicious access patterns to credential files using the <code>Detect Suspicious SD-WAN Credential File Access</code> Sigma rule.</li>
<li>Implement stricter access controls and password policies on the Cisco Catalyst SD-WAN Manager to prevent unauthorized access.</li>
<li>Apply the security updates provided by Cisco to patch CVE-2026-20128 as they become available.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>cve-2026-20128</category><category>credential-access</category><category>sd-wan</category><category>cisco</category></item><item><title>Cisco Catalyst SD-WAN Manager Incorrect Use of Privileged APIs Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2026-04-cisco-sdwan-privilege-escalation/</link><pubDate>Tue, 21 Apr 2026 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-cisco-sdwan-privilege-escalation/</guid><description>Cisco Catalyst SD-WAN Manager contains an incorrect use of privileged APIs vulnerability due to improper file handling on the API interface, allowing an attacker to upload a malicious file and overwrite arbitrary files to gain vmanage user privileges.</description><content:encoded><![CDATA[<p>Cisco Catalyst SD-WAN Manager is vulnerable to an incorrect use of privileged APIs. This flaw stems from improper file handling within the API interface. An attacker can exploit this vulnerability by uploading a malicious file to the local file system. Successful exploitation allows an attacker to overwrite arbitrary files on the affected system and ultimately gain vmanage user privileges. CISA has released Emergency Directive 26-03 and associated hunt/hardening guidance in response to active exploitation of Cisco SD-WAN vulnerabilities. This issue poses a significant risk to organizations utilizing affected Cisco SD-WAN deployments, as it allows for privilege escalation and potential compromise of the entire SD-WAN infrastructure.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies a vulnerable Cisco Catalyst SD-WAN Manager instance with an exposed API interface.</li>
<li>The attacker crafts a malicious file designed to exploit the improper file handling vulnerability (CVE-2026-20122).</li>
<li>The attacker uploads the malicious file to the SD-WAN Manager via the vulnerable API endpoint.</li>
<li>Due to improper file handling, the uploaded file is written to an arbitrary location on the file system.</li>
<li>The malicious file overwrites a critical system file, such as a configuration file or a binary executable used by the vmanage user.</li>
<li>The attacker triggers a system event or restarts a service that uses the overwritten file.</li>
<li>The compromised service or application now executes with the attacker&rsquo;s injected code, granting the attacker vmanage user privileges.</li>
<li>The attacker leverages the vmanage user privileges to further compromise the system or the SD-WAN infrastructure.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability (CVE-2026-20122) allows an attacker to overwrite arbitrary files and gain vmanage user privileges on the Cisco Catalyst SD-WAN Manager. This can lead to a complete compromise of the SD-WAN management plane, allowing the attacker to reconfigure the network, intercept traffic, or deploy further malicious payloads to connected devices. Given the critical role of SD-WAN in modern network infrastructure, a successful attack can have widespread impact, affecting business operations and data security. CISA&rsquo;s involvement via Emergency Directive 26-03 indicates that this vulnerability is likely under active exploitation.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately apply the mitigations recommended by CISA in Emergency Directive 26-03 and the associated hunt/hardening guidance to reduce exposure to this vulnerability.</li>
<li>Implement file integrity monitoring on critical system files on the Cisco Catalyst SD-WAN Manager to detect unauthorized modifications.</li>
<li>Deploy the Sigma rules provided below to your SIEM to detect potential exploitation attempts.</li>
<li>Review and harden the API interface of the SD-WAN Manager to prevent unauthorized file uploads.</li>
<li>Follow applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">threat</category><category>cve-2026-20122</category><category>privilege-escalation</category><category>sd-wan</category></item><item><title>Critical RCE Vulnerability in Cisco Catalyst SD-WAN Controller</title><link>https://feed.craftedsignal.io/briefs/2026-02-cisco-sdwan-rce/</link><pubDate>Fri, 27 Feb 2026 10:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-02-cisco-sdwan-rce/</guid><description>A critical remote code execution vulnerability exists in Cisco Catalyst SD-WAN Controllers (CVE-2026-20127) due to improper authentication, allowing unauthenticated remote attackers to bypass authentication and gain administrative privileges, potentially leading to network configuration manipulation.</description><content:encoded>&lt;p>A critical vulnerability, CVE-2026-20127, affects Cisco Catalyst SD-WAN Controllers. The vulnerability stems from an improper authentication mechanism, which can be exploited by unauthenticated remote attackers. Successful exploitation allows bypassing authentication and gaining administrative privileges. This access could allow the attacker to log in as a high-privileged, non-root user, gaining access to NETCONF, and enabling the manipulation of the SD-WAN fabric&amp;rsquo;s network configuration. The…&lt;/p>
</content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>cisco</category><category>sd-wan</category><category>rce</category><category>vulnerability</category></item><item><title>Cisco Catalyst SD-WAN Manager Information Disclosure Vulnerability (CVE-2026-20133)</title><link>https://feed.craftedsignal.io/briefs/2024-01-cisco-sdwan-info-disclosure/</link><pubDate>Fri, 19 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-cisco-sdwan-info-disclosure/</guid><description>Cisco Catalyst SD-WAN Manager contains an information disclosure vulnerability (CVE-2026-20133) that could allow remote attackers to view sensitive information on affected systems, requiring immediate patching or mitigation.</description><content:encoded><![CDATA[<p>Cisco Catalyst SD-WAN Manager is susceptible to an information disclosure vulnerability, identified as CVE-2026-20133. The vulnerability allows unauthorized remote attackers to potentially gain access to sensitive information residing on affected systems. While the exact nature of the disclosed information isn&rsquo;t specified in the advisory, it could encompass configuration details, user credentials, or other sensitive data critical for the secure operation of the SD-WAN environment. CISA has issued Emergency Directive 26-03 and associated guidance, highlighting the severity and urging immediate action. The directive impacts organizations utilizing Cisco SD-WAN devices and emphasizes the need for thorough risk assessment and implementation of provided mitigation strategies.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Vulnerability Discovery:</strong> An attacker identifies a publicly accessible endpoint or API within the Cisco Catalyst SD-WAN Manager that is vulnerable to CVE-2026-20133.</li>
<li><strong>Unauthorized Request:</strong> The attacker crafts a malicious HTTP request targeting the vulnerable endpoint, exploiting the lack of proper authorization checks or input validation.</li>
<li><strong>Information Exposure:</strong> The SD-WAN Manager processes the request and, due to the vulnerability, inadvertently discloses sensitive information. This could be in the form of a file, database content, or API response.</li>
<li><strong>Data Extraction:</strong> The attacker captures the exposed data from the response, potentially including configuration files, usernames, passwords, or other sensitive credentials.</li>
<li><strong>Credential Compromise:</strong> The attacker uses the extracted credentials to gain unauthorized access to other systems within the SD-WAN environment or the broader network.</li>
<li><strong>Lateral Movement:</strong> Leveraging compromised credentials, the attacker moves laterally across the network, targeting critical systems and data.</li>
<li><strong>Data Exfiltration / System Compromise:</strong> The attacker exfiltrates sensitive data or achieves complete system compromise, depending on the attacker&rsquo;s objectives.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-20133 can lead to significant consequences, including the compromise of sensitive data, unauthorized access to critical systems, and potential disruption of network operations. Given the central role of SD-WAN managers in controlling network traffic and security policies, a successful attack can have a wide-ranging impact. The number of potentially affected organizations is substantial due to the widespread adoption of Cisco SD-WAN solutions. The impact can include data breaches, financial loss, reputational damage, and regulatory penalties.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately assess your exposure to CVE-2026-20133 by following CISA’s Emergency Directive 26-03 mitigation instructions.</li>
<li>Apply the necessary patches or workarounds provided by Cisco to remediate the vulnerability as outlined in Cisco&rsquo;s security advisory.</li>
<li>If patches are unavailable or cannot be immediately applied, implement the hardening guidance provided in CISA’s “Hunt &amp; Hardening Guidance for Cisco SD-WAN Devices”.</li>
<li>For cloud-based deployments, adhere to the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available.</li>
<li>Deploy the following Sigma rule to detect suspicious HTTP requests targeting potentially vulnerable endpoints of the Cisco Catalyst SD-WAN Manager.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>cve</category><category>vulnerability</category><category>cisco</category><category>sd-wan</category></item></channel></rss>