Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Primary rating from Vendor (cisco) · only source for this CVE.
CVSS VectorVendor: cisco
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
A vulnerability in the web UI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an authenticated, remote attacker with read-only permissions to elevate their privileges from low to high and perform actions as a high-privileged user.
This vulnerability exists because sensitive session information is recorded in audit logs. An attacker could exploit this vulnerability by elevating their read-only permissions in Cisco Catalyst SD-WAN Manager to those of a high-privileged user. A successful exploit could allow the attacker to perform actions as a high-privileged user.
AnalysisAI
Privilege escalation in Cisco Catalyst SD-WAN Manager allows authenticated users with read-only permissions to elevate privileges to high-privileged user level through exposure of sensitive session information in audit logs. An attacker with initial read-only access can extract high-privilege session credentials from audit logs and impersonate an administrator, bypassing intended access controls. CVSS score 5.4 (medium) reflects the requirement for initial authentication, though the ease of escalation (AC:L) and direct path to administrative capability represent significant risk in multi-tenant or shared SD-WAN deployments.
Technical ContextAI
Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage) is a centralized management platform for SD-WAN infrastructure. The vulnerability stems from CWE-779 (Improper Logging of Sensitive Information), where sensitive session tokens or authentication data associated with high-privileged accounts are logged in audit trails accessible to lower-privileged users. SD-WAN Manager's audit logging mechanism, intended for compliance and troubleshooting, inadvertently preserves session identifiers or credentials that can be replayed or used to establish authenticated sessions as privileged users. This breaks the principle of least privilege by allowing the audit system itself to become an escalation vector.
RemediationAI
Cisco has released security advisories at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk and https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-mltvnps2-JxpWm7R; consult these advisories immediately for patched version numbers and deployment guidance. Primary mitigation is upgrading Cisco Catalyst SD-WAN Manager to the patched release. Interim compensating controls include: (1) Restrict audit log access to administrators only, removing read-only user visibility of session data - trade-off is reduced auditability for non-admin staff; (2) Disable or restrict the audit logging feature if not required for compliance, eliminating the exposure vector - verify regulatory and operational requirements before disabling; (3) Implement network segmentation to limit which users can access the Manager's web UI, reducing the pool of low-privileged attackers; (4) Monitor audit logs for patterns indicating privilege escalation attempts (e.g., low-privilege users establishing high-privilege sessions shortly after audit log access). These controls do not fix the root cause and should be temporary pending patching.
Remote unauthenticated attackers can bypass peering authentication in Cisco Catalyst SD-WAN Controller (vSmart) and SD-W
Arbitrary file write via path traversal in Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage) allows an authenticat
Remote file disclosure in Cisco Catalyst SD-WAN Manager allows unauthenticated attackers to read arbitrary system files
Cisco Catalyst SD-WAN Manager's web interface contains a reflected cross-site scripting (XSS) vulnerability that require
Cisco Catalyst SD-WAN Manager web UI fails to properly redact sensitive information in device configurations and templat
Same weakness CWE-779 – Logging of Excessive Data
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30327
GHSA-f8xf-95r6-r95h