Skip to main content

Cisco Catalyst SD-WAN Manager CVE-2026-20209

| EUVDEUVD-2026-30327 MEDIUM
Logging of Excessive Data (CWE-779)
2026-05-14 cisco GHSA-f8xf-95r6-r95h
5.4
CVSS 3.1 · Vendor: cisco
Share

Severity by source

Vendor (cisco) PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Primary rating from Vendor (cisco) · only source for this CVE.

CVSS VectorVendor: cisco

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
May 14, 2026 - 17:32 vuln.today
CVE Published
May 14, 2026 - 16:08 nvd
MEDIUM 5.4

DescriptionCVE.org

A vulnerability in the web UI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an authenticated, remote attacker with read-only permissions to elevate their privileges from low to high and perform actions as a high-privileged user.

This vulnerability exists because sensitive session information is recorded in audit logs. An attacker could exploit this vulnerability by elevating their read-only permissions in Cisco Catalyst SD-WAN Manager to those of a high-privileged user. A successful exploit could allow the attacker to perform actions as a high-privileged user.

AnalysisAI

Privilege escalation in Cisco Catalyst SD-WAN Manager allows authenticated users with read-only permissions to elevate privileges to high-privileged user level through exposure of sensitive session information in audit logs. An attacker with initial read-only access can extract high-privilege session credentials from audit logs and impersonate an administrator, bypassing intended access controls. CVSS score 5.4 (medium) reflects the requirement for initial authentication, though the ease of escalation (AC:L) and direct path to administrative capability represent significant risk in multi-tenant or shared SD-WAN deployments.

Technical ContextAI

Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage) is a centralized management platform for SD-WAN infrastructure. The vulnerability stems from CWE-779 (Improper Logging of Sensitive Information), where sensitive session tokens or authentication data associated with high-privileged accounts are logged in audit trails accessible to lower-privileged users. SD-WAN Manager's audit logging mechanism, intended for compliance and troubleshooting, inadvertently preserves session identifiers or credentials that can be replayed or used to establish authenticated sessions as privileged users. This breaks the principle of least privilege by allowing the audit system itself to become an escalation vector.

RemediationAI

Cisco has released security advisories at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk and https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-mltvnps2-JxpWm7R; consult these advisories immediately for patched version numbers and deployment guidance. Primary mitigation is upgrading Cisco Catalyst SD-WAN Manager to the patched release. Interim compensating controls include: (1) Restrict audit log access to administrators only, removing read-only user visibility of session data - trade-off is reduced auditability for non-admin staff; (2) Disable or restrict the audit logging feature if not required for compliance, eliminating the exposure vector - verify regulatory and operational requirements before disabling; (3) Implement network segmentation to limit which users can access the Manager's web UI, reducing the pool of low-privileged attackers; (4) Monitor audit logs for patterns indicating privilege escalation attempts (e.g., low-privilege users establishing high-privilege sessions shortly after audit log access). These controls do not fix the root cause and should be temporary pending patching.

Share

CVE-2026-20209 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy