Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Primary rating from Vendor (cisco) · only source for this CVE.
CVSS VectorVendor: cisco
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
A vulnerability in the web UI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an authenticated, remote attacker with read-only permissions to modify configurations and perform unauthorized actions on an affected system.
This vulnerability exists because of a failure to redact sensitive information within device configurations and templates. An attacker could exploit this vulnerability by elevating their read-only permissions to those of a high-privileged user. A successful exploit could allow the attacker to access or modify configuration settings within Cisco Catalyst SD-WAN Manager as a high-privileged user.
AnalysisAI
Cisco Catalyst SD-WAN Manager web UI fails to properly redact sensitive information in device configurations and templates, allowing authenticated users with read-only permissions to extract and leverage privileged credentials to escalate their access and modify system configurations. The vulnerability affects all versions of the product and requires only network access and valid (albeit minimal) read-only credentials; successful exploitation grants attackers high-privileged administrative capability over the SD-WAN fabric.
Technical ContextAI
Cisco Catalyst SD-WAN Manager is a centralized management platform for SD-WAN deployments. The vulnerability stems from CWE-779 (Improper Log Redaction of Sensitive Information), where sensitive data such as API tokens, passwords, or pre-authentication credentials embedded in device configuration templates are not properly masked or removed before being presented to low-privileged users via the web UI. An attacker with read-only role access can extract these credentials from configuration or template endpoints, then use them to assume a higher-privileged context. The CPE cpe:2.3:a:cisco:cisco_catalyst_sd-wan_manager:*:*:*:*:*:*:*:* indicates the vulnerability affects all versions of the product line.
RemediationAI
Apply the vendor-released patch from Cisco as documented in the advisory https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-mltvnps2-JxpWm7R (note: exact patched versions not provided in available data - consult advisory for your release train). Pending patch deployment, implement compensating controls: (1) Restrict read-only role assignment to trusted internal personnel only; revoke read-only access for contractors, temporary staff, or third-party integrations not requiring configuration visibility-this eliminates the attacker prerequisite of valid credentials. (2) Enable and audit web UI activity logging for all configuration and template retrieval operations; escalate any read-only user accessing device templates or configurations containing sensitive fields. (3) Implement network-level access controls to limit SD-WAN Manager web UI access (typically HTTPS port 443) to a jumphost or management network, reducing the pool of authenticated users who can reach the vulnerable interface. (4) Rotate all API tokens, device credentials, and pre-shared secrets stored in device configurations and templates immediately after patching, as these are readable by current read-only users. The first control (credential restriction) is most effective but may impact legitimate use cases; audit and adjust RBAC before enforcement.
Remote unauthenticated attackers can bypass peering authentication in Cisco Catalyst SD-WAN Controller (vSmart) and SD-W
Arbitrary file write via path traversal in Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage) allows an authenticat
Remote file disclosure in Cisco Catalyst SD-WAN Manager allows unauthenticated attackers to read arbitrary system files
Cisco Catalyst SD-WAN Manager's web interface contains a reflected cross-site scripting (XSS) vulnerability that require
Privilege escalation in Cisco Catalyst SD-WAN Manager allows authenticated users with read-only permissions to elevate p
Same weakness CWE-779 – Logging of Excessive Data
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30326
GHSA-m7f8-vg5v-4m9m