Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Primary rating from Vendor (cisco) · only source for this CVE.
CVSS VectorVendor: cisco
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
A vulnerability in the web UI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an unauthenticated, remote attacker to read arbitrary files that are stored in an affected system. The attacker does not need to have valid user credentials.
This vulnerability is due to improper handling of XML External Entity (XXE) entries when parsing an XML file. An attacker could exploit this vulnerability by sending a crafted request to an affected system. A successful exploit could allow the attacker to read arbitrary files that are stored in the affected system.
AnalysisAI
Remote file disclosure in Cisco Catalyst SD-WAN Manager allows unauthenticated attackers to read arbitrary system files via XML External Entity (XXE) injection in the web UI. The vulnerability affects the management interface with network-accessible attack vector, low complexity, and no required privileges (CVSS 8.6). Attackers can extract sensitive configuration files, credentials, and operational data from the SD-WAN management platform. EPSS data not provided; exploitation status unknown but the unauthenticated remote vector and publicly disclosed Cisco advisory elevate real-world risk for internet-exposed instances.
Technical ContextAI
This is an XML External Entity (XXE) injection vulnerability (CWE-20: Improper Input Validation) in Cisco Catalyst SD-WAN Manager's web UI XML parser. XXE attacks exploit misconfigured XML parsers that process external entity references, allowing attackers to include content from local files or network resources. The SD-WAN Manager web interface accepts XML input without properly sanitizing or disabling external entity processing. When a crafted XML document containing malicious entity declarations is submitted, the parser resolves these references and returns file contents in the response. The Catalyst SD-WAN Manager (formerly vManage) serves as the centralized management and orchestration platform for Cisco's SD-WAN fabric, making it a high-value target containing network topology data, device credentials, VPN configurations, and policy definitions.
RemediationAI
Upgrade Cisco Catalyst SD-WAN Manager to the fixed software version specified in Cisco Security Advisory cisco-sa-sdwan-mltvnps2-JxpWm7R available at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-mltvnps2-JxpWm7R. Cisco typically provides fixed releases across multiple maintenance tracks; select the appropriate version for your deployment. If immediate patching is not feasible, implement network-level access controls to restrict SD-WAN Manager web UI access to trusted management networks only - block all internet-facing access and require VPN or jump host authentication. Configure web application firewall (WAF) rules to inspect and block XML requests containing DOCTYPE declarations, ENTITY definitions, or SYSTEM/PUBLIC keywords, though this may interfere with legitimate XML functionality. Monitor access logs for unusual XML POST requests to the web UI, particularly from unexpected source IPs. Note that access restrictions reduce attack surface but do not eliminate the vulnerability for authenticated internal users or attackers with network access.
Remote unauthenticated attackers can bypass peering authentication in Cisco Catalyst SD-WAN Controller (vSmart) and SD-W
Arbitrary file write via path traversal in Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage) allows an authenticat
Cisco Catalyst SD-WAN Manager's web interface contains a reflected cross-site scripting (XSS) vulnerability that require
Cisco Catalyst SD-WAN Manager web UI fails to properly redact sensitive information in device configurations and templat
Privilege escalation in Cisco Catalyst SD-WAN Manager allows authenticated users with read-only permissions to elevate p
Same weakness CWE-20 – Improper Input Validation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30325
GHSA-558q-cqp2-mrc3