Cisco Catalyst SD-WAN Manager Arbitrary File Write Vulnerability

Act Now | CVSS 6.5 | cisco-sa-sdwan-arbfw-c2rZvQ | Jun 15, 2026
Cisco
IT in OT - Cisco networking products are commonly deployed in OT environments
Attack path
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

A vulnerability in Cisco Catalyst SD-WAN Manager allows an authenticated remote attacker to create or overwrite arbitrary files on the system filesystem due to improper input validation in the web UI file upload process. By sending a crafted HTTP request to a vulnerable API endpoint, an attacker with valid write credentials could write files anywhere on the operating system, including files that could be leveraged to escalate privileges to root and gain complete control of the Manager and all downstream SD-WAN infrastructure it controls.

What this means
What could happen
An authenticated attacker could write or overwrite any file on the SD-WAN Manager system, potentially gaining full control of the device and the WAN infrastructure it manages. This could allow an attacker to disrupt network connectivity across all managed sites or alter network routing behavior.
Who's at risk
This vulnerability affects organizations operating Cisco Catalyst SD-WAN Manager (all versions), which is the central management and orchestration controller for SD-WAN deployments. Impact is critical for service providers and enterprises using SD-WAN to manage WAN traffic across multiple sites. An attacker who gains control of this manager could disrupt all connected branch sites and alter network routing.
How it could be exploited
An attacker with valid SD-WAN Manager credentials (engineering account or admin account) sends a crafted HTTP request to a file upload API endpoint, bypassing input validation to write a malicious file anywhere on the filesystem. The attacker could then use that file to escalate privileges to root and take full control of the Manager.
Prerequisites
  • Valid SD-WAN Manager credentials with write access (engineering or administrative account)
  • Network access to the SD-WAN Manager web UI (typically port 443)
  • Knowledge of or access to the file upload API endpoint
remotely exploitable | requires valid credentials | actively exploited (KEV) | low complexity attack | could lead to full system compromise
Exploitability
Actively exploited — confirmed by CISA KEV
Affected products (1)
Product | Affected Versions | Fix Status
Catalyst SD-WAN Manager | All versions | Fix available
Remediation & Mitigation
Do now
HOTFIX: Update Cisco Catalyst SD-WAN Manager to a patched version
WORKAROUND: Restrict network access to the SD-WAN Manager web UI to only authorized engineering and admin workstations; implement firewall rules to limit access by IP address
HARDENING: Audit SD-WAN Manager user accounts and disable or remove accounts with write access that are not actively in use
HARDENING: Enable multi-factor authentication (MFA) on all SD-WAN Manager user accounts to prevent unauthorized access even if credentials are compromised
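
One way to check that the IP restriction workaround is actually holding, as an added example that is not part of the advisory or any Cisco tooling: it reads web UI access records and reports requests that arrived from outside the authorized workstation ranges, split by account and by whether the HTTP method can write. The log layout, addresses, account names and paths are constructed assumptions, not the Manager's own log format.

```python
import ipaddress
from collections import Counter

# Assumption: authorized engineering/admin workstation ranges (documentation addresses).
ALLOWED = ["192.0.2.0/28", "198.51.100.25/32"]
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

# Constructed sample records: "<time> <src_ip> <user> <method> <path> <status>".
# Hypothetical layout and paths; adapt the parser to your proxy or firewall log.
SAMPLE_LOG = """\
2026-06-15T09:01:12Z 192.0.2.5 netadmin GET /example/dashboard 200
2026-06-15T09:02:40Z 203.0.113.77 eng-ops POST /example/upload 200
2026-06-15T09:02:41Z 203.0.113.77 eng-ops POST /example/upload 200
2026-06-15T09:05:03Z 198.51.100.25 eng-ops PUT /example/settings 200
2026-06-15T09:07:19Z 198.51.100.26 netadmin GET /example/dashboard 200
malformed line
"""

def audit(log_text, cidrs):
    """Return (violations, skipped). violations counts requests from outside
    the allowlist, keyed by (source IP, account, is_write_method)."""
    nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]
    violations, skipped = Counter(), 0
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            skipped += 1          # count unparseable records instead of hiding them
            continue
        _, src, user, method, _, _ = parts
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            skipped += 1
            continue
        if not any(addr in net for net in nets):
            violations[(src, user, method.upper() in WRITE_METHODS)] += 1
    return violations, skipped

if __name__ == "__main__":
    found, bad = audit(SAMPLE_LOG, ALLOWED)
    for (src, user, is_write), n in found.most_common():
        print(f"{src} account={user} write_method={is_write} requests={n}")
    print(f"unparseable records: {bad}")
```

Any hit with a write-capable method from an unlisted source means the firewall rule is not in effect for that path, and the account involved is a candidate for the credential audit above.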

Cisco Catalyst SD-WAN Manager Arbitrary File Write Vulnerability | CVSS 6.5 - OTPulse