CVE-2026-20122: Cisco Catalyst SD-WAN Manager Arbitrary File Overwrite
This report provides a technical dissection of CVE-2026-20122, an arbitrary file overwrite vulnerability identified in Cisco Catalyst SD-WAN Manager.
Vulnerability Overview
CVE-2026-20122 is a critical flaw in the API of Cisco Catalyst SD-WAN Manager. It allows an authenticated, remote attacker holding only read-only credentials to overwrite arbitrary files on the local filesystem. The cause is improper handling of file upload requests, specifically in the /dataservice/smartLicensing/uploadAck endpoint. Because a read-only account is sufficient, every account that can reach the management API, not just administrators, must be treated as in scope when assessing exposure.
Root Cause Analysis
The vulnerability stems from insufficient input validation and path sanitization in the API's smart licensing module. When an authenticated user submits a request to the uploadAck endpoint, the application uses the user-supplied filename to build the destination path without rejecting path traversal sequences (e.g., ../../../). An attacker can therefore escape the intended upload directory and write to sensitive system paths, including the application server's deployment directory, where a written file is picked up and executed rather than merely stored.
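The flawed pattern and its hardened counterpart, side by side, as an added illustration that is not Cisco's code and does not reproduce the actual vmanage implementation. The upload directory is an assumed value, and the traversal filename is constructed so that it resolves to the WildFly deployment path named later in this report:

```python
import posixpath

# Assumed staging directory for the example; not Cisco's real upload location.
UPLOAD_DIR = "/opt/licensing/uploads"
# Constructed attacker-controlled name that walks out of UPLOAD_DIR (three
# components deep) into the WildFly hot-deploy directory named in this report.
TRAVERSAL_NAME = "../../../var/lib/wildfly/standalone/deployments/evil.war"


def unsafe_target(upload_dir: str, filename: str) -> str:
    """The flawed pattern: join the user-supplied name onto the upload
    directory and normalise it, letting '..' segments escape the directory."""
    return posixpath.normpath(posixpath.join(upload_dir, filename))


def escapes_upload_dir(upload_dir: str, filename: str) -> bool:
    """True when the naive join resolves to a path outside upload_dir."""
    base = posixpath.normpath(upload_dir)
    return not unsafe_target(upload_dir, filename).startswith(base + "/")


def safe_target(upload_dir: str, filename: str) -> str:
    """Hardened handling: treat the upload name as a bare basename, then verify
    containment after normalisation. Raises ValueError on anything else."""
    if not filename or filename in (".", ".."):
        raise ValueError("empty or reserved upload name")
    if any(ch in filename for ch in "/\\\x00"):
        raise ValueError("separators and NUL are not allowed in an upload name")
    base = posixpath.normpath(upload_dir)
    candidate = posixpath.normpath(posixpath.join(base, filename))
    # Defence in depth: even after the checks above, insist the result is a
    # direct child of the upload directory.
    if posixpath.dirname(candidate) != base:
        raise ValueError("upload name escapes the upload directory")
    return candidate


def is_rejected(upload_dir: str, filename: str) -> bool:
    """Convenience wrapper so callers can test safe_target without try/except."""
    try:
        safe_target(upload_dir, filename)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("naive join  ->", unsafe_target(UPLOAD_DIR, TRAVERSAL_NAME))
    print("escapes dir ->", escapes_upload_dir(UPLOAD_DIR, TRAVERSAL_NAME))
    print("hardened    ->", is_rejected(UPLOAD_DIR, TRAVERSAL_NAME),
          is_rejected(UPLOAD_DIR, "ack.json"))
```

The containment check after normalisation matters: rejecting the literal string ".." is not enough on its own, because encoded or platform-specific variants can slip past string matching, whereas comparing the resolved parent directory against the intended base catches anything that escapes regardless of how it was spelled.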
Exploitation Path
An attacker exploits this vulnerability by crafting a malicious license acknowledgement upload. By placing path traversal sequences in the filename, the attacker directs the application to write the uploaded content over a path of their choosing, in this case a hot-deploy directory of the embedded WildFly application server:

- Authenticated Access: the attacker authenticates to the API with valid read-only credentials.
- Crafting Payload: a malicious web archive is prepared and named with path traversal sequences that resolve to a deployment path such as /var/lib/wildfly/standalone/deployments/[malicious_file].war.
- Triggering Overwrite: the file is uploaded via a POST request to /dataservice/smartLicensing/uploadAck, and the server writes it to the traversed path.
- Execution: once the application server deploys the archive, the attacker interacts with the newly created endpoint (e.g., /cmd.gz/cmd.jsp) to execute arbitrary code with the privileges of the vmanage service.
Forensic Analysis
During an investigation, the following artifacts provide clear indicators of compromise:

- Log files: /var/log/nms/containers/service-proxy/serviceproxy-access.log records POST requests to /dataservice/smartLicensing/uploadAck; requests from unexpected source addresses, read-only users, or unusual user agents are the first thing to look for.
- Detailed application logs: /var/log/nms/vmanage-server.log may contain explicit errors related to path traversal attempts, such as Failed to download the file....
- Webshell presence: access to unexpected endpoints like /cmd.gz/cmd.jsp strongly indicates successful exploitation and webshell deployment; the corresponding archive should be present in the WildFly deployments directory and must be preserved before removal.
Detection Logic
To detect potential exploitation, monitor web access logs for POST requests to the vulnerable endpoint. The following Sigma rule expresses the selection:

```yaml
title: Potential Cisco SD-WAN Arbitrary File Overwrite
logsource:
  category: web
  product: cisco_sdwan
detection:
  selection:
    uri|contains: '/dataservice/smartLicensing/uploadAck'
    method: 'POST'
  condition: selection
level: high
```

The equivalent query for a KQL-based SIEM, where the access log is ingested as CiscoSDWANLogs with the fields shown:

```kusto
CiscoSDWANLogs
| where uri_path contains "/dataservice/smartLicensing/uploadAck"
| where method == "POST"
| project time, src_ip, uri_path, status, user_agent
```

Both queries match every POST to uploadAck, legitimate licensing activity included, so triage hits by source address, user and user agent, and check whether the same source subsequently requested an unexpected .jsp path.

Cisco has released patches for this vulnerability. Organizations must upgrade to the recommended software versions to remediate this risk.
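The Sigma selection above applied to sample access log lines, with the webshell correlation from the Forensic Analysis section layered on top, as an added example that is not part of the original page and not Cisco's tooling. The combined-log layout used for the lines is an assumption (the real serviceproxy-access.log format may differ), and all five lines are constructed:

```python
import re

# Constructed sample lines in a combined-log style layout. The real
# serviceproxy-access.log format is an assumption here, not taken from Cisco.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - admin [12/Jan/2026:09:01:10 +0000] "GET /dataservice/device HTTP/1.1" 200 812 "-" "Mozilla/5.0"
10.0.0.9 - readonly [12/Jan/2026:09:02:33 +0000] "GET /dataservice/smartLicensing/status HTTP/1.1" 200 310 "-" "python-requests/2.31"
10.0.0.9 - readonly [12/Jan/2026:09:02:41 +0000] "POST /dataservice/smartLicensing/uploadAck HTTP/1.1" 200 57 "-" "python-requests/2.31"
10.0.0.9 - - [12/Jan/2026:09:03:05 +0000] "GET /cmd.gz/cmd.jsp?cmd=id HTTP/1.1" 200 142 "-" "python-requests/2.31"
10.0.0.5 - admin [12/Jan/2026:09:04:00 +0000] "GET /dataservice/smartLicensing/status HTTP/1.1" 200 310 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<src_ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<user_agent>[^"]*)"$'
)

UPLOAD_ACK = "/dataservice/smartLicensing/uploadAck"
# Prefixes the application legitimately serves; a .jsp outside them is the
# webshell indicator described in the forensic section. Assumed list.
EXPECTED_PREFIXES = ("/dataservice/",)


def parse_access_log(text):
    """Parse lines into dicts; lines that do not match the layout are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            entries.append(m.groupdict())
    return entries


def match_upload_ack_posts(entries):
    """Same logic as the Sigma selection: method POST and uri containing the endpoint."""
    return [e for e in entries if e["method"] == "POST" and UPLOAD_ACK in e["uri"]]


def is_unexpected_jsp(uri):
    """True for a .jsp request path outside the expected application prefixes."""
    path = uri.split("?", 1)[0]
    return path.lower().endswith(".jsp") and not path.startswith(EXPECTED_PREFIXES)


def match_unexpected_jsp(entries):
    return [e for e in entries if is_unexpected_jsp(e["uri"])]


def correlate(entries):
    """Source IPs that POSTed to uploadAck and later requested an unexpected .jsp.
    Entries are assumed to be in chronological order, as written to the log."""
    first_post = {}
    for idx, e in enumerate(entries):
        if e["method"] == "POST" and UPLOAD_ACK in e["uri"]:
            first_post.setdefault(e["src_ip"], idx)
    flagged = {}
    for idx, e in enumerate(entries):
        ip = e["src_ip"]
        if ip in first_post and idx > first_post[ip] and is_unexpected_jsp(e["uri"]):
            flagged.setdefault(ip, e["uri"])
    return flagged


if __name__ == "__main__":
    parsed = parse_access_log(SAMPLE_ACCESS_LOG)
    for hit in match_upload_ack_posts(parsed):
        print("uploadAck POST:", hit["src_ip"], hit["user"], hit["time"], hit["user_agent"])
    print("correlated webshell access:", correlate(parsed))
```

The first function reproduces the Sigma rule exactly and will fire on legitimate licensing traffic; the correlation step is what separates a routine upload from the sequence this report describes, a POST from a read-only account followed by a request to a .jsp that the application does not normally serve.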