Cisco Catalyst SD-WAN Manager Critical Vulnerabilities Advisory (XXE/Privilege Escalation)

Cisco Catalyst SD-WAN Manager Vulnerability Summary Vulnerability Overview Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage) contains multiple security vulnerabilities that allow remote attackers to obtain sensitive information, escalate privileges, or gain unauthorized access to the application. Severity: Critical (CVSS 8.6) Involved CVE IDs: CVE-2026-20224: XML External Entity (XXE) Injection vulnerability CVE-2026-20209: Privilege Escalation vulnerability (via leakage of sensitive session information in audit logs) CVE-2026-20210: Privilege Escalation vulnerability (sensitive information in configurations and templates is not properly sanitized) Impact Scope Affected Products: Cisco Catalyst SD-WAN Manager (all device configurations). Affected Deployment Types: On-Prem Deployment Cisco SD-WAN Cloud-Pro Cisco SD-WAN Cloud (Cisco Managed) Cisco SD-WAN for Government (FedRAMP) Exploitation Conditions: XXE Vulnerability: No authentication required; attackers can read arbitrary files. Privilege Escalation Vulnerabilities: Authentication required; attackers must possess read-only permissions. Remediation Recommended Action: Customers are strongly advised to upgrade to the fixed software versions specified in this security advisory. Workaround: None. Fixed Software Versions: Version 20.9 and later: 20.9.9.1 Version 20.10 and later: 20.12.7.1 Version 20.11 and later: 20.12.7.1 Version 20.12 and later: 20.12.5.4, 20.12.6.2, 20.12.7.1 Version 20.13 and later: 20.15.5.2 Version 20.14 and later: 20.15.5.2 Version 20.15 and later: 20.15.4.4, 20.15.5.2 Version 20.16 and later: 20.18.2.2 Version 20.18 and later: 20.18.2.2 Version 20.1 and later: 20.1.1.1 Note:** For Cisco SD-WAN Cloud (Cisco Managed) Release 20.15.506, no user action is required. POC/Exploit Code No specific POC or exploit code is included in the page.

Goal Reached Thanks to every supporter — we hit 100%!

Cisco Catalyst SD-WAN Manager Critical Vulnerabilities Advisory (XXE/Privilege Escalation)