Summary

A privilege escalation vulnerability exists in the CLI of Cisco Catalyst SD-WAN Controller (formerly vSmart), Cisco Catalyst SD-WAN Manager (formerly vManage), and Cisco Catalyst SD-WAN Validator (formerly vBond). The vulnerability allows an authenticated local attacker with netadmin privileges to execute arbitrary commands as the root user by uploading a specially crafted file to the affected system.

The issue stems from insufficient validation of user-supplied input. Successful exploitation can lead to command injection and full system compromise. Cisco has confirmed limited real-world exploitation, including cases where attackers were able to push unauthorized configuration changes to edge devices.

Attackers must already possess netadmin-level access, either through valid credentials or by exploiting related vulnerabilities (CVE-2026-20182 or CVE-2026-20127). No alternative exploitation methods are currently known.

Cisco has released fixed software versions and strongly recommends immediate upgrading. No workarounds are available.

Affected Systems and/or Applications

This vulnerability affects the following Cisco SD-WAN components:

• Cisco Catalyst SD-WAN Controller (vSmart)
• Cisco Catalyst SD-WAN Manager (vManage)
• Cisco Catalyst SD-WAN Validator (vBond)

All deployment models are impacted, including:

• On-Premises deployments
• Cisco SD-WAN CloudPro
• Cisco SD-WAN Cloud (Cisco Managed)
• Cisco SD-WAN for Government (FedRAMP environments)

All versions listed below are affected until a fixed release is applied:

• 20.9.9.1 and earlier
• 20.12.7.1 and earlier
• 20.15.4.4 and earlier
• 20.15.5.2 and earlier
• 20.18.3 (fixed in 20.18.3.1)
• 26.1.1.1 and earlier (fixed in 26.1.1.2)

Technical Details

The vulnerability is caused by insufficient validation of user-supplied input in CLI operations related to file uploads.

Attack Vector

• Requires authenticated access with netadmin privileges
• Attacker uploads a crafted file to the SD-WAN system
• The system improperly processes the file due to weak input validation
• This enables command injection and execution of commands as root

Exploitation Conditions

• Requires valid credentials or prior exploitation of:
  • CVE-2026-20182
  • CVE-2026-20127
• Limited exploitation has been observed in real environments
• Attack activity may include unauthorized configuration changes to edge devices

Impact

• Root-level command execution
• Full system compromise
• Potential manipulation of SD-WAN edge device configurations
• Exposure increases significantly if management interfaces are internet-facing

Indicators of Compromise (IoCs)

Administrators should review /var/log/scripts.log for suspicious entries involving file upload scripts such as:

• vconfd_script_upload_tenant_list.sh
• vconfd_script_upload_vsmart_serial_numbers.sh
• vconfd_script_upload_chassis_number_file.sh

Example log entries may include:

• Upload of unexpected CSV files (e.g., /home/admin/malicious.csv)
• Serial or chassis number uploads from unknown sources

Note: These entries may also appear during legitimate operations, so context validation is required.

Mitigation

Cisco does not provide any workaround for this vulnerability. The following mitigation and response actions are recommended:

1. Upgrade to Fixed Software

• Upgrade to Cisco-provided fixed releases as soon as possible
• Refer to Cisco's official fixed release table for applicable versions

2. Preserve Evidence Before Upgrade

Before upgrading:

• Run request admin-tech on all SD-WAN control components
• Collect and preserve logs for forensic analysis

3. Post-Upgrade Validation

After upgrading:

• Review logs for indicators of compromise
• Validate system integrity and configuration changes
• Investigate any suspicious edge device configuration updates

4. If Compromise is Suspected

• Contact Cisco TAC immediately
• Do not rely solely on patching
• Follow Cisco-provided remediation steps for confirmed compromise cases

5. Exposure Reduction

• Restrict access to SD-WAN management interfaces
• Avoid exposing controllers directly to the internet where possible
• Enforce strict authentication and privileged access controls

References

• Cybersecurity Dive
• Cisco Security Advisory: Cisco Catalyst SD-WAN Controller, Catalyst SD-WAN Manager, and Catalyst SD-WAN Validator Authenticated Privilege Escalation Vulnerability
• Cisco Talos