Is CVE-2026-20122 exploitable?

Yes — CVE-2026-20122 is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, meaning it is confirmed exploited in the wild.

Is CVE-2026-20122 a false positive?

No practitioners have marked CVE-2026-20122 a false positive so far (2 verdicts).

How do I remediate CVE-2026-20122?

Practitioners have shared remediation steps for CVE-2026-20122 — see the remediation notes on this page.

CVE-2026-20122

is CVE-2026-20122real, exploitable, or a false positive? Here's the community ground truth.

☆ Watch

Medium · CVSS 5.4EPSS 6.1%CISA KEVCWE-648

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

A vulnerability in the API of Cisco Catalyst SD-WAN Manager could allow an authenticated, remote attacker to overwrite arbitrary files on the local file system. To exploit this vulnerability, the attacker must have valid read-only credentials with API access on the affected system. This vulnerability is due to improper file handling on the API interface of an affected system. An attacker could exploit this vulnerability by uploading a malicious file on the local file system. A successful exploit could allow the attacker to overwrite arbitrary files on the affected system and gain vmanage user privileges.

References

NVD MITRE CVE.org CISA KEV

Published Feb 25, 2026

Embed this verdict

Markdown

[![TruePositive verdict](https://www.truepositive.app/cve/CVE-2026-20122/badge.svg)](https://www.truepositive.app/cve/CVE-2026-20122)

HTML

<a href="https://www.truepositive.app/cve/CVE-2026-20122"><img src="https://www.truepositive.app/cve/CVE-2026-20122/badge.svg" alt="TruePositive verdict for CVE-2026-20122"></a>

Live badge — updates automatically as the community verdict changes.

Community ground truth

Community verdict

2 verdicts

Not a real issue

Includes TruePositive's curated baseline from public sources — community verdicts accrue on top.

Pick your verdict — we'll save it right after a quick sign-in.

Community real-world severity: High (High 2) — CVSS base score 5.4

Practitioners rate this higher than its CVSS — treat with extra caution.

Field notes & remediation

Verdicts are the quick signal — notes are the evidence and fixes behind them.

0
Field note · Waleed AzizCurated
Cisco Catalyst SD-WAN Manager Incorrect Use of Privileged APIs Vulnerability — Cisco Catalyst SD-WAN Manager contains an incorrect use of privileged APIs vulnerability due to improper file handling on the API interface of an affected system. An attacker could exploit this vulnerability by uploading a malicious file on the local file system. A successful exploit could allow the attacker to overwrite arbitrary files on the affected system and gain vmanage user privileges. Listed in the CISA KEV catalog (added 2026-04-20) — confirmed exploited in the wild, not theoretical. FIRST EPSS puts the chance of exploitation in the next 30 days at ~6%. Treat it as real and prioritize remediation over triage.
0
Remediation · Priya NairCurated
Required action for Cisco Catalyst SD-WAN Manger: Please adhere to CISA’s guidelines to assess exposure and mitigate risks associated with Cisco SD-WAN devices as outlines in CISA’s Emergency Directive 26-03 (URL listed below in Notes) and CISA’s “Hunt & Hardening Guidance for Cisco SD-WAN Devices (URL listed below in Notes). Adhere to the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available. CISA set a federal remediation due date of 2026-04-23. After patching, verify the vulnerable path is no longer reachable before closing the finding.