Cisco has pulled back the curtain on a fresh set of vulnerabilities haunting its Catalyst SD-WAN Manager (formerly vManage). These flaws could grant remote attackers the keys to your sensitive data or allow low-level users to seize high-privileged control of the application.
The most alarming discovery is CVE-2026-20224, an XML External Entity (XXE) injection vulnerability that carries a “Critical” impact rating and a CVSS score of 8.6.
The security advisory explains that this flaw “could allow an unauthenticated, remote attacker to read arbitrary files that are stored in an affected system”.
The attacker doesn’t need a username or password to strike. By simply sending a “crafted request” that exploits the improper handling of XXE entries during XML parsing, an outsider can peer into your system’s private files.
Beyond the XXE threat, Cisco identified two “Medium” severity vulnerabilities (CVE-2026-20209 and CVE-2026-20210) that target the internal hierarchy of the platform.
- One flaw exists because “sensitive session information is recorded in audit logs”. An authenticated user with only read-only access could exploit this to “elevate their privileges from low to high and perform actions as a high-privileged user”.
- The second privilege escalation bug is due to a “failure to redact sensitive information within device configurations and templates”. Again, a simple read-only user could leverage this to “access or modify configuration settings… as a high-privileged user”.
Cisco has confirmed “there are no workarounds that address these vulnerabilities”. Patching is your only line of defense.
Administrators should verify their release and move to a fixed version immediately.
| Current SD-WAN Release | First Fixed Release |
| --- | --- |
| 20.9 | 20.9.9.1 |
| 20.12 | 20.12.7.1 |
| 20.15 | 20.15.5.2 |
| 20.18 | 20.18.2.2 |
| 26.1 | 26.1.1.1 |
If you are running a version earlier than 20.9, or versions 20.11, 20.13, 20.14, or 20.16, your software has reached the “End of Software Maintenance”. Cisco strongly encourages these customers to migrate to a supported release to ensure they receive these vital security updates.
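The release check described above, as an added example (not Cisco tooling and not code from the advisory): it maps a release string to the first fixed release in the table and flags the trains listed as End of Software Maintenance. The dotted numeric release format, the status names and the sample inventory are assumptions.

```python
# Added example: triage SD-WAN Manager releases against the table on this page.
import re

# First fixed release per train, copied from the table above.
FIRST_FIXED = {
    (20, 9): (20, 9, 9, 1),
    (20, 12): (20, 12, 7, 1),
    (20, 15): (20, 15, 5, 2),
    (20, 18): (20, 18, 2, 2),
    (26, 1): (26, 1, 1, 1),
}
# Trains the page lists as past End of Software Maintenance.
END_OF_MAINTENANCE = {(20, 11), (20, 13), (20, 14), (20, 16)}


def parse_release(text):
    """Turn '20.12.6' or '20.15.5.2' into a tuple of ints; reject anything else."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){1,3}", text):
        raise ValueError(f"unrecognized release string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def triage(release):
    """Return (status, target); target is the first fixed release or None."""
    version = parse_release(release)
    train = version[:2]
    if train < (20, 9) or train in END_OF_MAINTENANCE:
        return ("end-of-maintenance", None)  # migrate to a supported release
    fixed = FIRST_FIXED.get(train)
    if fixed is None:
        return ("not-listed", None)  # train absent from the table; check the advisory
    # Pad so that 20.15.5 compares as 20.15.5.0 against 20.15.5.2.
    padded = version + (0,) * (len(fixed) - len(version))
    if padded >= fixed:
        return ("fixed", None)
    return ("upgrade", ".".join(map(str, fixed)))


if __name__ == "__main__":
    # Constructed inventory (hypothetical host names), not real devices.
    for name, rel in [("mgr-a", "20.12.6"), ("mgr-b", "20.15.5.2"),
                      ("mgr-c", "20.14.1"), ("mgr-d", "20.8.1")]:
        print(name, rel, *triage(rel))
```

A release on a train that the table does not cover comes back as `not-listed` rather than being guessed at, so it can be checked against the advisory by hand.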