
Cisco has issued two separate advisories addressing vulnerabilities in its SD-WAN software suite, warning users of potential exploitation risks involving stored cross-site scripting (XSS) and traffic filter bypass. These vulnerabilities—tracked as CVE-2025-20147 and CVE-2025-20221—pose moderate risks but could lead to unauthorized data injection and traffic manipulation if left unpatched.
CVE-2025-20147: Stored Cross-Site Scripting in Cisco Catalyst SD-WAN Manager
This vulnerability affects the web-based management interface of Cisco Catalyst SD-WAN Manager (formerly vManage). It allows an authenticated, remote attacker to inject malicious JavaScript into the interface, leading to stored cross-site scripting (XSS).
“This vulnerability is due to improper sanitization of user input to the web-based management interface,” Cisco explains.
Attackers can exploit this by submitting a specially crafted script through the interface. If successful, the script is stored and executed in the browser of any user who later opens the page containing it, potentially leading to session hijacking, credential theft, or unauthorized actions.
Affected versions include releases 20.8 and earlier, and releases up to 20.12; release 20.13 and later are not vulnerable. Cisco has confirmed the existence of proof-of-concept exploit code, but no malicious exploitation has been reported to date.
CVE-2025-20221: Packet Filtering Bypass in Cisco IOS XE SD-WAN Software
The second advisory concerns a flaw in the packet filtering mechanisms of Cisco IOS XE SD-WAN software. The vulnerability allows unauthenticated remote attackers to bypass Layer 3 and Layer 4 traffic filters, injecting crafted packets into the network.
“An attacker could exploit this vulnerability by sending a crafted packet to the affected device,” the advisory explains.
This issue affects:
- Universal Cisco IOS XE Software 17.2.1r and later (in Controller mode)
- Standalone SD-WAN releases from 16.9.1 to 16.12.4
- cEdge Routers with SNMP enabled on the tunnel 0 interface
Exploitation relies on improper traffic filtering logic and can be mitigated by disabling SNMP or applying a device access policy to block unsolicited SNMP traffic.
Cisco has also released software updates to address this vulnerability. As with the previous vulnerability, the Cisco PSIRT is aware of available proof-of-concept exploit code.
Cisco advises configuring extended access control lists (ACLs) and device access policies as immediate mitigations before upgrading to patched versions.
Remediation & Best Practices
Cisco has released fixed software versions for both vulnerabilities and urges users to update immediately. Administrators should also:
- Disable unnecessary SNMP access
- Sanitize all user inputs on SD-WAN interfaces
- Monitor for unusual packet flows or access attempts
- Implement ACLs to filter inbound/outbound traffic
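As an added example that is not part of the Cisco advisories or this article, the following Cisco IOS XE configuration shows one way to apply the interim mitigation for CVE-2025-20221 described above (block unsolicited SNMP with an extended ACL or device access policy) and the "Disable unnecessary SNMP access" and "Implement ACLs" items in the list: SNMP is permitted only from a single trusted management station, everything else on UDP 161/162 is dropped and logged, and the same restriction is bound to the SNMP community so the agent itself rejects other sources. The management address 192.0.2.10, the interface name GigabitEthernet0/0/0, the ACL names and the community placeholder are assumptions.

```cisco
! Constructed example (not from the Cisco advisory): restrict SNMP on an
! IOS XE SD-WAN edge router to one trusted management station and log the rest.
! Addresses, interface name, ACL names and community string are assumptions.
!
! If SNMP is not needed on this device at all, remove the exposure entirely:
! no snmp-server
!
ip access-list extended RESTRICT-SNMP
 remark Allow SNMP polling and traps only from the assumed management station
 permit udp host 192.0.2.10 any eq snmp
 permit udp host 192.0.2.10 any eq snmptrap
 remark Drop and log all other SNMP (UDP 161/162) arriving on this interface
 deny udp any any eq snmp log
 deny udp any any eq snmptrap log
 remark Leave all other traffic unaffected; tighten further per site policy
 permit ip any any
!
! Apply inbound on the WAN-facing interface that carries the SD-WAN tunnel
! (GigabitEthernet0/0/0 is an assumption; use the interface the tunnel rides on)
interface GigabitEthernet0/0/0
 ip access-group RESTRICT-SNMP in
!
! Also bind a standard ACL to the SNMP community so the SNMP agent itself
! answers only the management station (replace the placeholder community)
ip access-list standard SNMP-MGMT-HOSTS
 permit host 192.0.2.10
snmp-server community <REPLACE-WITH-STRONG-COMMUNITY> RO SNMP-MGMT-HOSTS
```

On a cEdge router running in controller mode, the configuration is owned by Cisco Catalyst SD-WAN Manager, so push this through a device access policy or a CLI add-on template rather than editing the local CLI, where it would be overwritten. The `log` keyword on the deny entries produces syslog records of rejected SNMP attempts, which is a practical source for the "monitor for unusual access attempts" item above; this is only an interim control, and the patched release remains the actual fix.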