CVE-2020-26071: Arbitrary File Access in Cisco Catalyst SD-WAN Manager
Platform
cisco
Component
cisco-catalyst-sd-wan-manager
Fixed in
20.1.13
19.2.2
18.4.5
18.4.6
20.1.2
20.1.2
19.3.1
19.2.3
18.3.7
18.3.8
19.2.1
18.3.9
19.0.1
19.1.1
18.4.303
18.4.304
17.2.11
18.3.7
19.0.2
18.2.1
18.4.4
18.4.2
17.2.9
18.3.4
18.4.1
18.3.2
17.2.7
17.2.10
18.3.5
17.2.6
18.3.2
18.3.6
18.4.1
18.3.4
17.2.8
17.2.5
18.3.1
19.2.4
18.4.502
18.4.6
20.1.13
18.3.7
19.2.2
19.3.1
20.1.2
19.2.3
18.3.9
18.4.4
18.4.5
18.4.303
19.1.1
18.4.304
19.2.1
17.2.11
18.3.8
18.3.2
18.3.5
18.2.1
18.3.6
18.4.2
17.2.6
17.2.8
17.2.9
17.2.10
18.4.1
17.2.7
18.3.1
17.2.5
18.3.4
19.2.4
19.2.2
20.1.13
18.4.5
19.3.1
18.3.9
19.2.3
20.1.2
18.3.7
18.4.4
18.4.303
18.4.6
18.4.304
19.1.1
17.2.11
19.0.2
18.3.8
18.3.2
19.2.1
17.2.10
18.3.5
18.2.1
18.4.2
17.2.6
18.4.1
18.3.6
18.3.4
17.2.8
17.2.7
17.2.9
18.3.1
17.2.5
19.2.4
18.4.304
18.3.8
19.3.1
18.2.1
20.1.13
17.2.11
18.3.4
18.3.7
19.0.1
17.2.7
18.4.1
18.3.2
18.4.303
19.2.3
18.3.6
17.2.10
19.1.1
20.1.12
18.4.6
17.2.6
17.2.9
18.3.9
18.3.1
18.4.4
18.4.5
19.2.2
17.2.5
18.3.5
19.0.2
20.1.2
17.2.8
18.4.2
19.2.1
19.2.4
CVE-2020-26071 describes an Arbitrary File Access vulnerability within the Command Line Interface (CLI) of Cisco Catalyst SD-WAN Software. Successful exploitation allows an authenticated, local attacker to create or overwrite arbitrary files on the affected device, potentially leading to a denial-of-service (DoS) condition. This vulnerability impacts versions of the software up to and including 20.1.12, with a fix available in version 20.1.13.
Impact and Attack Scenarios
This vulnerability poses a significant risk as it allows an authenticated, local attacker to directly manipulate the file system of the Cisco Catalyst SD-WAN Manager. An attacker could leverage this to overwrite critical system files, effectively halting the device's operation and causing a denial of service. The ability to create arbitrary files also opens the door to potential malware injection or the creation of backdoors, although the description focuses primarily on the DoS impact. The local authentication requirement limits the immediate scope, but a compromised user account could still be exploited to trigger this vulnerability.
Exploitation Context
CVE-2020-26071 was publicly disclosed on November 18, 2024. As of this date, there are no publicly known active exploitation campaigns or proof-of-concept (PoC) exploits. The vulnerability is not currently listed on the CISA KEV catalog. The vulnerability's reliance on local authentication and the need for crafted command arguments may limit its widespread exploitation, but diligent monitoring is still recommended.
Threat Intelligence
Exploit Status
EPSS
0.14% (33% percentile)
CISA SSVC
CVSS Vector
What do these metrics mean?
- Attack Vector
- Local — attacker needs a local shell or interactive session on the system.
- Attack Complexity
- Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
- Privileges Required
- Low — any valid user account is sufficient. Basic authenticated access required.
- User Interaction
- None — attack is automatic and silent. Victim does nothing: no click, no file open.
- Scope
- Changed — successful attack can pivot beyond the vulnerable component to other systems or the host OS.
- Confidentiality
- None — no confidentiality impact. Attacker cannot read protected data.
- Integrity
- High — attacker can write, modify, or delete any data: databases, config files, or code.
- Availability
- High — complete crash or resource exhaustion. Full denial of service.
Affected Software
Weakness Classification (CWE)
Timeline
- Reserved
- Published
- EPSS updated
Mitigation and Workarounds
The primary mitigation for CVE-2020-26071 is to upgrade to Cisco Catalyst SD-WAN Software version 20.1.13 or later. If an immediate upgrade is not feasible due to compatibility concerns or testing requirements, consider implementing stricter access controls to the CLI, limiting user privileges and restricting access to sensitive commands. While a direct WAF rule is unlikely to be effective, monitoring CLI activity for suspicious file creation or modification attempts can provide an early warning system. Review and audit user accounts and their associated permissions to ensure least privilege access.
How to fix
Cisco ha publicado actualizaciones de software que abordan esta vulnerabilidad. Actualice el software Cisco SD-WAN a la última versión disponible proporcionada por el proveedor para mitigar el riesgo de explotación. No existen soluciones alternativas para esta vulnerabilidad.
CVE Security Newsletter
Vulnerability analysis and critical alerts directly to your inbox.
Frequently asked questions
What is CVE-2020-26071 — Arbitrary File Access in Cisco Catalyst SD-WAN Manager?
CVE-2020-26071 is a HIGH severity vulnerability allowing authenticated local attackers to create or overwrite files on Cisco Catalyst SD-WAN Manager, potentially causing a DoS. It affects versions ≤20.1.12.
Am I affected by CVE-2020-26071 in Cisco Catalyst SD-WAN Manager?
You are affected if you are running Cisco Catalyst SD-WAN Manager version 20.1.12 or earlier. Check your version and compare it to the affected versions listed in the advisory.
How do I fix CVE-2020-26071 in Cisco Catalyst SD-WAN Manager?
Upgrade to Cisco Catalyst SD-WAN Software version 20.1.13 or later to resolve the vulnerability. Implement stricter access controls to the CLI as an interim measure.
Is CVE-2020-26071 being actively exploited?
As of November 18, 2024, there are no publicly known active exploitation campaigns or proof-of-concept exploits for CVE-2020-26071.
Where can I find the official Cisco advisory for CVE-2020-26071?
Refer to the official Cisco Security Advisory for detailed information and mitigation steps: [https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-cli-arbitrary-file-access-20200813]
Is your project affected?
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.