CVE-2026-20209 — The Web UI Of Cisco Catalyst SD-WAN Manager, Formerly SD-WAN Vulnerability

/MEDIUM /CVSS 5.4/10
Written by SCW Vulnerability Desk Vulnerability Intelligence
National Vulnerability Database vulnerabilitycvemedium-severitycwe-779
CVE-2026-20209 — The Web UI Of Cisco Catalyst SD-WAN Manager, Formerly SD-WAN Vulnerability

CVE-2026-20209 — A vulnerability in the web UI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an authenticated, remote attacker with read-only permissions to elevate their privileges from low to high and perform actions as a high-privileged user. This vulnerability exists

What This Means For You

  • If your environment is affected by CWE-779, review your exposure and prioritize patching based on your environment. Monitor vendor advisories for CVE-2026-20209 updates and patches.

Related ATT&CK Techniques

T1078.002 Valid Accounts: Default Accounts Privilege Escalation T1548.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching Privilege Escalation

🛡️ Detection Rules

3 rules · 6 SIEM formats

3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.

high T1548.003 Privilege Escalation

Privilege Escalation via Sensitive Session Info in Cisco SD-WAN Manager Web UI — CVE-2026-20209

Sigma YAML — free preview 
title: Privilege Escalation via Sensitive Session Info in Cisco SD-WAN Manager Web UI — CVE-2026-20209
id: scw-2026-05-14-ai-1
status: experimental
level: high
description: |
  Detects attempts to access audit logs in Cisco Catalyst SD-WAN Manager's web UI. This is a key step in exploiting CVE-2026-20209, where attackers with read-only privileges access sensitive session information within these logs to elevate their privileges.
author: SCW Feed Engine (AI-generated)
date: 2026-05-14
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-20209/
tags:
  - attack.privilege_escalation
  - attack.t1548.003
logsource:
    category: webserver
detection:
  selection:
      cs-uri|contains:
          - '/api/v1/audit/logs'
      sc-status:
          - 200
      cs-method:
          - 'GET'
  condition: selection
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World · License & reuse

✓ Sigma · Splunk SPL Sentinel KQL Elastic QRadar AQL Wazuh Get rules for your SIEM →

Indicators of Compromise

IDTypeIndicator
CVE-2026-20209 vulnerability CVE-2026-20209
CWE-779 weakness CWE-779

Written by SCW Vulnerability Desk

Source & Attribution
Source PlatformNVD
ChannelNational Vulnerability Database
PublishedMay 14, 2026 at 20:16 UTC

This content was curated and summarized by Shimi's Cyber World for informational purposes. It is not copied or republished in full. All intellectual property rights remain with the original author and source.

Believe this infringes your rights? Submit a takedown request.

Related coverage

CVE-2026-46470 — GStreamer Gst-Plugins-Good Denial of Service

CVE-2026-46470 — An issue was discovered in GStreamer gst-plugins-good before 1.28.2. When parsing MP4 audio tracks, the isomp4 plugin's qtdemux_audio_caps function does not sufficiently validate...

vulnerabilityCVEmedium-severitydenial-of-servicecwe-369
/SCW Vulnerability Desk /MEDIUM /4 /⚑ 2 IOCs /⚙ 2 Sigma

CVE-2026-46469 — GStreamer Gst-Plugins-Good Denial of Service

CVE-2026-46469 — An issue was discovered in GStreamer gst-plugins-good before 1.28.2. When parsing MP4 audio tracks, the isomp4 plugin's qtdemux_parse_trak function does not sufficiently validate...

vulnerabilityCVEmedium-severitydenial-of-servicecwe-369
/SCW Vulnerability Desk /MEDIUM /4 /⚑ 2 IOCs /⚙ 1 Sigma

CVE-2026-44542: Critical Path Traversal in FileBrowser Quantum

CVE-2026-44542 — FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-stable and 1.3.9-beta, attacker-controlled path input is joined with a trusted base...

vulnerabilityCVEcriticalhigh-severityarbitrary-file-accesscwe-22
/SCW Vulnerability Desk /CRITICAL /9.1 /⚑ 3 IOCs /⚙ 2 Sigma