CVE-2026-20224

HIGH

Cisco Catalyst SD-WAN Manager XML External Entity Injection Vulnerability

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-20224. PoCs published by fevar54.

AI-analyzed exploit summary: This repository contains a functional Python exploit for CVE-2026-20224, an XXE injection vulnerability in Cisco Catalyst SD-WAN Manager. The exploit demonstrates arbitrary file read capabilities through both in-band and out-of-band (OOB) techniques.

Description

A vulnerability in the web UI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an unauthenticated, remote attacker to read arbitrary files that are stored in an affected system. The attacker does not need to have valid user credentials. This vulnerability is due to improper handling of XML External Entity (XXE) entries when parsing an XML file. An attacker could exploit this vulnerability by sending a crafted request to an affected system. A successful exploit could allow the attacker to read arbitrary files that are stored in the affected system.

Exploits (1)

nomisec WORKING POC
by fevar54 · poc
https://github.com/fevar54/CVE-2026-20224---XXE-Injection-en-Cisco-Catalyst-SD-WAN-Manager

Classification
Working PoC 95%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: Cisco Catalyst SD-WAN Manager
No auth needed
Prerequisites: network access to the target · vulnerable endpoint exposed
devstral-2 · analyzed May 16, 2026

References (2)

Core References
Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability was disclosed in February 2026. This new advisory is for a new vulnerability in the control connection handshaking. The Indicators of Compromise
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk

Scores

CVSS v3 8.6
EPSS 0.0003
EPSS Percentile 9.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-20
Status published
Products (50)
Cisco/Cisco Catalyst SD-WAN Manager 17.2.10
Cisco/Cisco Catalyst SD-WAN Manager 17.2.4
Cisco/Cisco Catalyst SD-WAN Manager 17.2.5
Cisco/Cisco Catalyst SD-WAN Manager 17.2.6
Cisco/Cisco Catalyst SD-WAN Manager 17.2.7
Cisco/Cisco Catalyst SD-WAN Manager 17.2.8
Cisco/Cisco Catalyst SD-WAN Manager 17.2.9
Cisco/Cisco Catalyst SD-WAN Manager 18.2.0
Cisco/Cisco Catalyst SD-WAN Manager 18.3.0
Cisco/Cisco Catalyst SD-WAN Manager 18.3.1
... and 40 more
Published May 14, 2026
Tracked Since May 14, 2026