CVE-2022-20775 - [KEV] - CVSS 7.8
Overview
CVE-2022-20775 is a path traversal vulnerability in the command-line interface (CLI) of Cisco SD-WAN software. The flaw stems from improper access controls on commands within the application CLI, allowing an authenticated local attacker to traverse outside the intended command scope and execute arbitrary commands as the root user. The vulnerability carries a CVSS score of 7.8 (High), reflecting the significant impact of full root compromise despite the local, authenticated prerequisite. EPSS is currently low (0.004), but CISA added the CVE to the Known Exploited Vulnerabilities (KEV) catalog on 2026-02-25, confirming active exploitation in the wild.
Affected Products
- Cisco Catalyst 8000V Edge
- Cisco Catalyst SD-WAN Manager
- Cisco SD-WAN (legacy branding)
- Cisco SD-WAN vBond Orchestrator
- Cisco SD-WAN vEdge Cloud
- Cisco SD-WAN vSmart Controller
The vulnerability spans the entire Cisco SD-WAN control and data plane portfolio, meaning orchestrators, controllers, and edge devices are all in scope.
Exploitation Evidence
No public proof-of-concept, exploit telemetry, or campaign-specific indicators are present in the available dataset. However, inclusion in the CISA KEV catalog (added 2026-02-25) constitutes authoritative confirmation that the vulnerability is being exploited in real-world attacks. Federal civilian executive branch agencies are bound by BOD 22-01 remediation timelines, and private sector defenders should treat KEV inclusion as a high-confidence indicator of operational risk.
ATT&CK Mapping
No formal ATT&CK mappings exist in the database. Based on the vulnerability mechanics, the following techniques are highly relevant:
- T1068 – Exploitation for Privilege Escalation: The core impact, escalating from an authenticated CLI user to root.
- T1059 – Command and Scripting Interpreter: Exploitation occurs via crafted CLI input that escapes intended command boundaries.
- T1083 – File and Directory Discovery / Path Traversal pattern: The underlying weakness leverages directory traversal semantics to reach unauthorized commands.
- T1078 – Valid Accounts: Exploitation requires authenticated local access, implying prior credential acquisition or insider access.
Threat Actor Context
No specific threat actor attribution is available in the dataset. Cisco SD-WAN infrastructure has historically been a high-value target for state-aligned actors conducting network-edge compromise (consistent with broader targeting of edge appliances by China-nexus and Russia-nexus groups). The pairing of authenticated-local prerequisite with root escalation makes this CVE particularly attractive as a second-stage capability following initial credential theft, phishing, or chained exploitation of an authentication bypass.
Recommended Actions
- Patch immediately: Apply Cisco's fixed SD-WAN software releases per the vendor advisory. Prioritize vManage/Catalyst SD-WAN Manager and vBond/vSmart controllers, as their compromise yields fabric-wide impact.
- Meet KEV deadlines: FCEB agencies must remediate per BOD 22-01; all other organizations should treat KEV inclusion as a P1 remediation trigger.
- Restrict CLI access: Limit SD-WAN CLI access to a minimal set of administrators via TACACS+/RADIUS, enforce MFA on jump hosts, and audit local accounts on all SD-WAN components.
- Credential hygiene: Rotate credentials for any account with CLI access, and review for shared, default, or service accounts that could be abused as the authenticated foothold.
- Detection: Enable and centralize CLI command logging from SD-WAN devices. Hunt for anomalous command strings containing path traversal sequences (e.g., ../), unexpected root-level command execution, and unusual session activity from low-privilege users.
- Network segmentation: Ensure management interfaces of SD-WAN components are isolated on out-of-band management VLANs and unreachable from user/production networks.
- Post-exploitation review: If patching is delayed, conduct integrity validation of SD-WAN device configurations and binaries, and review for unauthorized accounts, scheduled tasks, or persistence artifacts.
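The detection bullet above describes a hunt over centralized CLI command logs for traversal sequences, root-level commands from non-administrators, and noisy low-privilege sessions. The script below is an added example of that hunt, written for this page and not part of Cisco's software or documentation. The log line format, the sample records, the host and user names, and the list of privileged commands are all constructed or assumed; real SD-WAN syslog or AAA accounting output must be mapped onto the same field names before use. It also goes slightly beyond the page's single `../` example by decoding percent-encoded and backslash variants so trivially obfuscated input is flagged as well.

```python
"""Hunt CLI audit records for path-traversal and privilege-abuse patterns.

Added example, not vendor code. The record format below is constructed;
map real SD-WAN syslog / AAA accounting fields onto the same names.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# Constructed sample records (hypothetical format, not real device output).
SAMPLE_LOG = """\
2026-02-26T10:01:12Z host=vmanage1 user=netops priv=operator cmd="show running-config"
2026-02-26T10:02:45Z host=vmanage1 user=netops priv=operator cmd="request support ../../../../bin/sh"
2026-02-26T10:03:10Z host=vedge7 user=admin priv=admin cmd="show interface"
this line is deliberately malformed and must be skipped
2026-02-26T10:04:30Z host=vedge7 user=guest priv=operator cmd="vshell"
2026-02-26T10:05:01Z host=vbond2 user=svc_backup priv=operator cmd="copy ..%2f..%2fetc%2fshadow bootflash:"
2026-02-26T10:06:22Z host=vsmart1 user=admin priv=admin cmd="request software install"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+'
    r'priv=(?P<priv>\S+)\s+cmd="(?P<cmd>[^"]*)"\s*$'
)

# "../" is the sequence the advisory names; the backslash and percent-encoded
# forms go beyond it so that lightly obfuscated input is caught as well.
TRAVERSAL_RE = re.compile(r'\.\./|\.\.\\|\.\.%2f|%2e%2e', re.IGNORECASE)

# Assumed placeholder list: commands that should only ever be issued by full
# administrators on your platform. Tune this to your own environment.
PRIVILEGED_CMDS = ("vshell",)
ADMIN_PRIVS = {"admin"}


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the record's fields, or None for lines that do not match the format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def normalise(cmd: str) -> str:
    """Percent-decode repeatedly (bounded) so double-encoded input is compared plainly."""
    for _ in range(3):
        decoded = unquote(cmd)
        if decoded == cmd:
            break
        cmd = decoded
    return cmd


def classify(rec: Dict[str, str]) -> List[str]:
    """Return the reasons a record is suspicious (empty list if none)."""
    reasons: List[str] = []
    cmd = normalise(rec["cmd"])
    if TRAVERSAL_RE.search(cmd) or TRAVERSAL_RE.search(rec["cmd"]):
        reasons.append("path-traversal-sequence")
    words = cmd.split()
    first_word = words[0] if words else ""
    if rec["priv"] not in ADMIN_PRIVS and first_word in PRIVILEGED_CMDS:
        reasons.append("privileged-command-from-low-priv-user")
    return reasons


def analyse(log_text: str) -> List[Dict[str, object]]:
    """Parse every record, skip malformed lines, and collect flagged records with reasons."""
    findings: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # malformed or unrelated line: skipped, not a crash
        reasons = classify(rec)
        if reasons:
            findings.append({**rec, "reasons": reasons})
    return findings


def count_by_user(findings: List[Dict[str, object]]) -> Dict[str, int]:
    """Findings per host/user pair, to surface low-privilege sessions that keep tripping rules."""
    counts: Dict[str, int] = {}
    for f in findings:
        key = f"{f['host']}/{f['user']}"
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f["ts"], f["host"], f["user"], f["reasons"], f["cmd"])
    print(count_by_user(analyse(SAMPLE_LOG)))
```

Feed the output of `analyse` into a SIEM rule or a scheduled hunt; the per-user counts from `count_by_user` are the simplest proxy for the "unusual session activity" the advisory mentions, and the privileged-command list is where platform-specific knowledge belongs.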