Key Takeaway
CVE-2022-20775 is a path traversal vulnerability in Cisco SD-WAN's CLI that allows an authenticated local attacker to execute arbitrary commands as root due to improper access controls on CLI commands. Successful exploitation results in full system compromise of the affected appliance, enabling configuration tampering, data exfiltration, and lateral movement into connected networks. CISA mandates federal agency remediation by February 27, 2026, and Cisco has released patches that all affected organizations should apply immediately.
CVE-2022-20775: Cisco SD-WAN CLI Path Traversal Enables Root Privilege Escalation
CVE ID: CVE-2022-20775 Vendor: Cisco Affected Product: Cisco SD-WAN Attack Vector: Local (authenticated) Vulnerability Type: Path Traversal / Improper Access Control CISA KEV Patch Deadline: 2026-02-27
Vulnerability Technical Details
Cisco SD-WAN's command-line interface contains a path traversal vulnerability rooted in improper access controls applied to specific CLI commands. The application fails to adequately validate path inputs supplied to those commands, allowing an authenticated local attacker to traverse outside intended directory boundaries and interact with restricted filesystem resources.
Exploiting this flaw does not require network access. An attacker who holds any authenticated CLI session on an affected SD-WAN appliance can craft malformed path arguments to bypass privilege restrictions and execute arbitrary commands under the root user context. No additional user interaction or complex chaining is required once CLI access is established.
The vulnerability was assigned CVE-2022-20775 and has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog, with a mandatory remediation deadline of February 27, 2026, for U.S. federal agencies under Binding Operational Directive 22-01.
Affected Scope
This vulnerability affects Cisco SD-WAN deployments running vulnerable software versions across the product line. Organizations using Cisco SD-WAN appliances in branch office connectivity, WAN edge routing, or software-defined wide-area networking architectures are exposed if they have not applied Cisco's published patches. Consult the official Cisco Security Advisory for the precise version matrix of affected and fixed releases.
Real-World Impact
Successful exploitation grants an attacker full root access to the targeted SD-WAN appliance. From that position, an attacker can:
- Modify device configurations to redirect or intercept WAN traffic.
- Exfiltrate sensitive data including credentials, routing tables, and encryption keys stored on the appliance.
- Pivot laterally into connected branch networks, data centers, or cloud environments that the SD-WAN fabric interconnects.
- Establish persistent access by implanting backdoors or modifying system binaries, surviving configuration resets that do not wipe the underlying OS.
SD-WAN appliances occupy a high-value position in enterprise network architecture. They sit at the intersection of multiple network segments and often carry encrypted tunnels to headquarters and cloud infrastructure. Root-level compromise of a single appliance can cascade into broader network access that extends well beyond the initial point of entry.
While exploitation requires authenticated local CLI access, this bar is lower than it appears. Insider threats, compromised service accounts, misconfigured remote access policies, and jump-host vulnerabilities can all provide an attacker with the initial CLI foothold needed to trigger this vulnerability.
Patching and Mitigation Guidance
Organizations should treat this vulnerability as high priority given its presence on CISA's KEV catalog and the level of access it provides post-exploitation.
Immediate actions:
-
Inventory all Cisco SD-WAN deployments. Identify every appliance running an affected software version. Cross-reference device versions against the Cisco Security Advisory for CVE-2022-20775.
-
Apply Cisco-issued patches. Cisco has released fixed software versions that address the improper access controls in the CLI. Obtain the correct update for each affected device through Cisco's official channels and apply it according to your change management process.
-
Restrict CLI access immediately. Limit local and remote CLI sessions to the minimum set of authorized personnel. Remove any shared or service accounts with CLI access that do not have a documented operational requirement.
-
Audit access logs. Review authentication and command execution logs on all SD-WAN appliances for anomalous activity. Look specifically for privilege-related commands, unusual path references, or commands executed outside expected maintenance windows.
-
Enforce network segmentation. Ensure SD-WAN management interfaces are not exposed to untrusted networks. Place management access behind dedicated out-of-band management networks or VPN-gated jump hosts with multi-factor authentication enforced.
-
Monitor for indicators of compromise. If patching is delayed for any appliance, increase monitoring on that device. Look for unexpected outbound connections, configuration changes not associated with authorized change tickets, and new accounts or SSH keys added to the system.
For the authoritative list of affected versions and fixed releases, reference the official Cisco Security Advisory published for CVE-2022-20775 on Cisco's Security Advisories portal. Federal agencies operating under FISMA must meet the CISA KEV deadline of February 27, 2026, but all organizations should treat this as an urgent remediation item rather than scheduling it to that deadline.
Original Source
CISA KEV
Related Articles
CVE Pending: Critical Vulnerability in Anthropic's Claude Code Discovered Days After Source Code Leak
Adversa AI discovered a critical vulnerability in Anthropic's Claude Code agentic coding assistant within days of Anthropic accidentally leaking the product's source code. Claude Code operates with elevated system privileges in developer environments, making exploitation potentially severe — including credential theft, CI/CD pipeline manipulation, and lateral movement. Organizations should audit deployments, rotate credentials, and apply patches immediately once Anthropic releases a fix.
CVE-2022-20775: Cisco SD-WAN CLI Path Traversal Enables Root-Level Privilege Escalation
CVE-2022-20775 is a path traversal vulnerability in Cisco SD-WAN's CLI that allows an authenticated local attacker to bypass access controls and execute arbitrary commands as root. The flaw affects Cisco SD-WAN deployments and carries a CISA KEV remediation deadline of February 27, 2026 for federal agencies. Administrators should apply Cisco's official patches immediately and restrict CLI access to trusted accounts as an interim control.
CVE-2024-6387: OpenSSH regreSSHion RCE Flaw Exposes Millions of Linux Servers to Unauthenticated Root Access
CVE-2024-6387 (regreSSHion) is a signal handler race condition in OpenSSH sshd versions 8.5p1 through 9.7p1 that allows unauthenticated remote code execution as root. Discovered by Qualys, the flaw affects an estimated 700,000 publicly exposed servers. Administrators should upgrade to OpenSSH 9.8p1 immediately or set LoginGraceTime 0 as a temporary workaround.
Apple Expands DarkSword Exploit Kit Mitigations Across Device Fleet After State-Sponsored and Spyware Vendor Abuse
Apple has expanded mitigations against the DarkSword exploit kit to additional devices after the toolkit was used in operations by state-sponsored threat groups and commercial spyware vendors. The expansion follows Apple's standard model of phased protection rollouts across its device ecosystem. All Apple device owners should apply the latest OS updates immediately, and high-risk individuals should enable Lockdown Mode.