CVE-2026-20224
Cisco Catalyst SD-WAN Manager XML External Entity Injection Vulnerability
Vexday Risk Score
41Atención
Decisión SSVC (CISA)
Attend
PoC disponible → seguir de cerca
CVSS 8.6EPSS 0.7%KEV nãoPoC públicaNuclei —Metasploit —Patch —
Ciclo de vida
14 may 2026Publicada en NVD
15 may 2026PoC pública
Recomendación: Planificar corrección próxima — ya existe PoC pública.
A vulnerability in the web UI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an unauthenticated, remote attacker to read arbitrary files that are stored in an affected system. The attacker does not need to have valid user credentials.
This vulnerability is due to improper handling of XML External Entity (XXE) entries when parsing an XML file. An attacker could exploit this vulnerability by sending a crafted request to an affected system. A successful exploit could allow the attacker to read arbitrary files that are stored in the affected system.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Productos afectados
Cisco · Cisco Catalyst SD-WAN ManagerPoCs públicas encontradas — 1
githubgithub.com/fevar54/CVE-2026-20224---XXE-Injection-en-Cisco-Catalyst-SD-WAN-Manager★ 0⚠ Recursos públicos, para evaluar la exposición de sistemas que controlas o estás autorizado a probar. Prueba solo con autorización.