CVE-2022-20775: Cisco SD-WAN CLI Path Traversal Enables Root-Level Privilege Escalation

CVE ID: CVE-2022-20775 Vendor: Cisco Affected Product: Cisco SD-WAN Attack Vector: Local (authenticated) Vulnerability Type: Path Traversal / Improper Access Control CISA KEV Patch Deadline: February 27, 2026

Vulnerability Overview

Cisco SD-WAN's command-line interface contains a path traversal vulnerability tracked as CVE-2022-20775. The flaw stems from improper access controls applied to commands within the application's CLI. An authenticated local attacker can exploit these deficient controls to traverse the file system beyond intended boundaries and execute arbitrary commands with root-level privileges.

The vulnerability does not require remote network access to trigger. An attacker must already hold a valid local account on the affected system. However, once that threshold is met, the authorization controls that are supposed to restrict privileged command execution fail to enforce boundaries correctly, allowing full root compromise.

Technical Details

Path traversal vulnerabilities occur when an application fails to sanitize or restrict file path inputs, allowing an attacker to reference directories and files outside the intended scope. In this case, the Cisco SD-WAN CLI does not adequately validate or restrict the commands and associated paths available to authenticated users.

By supplying crafted input to the CLI, an attacker can move outside the restricted command context and reach system-level functionality. The access control mechanism that should gate privileged operations does not correctly evaluate or block these traversal attempts, resulting in arbitrary command execution under the root user context.

This class of flaw is particularly dangerous on network infrastructure platforms like SD-WAN controllers and edge devices, where root access provides visibility into routing configurations, encryption keys, VPN tunnel parameters, and connected branch network topology.

Real-World Impact

Cisco SD-WAN is widely deployed across enterprise branch networking, connecting distributed offices, data centers, and cloud environments through centralized policy and orchestration. Devices running vulnerable SD-WAN software represent high-value targets: a single compromised node can expose routing tables, traffic policies, and credentials used to authenticate other nodes in the fabric.

An attacker who achieves root access on an SD-WAN component can:

  • Extract private keys, certificates, and authentication tokens stored on the device
  • Modify routing and policy configurations to redirect or intercept traffic
  • Pivot laterally into connected network segments
  • Establish persistent backdoors that survive software restarts
  • Disrupt WAN connectivity for dependent branch sites

While local access is a prerequisite, this requirement is not a reliable mitigating factor in practice. Insider threats, compromised service accounts, and attackers who have already established a foothold via a separate vulnerability can all satisfy the authentication requirement. CISA's inclusion of this CVE in the Known Exploited Vulnerabilities catalog and its mandated remediation deadline for federal agencies signals that the vulnerability carries demonstrated exploitation risk.

Organizations running Cisco SD-WAN in environments where multiple personnel or automated systems have CLI access face elevated exposure. Shared administrative credentials, poorly scoped service accounts, or inadequately monitored privileged sessions each increase the likelihood that an attacker can meet the local authentication requirement.

Affected Versions

Organizations should consult Cisco's official security advisory for the complete list of affected SD-WAN software versions and platform models. Cisco publishes version-specific guidance through its Security Advisories portal, and administrators should cross-reference their deployed versions against Cisco's confirmed vulnerable releases before applying fixes.

Patching and Mitigation Guidance

Primary remediation: Apply the patches released by Cisco that address CVE-2022-20775. Federal agencies are bound by CISA's remediation deadline of February 27, 2026, but all organizations should treat patching as time-sensitive given the KEV designation.

If immediate patching is not possible, apply the following interim controls:

  1. Restrict CLI access: Limit SD-WAN CLI access strictly to a named set of trusted administrators. Remove or disable accounts that do not require direct CLI interaction.

  2. Enforce network-level access controls: Place CLI management interfaces behind out-of-band management networks or jump hosts with multi-factor authentication. Block direct CLI access from general corporate or user-facing networks.

  3. Audit existing accounts: Review all local accounts on SD-WAN nodes. Revoke accounts that are unnecessary, dormant, or tied to former personnel.

  4. Enable and monitor audit logging: Capture all CLI command execution in audit logs. Forward logs to a SIEM and create detection rules for unusual command patterns, unexpected privilege escalation attempts, or access from atypical source addresses or times.

  5. Review for indicators of prior compromise: Given KEV status, treat currently unpatched systems as potentially already compromised. Review historical CLI logs for anomalous activity before and after patching.

Administrators managing Cisco SD-WAN deployments should reference Cisco Security Advisory cisco-sa-sdwan-privesc-QVszVUez for full technical details, affected version matrices, and fixed release information.