What happened

CISA has added CVE-2022-20775 to its Known Exploited Vulnerabilities (KEV) catalog, signaling confirmed in-the-wild exploitation that requires rapid mitigation by defenders CISA KEV.

The underlying issue is a path traversal flaw in the Cisco SD-WAN command-line interface (CLI) that allows an authenticated local attacker to escalate privileges through improper command access controls NVD CVE-2022-20775.

If exploited, the bug enables execution of arbitrary commands with root privileges on the affected device, resulting in full system compromise potential NVD CVE-2022-20775 MITRE CVE record.

Why it matters

Inclusion in CISA’s KEV catalog means exploitation is not hypothetical—federal civilian agencies are now mandated to prioritize remediation under CISA direction, and enterprises should match that urgency CISA KEV.

Because this is a local, authenticated pathway that escalates to root via the CLI, traditional perimeter IDS/IPS will likely miss early-stage abuse, shifting the detection burden to device access controls, configuration hygiene, and on-box monitoring NVD CVE-2022-20775 CISA Hunt & Hardening Guidance.

Exploitation that yields root on SD-WAN infrastructure threatens control-plane integrity, policy propagation, and traffic steering, creating outsized blast radius relative to a single host compromise NVD CVE-2022-20775 CISA KEV.

Technical detail

The vulnerability resides in the Cisco SD-WAN CLI and stems from insufficient access controls on application CLI commands, allowing path traversal by an authenticated local user NVD CVE-2022-20775.

Successful exploitation lets the attacker bypass intended command restrictions and run arbitrary commands as root, effectively taking full control of the device OS context NVD CVE-2022-20775 MITRE CVE record.

The affected product class is Cisco SD-WAN, where command execution context and role separation are expected to restrict privilege, but improper enforcement in the CLI opens a direct escalation path NVD CVE-2022-20775 CISA KEV.

This is categorized by CISA as actively exploited, warranting immediate attention and accelerated remediation by asset owners CISA KEV.

Defense

Follow CISA Emergency Directive 26-03 for Cisco SD-WAN to assess exposure and apply mandated mitigations on impacted systems without delay CISA ED 26-03.

Use CISA’s supplemental Hunt & Hardening Guidance to drive on-box investigations for anomalous CLI activity, validate administrative account integrity, and harden management access pathways on Cisco SD-WAN devices CISA Hunt & Hardening Guidance.

Treat KEV-listed issues as priority remediation items in vulnerability management queues and track CVE-2022-20775 explicitly across inventories of Cisco SD-WAN assets CISA KEV NVD CVE-2022-20775.

Where immediate full remediation is not possible, restrict local/console and SSH access to the minimum set of administrators, enforce strong authentication on management interfaces, and intensify audit of privileged CLI sessions per CISA’s guidance for these devices CISA Hunt & Hardening Guidance CISA ED 26-03.

Monitor for indicators of privilege escalation attempts within device logs and configuration state changes, and validate the integrity of root-level binaries on affected systems during hunts CISA Hunt & Hardening Guidance.

Lyrie Verdict

This is a low-latency, local-to-root jump inside critical network fabric—exactly the class of escalation that evades human-in-the-loop response windows CISA KEV.

Lyrie’s position: detect and disrupt at machine speed on the device boundary—autonomously correlate authenticated CLI session context with privilege transitions and command execution outcomes, and enforce policies that block anomalous root-level operations consistent with CISA’s hunt-and-harden mandate for SD-WAN systems CISA Hunt & Hardening Guidance CISA ED 26-03.

If it takes a ticket to notice, it’s too late—KEV-listed, authenticated CLI escalations must be caught and contained by autonomous controls operating on the same timescale as the attacker CISA KEV.