CVE-2023-20252 Overview
CVE-2023-20252 is an authentication bypass vulnerability in the Security Assertion Markup Language (SAML) APIs of Cisco Catalyst SD-WAN Manager Software. An unauthenticated, remote attacker can send crafted requests directly to the SAML API and generate an authorization token. The token grants access to the application as an arbitrary user.
The weakness is tracked under [CWE-862] Missing Authorization and [CWE-287] Improper Authentication. Cisco lists Cisco Catalyst SD-WAN Manager releases 20.9.3.2 and 20.11.1.2 as affected. Cisco published the issue in advisory cisco-sa-sdwan-vman-sc-LRLfu2z.
Critical Impact
An unauthenticated attacker with network access to the SD-WAN Manager can impersonate any user, including administrators, and seize full control of the SD-WAN fabric.
Affected Products
- Cisco Catalyst SD-WAN Manager 20.9.3.2
- Cisco Catalyst SD-WAN Manager 20.11.1.2
- Deployments of those releases with SAML SSO enabled, including multi-tenant deployments
Discovery Timeline
- 2023-09-27 - CVE-2023-20252 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2023-20252
Vulnerability Analysis
The vulnerability resides in the SAML API endpoints exposed by Cisco Catalyst SD-WAN Manager. SD-WAN Manager (formerly vManage) acts as the centralized controller for orchestration, configuration, and monitoring of SD-WAN deployments. Its SAML interface normally brokers single sign-on assertions issued by an external identity provider.
Improper authentication checks on these SAML APIs allow direct interaction without a valid SAML assertion. The flaw maps to [CWE-287] Improper Authentication and [CWE-862] Missing Authorization. An attacker that successfully exploits the issue obtains an authorization token tied to an arbitrary user identity.
With that token, the attacker can call any management API the impersonated account can reach. Administrator impersonation yields control over device templates, policies, and credentials across the SD-WAN fabric.
Root Cause
Cisco attributes the issue to improper authentication checks on the SAML APIs; the advisory does not describe the defect in more detail. What the advisory does establish is that a crafted request to the SAML API, sent without any assertion issued by the identity provider, causes SD-WAN Manager to mint an authorization token for a user of the attacker's choosing. In other words, the token-issuance path does not require proof that a signed SAML response bound to the requested identity was ever presented.
Attack Vector
Exploitation requires only network reachability to the SD-WAN Manager web interface. No prior authentication, user interaction, or special privileges are needed. The attacker sends HTTP requests to the vulnerable SAML endpoint and parses the returned token from the response. The token is then attached to subsequent API or web UI requests to act as the chosen user.
No public proof-of-concept code or in-the-wild exploitation has been confirmed. Refer to the Cisco Security Advisory for vendor-supplied technical details.
Detection Methods for CVE-2023-20252
Indicators of Compromise
- HTTP requests to SAML API paths on SD-WAN Manager from addresses outside the approved administrative ranges. Note that in a browser-based SSO flow the SAML response is POSTed by the user's browser, so the expected sources are administrator workstations rather than the identity provider itself; filter on approved client ranges, not on the IdP address alone.
- Session tokens issued to any username, administrative accounts above all, without a corresponding SAML response event on the identity provider for that user shortly beforehand.
- Configuration changes, template pushes, or new admin accounts originating from sessions with no prior login event.
Detection Strategies
- Correlate SD-WAN Manager authentication logs with identity provider SAML response logs and alert on tokens issued without a matching IdP event.
- Inspect web server access logs for direct calls to SAML API endpoints from unexpected client IPs or user agents.
- Baseline normal SAML traffic volume and alert on spikes or repeated token-generation attempts.
Monitoring Recommendations
- Forward SD-WAN Manager vmanage-server.log and audit logs to a centralized SIEM with retention sufficient for incident review.
- Monitor privileged API actions such as policy edits, device onboarding, and user creation for sessions lacking a verified login.
- Alert on management plane access from networks outside approved administrative ranges.
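The correlation described under Detection Strategies (tokens issued without a matching IdP event, SAML API calls from unapproved sources) and the check under Monitoring Recommendations (privileged actions from sessions with no verified login), as an added example that is not part of the original page and is not Cisco tooling. The log lines, the key=value layout, the field names (token_issued, session=, action=), the /samlLoginResponse path and the 10.20.0.0/24 administrative range are all constructed assumptions; real vmanage-server.log and IdP audit formats differ, so the parsing must be adapted before use.

```python
"""Correlate SD-WAN Manager token issuance with IdP SAML events.

Added illustration, not Cisco code. All log lines and field names below are
constructed assumptions; real vmanage-server.log and IdP audit formats differ.
"""
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed SD-WAN Manager events (hypothetical key=value format).
MANAGER_LOG = """\
2023-10-02T10:00:00Z http src=10.20.0.5 path=/samlLoginResponse status=200
2023-10-02T10:00:01Z token_issued user=netops1 session=a1b2 src=10.20.0.5
2023-10-02T10:15:40Z http src=198.51.100.23 path=/samlLoginResponse status=200
2023-10-02T10:15:40Z token_issued user=admin session=c3d4 src=198.51.100.23
2023-10-02T10:16:02Z api session=c3d4 action=create_user target=svc-backup
2023-10-02T10:20:00Z api session=a1b2 action=push_template target=branch-01
2023-10-02T10:25:00Z api session=zz99 action=edit_policy target=data-policy-1
"""

# Constructed identity-provider events: one SAML response issued for netops1,
# none for the "admin" token above.
IDP_LOG = """\
2023-10-02T09:59:58Z saml_response subject=netops1 sp=sdwan-manager
"""

ADMIN_RANGES = [ipaddress.ip_network("10.20.0.0/24")]  # assumption: admin subnet
SAML_PATHS = {"/samlLoginResponse"}  # assumption: placeholder SAML ACS path
PRIVILEGED_ACTIONS = {"create_user", "push_template", "edit_policy"}
MATCH_WINDOW = timedelta(minutes=5)  # IdP event must precede the token by <= this
TIMESTAMP = "%Y-%m-%dT%H:%M:%SZ"
KEY_VALUE = re.compile(r"(\w+)=(\S+)")


def parse_events(log):
    """Yield (timestamp, event_kind, fields) tuples from the constructed format."""
    for line in log.splitlines():
        if not line.strip():
            continue
        stamp, kind, rest = line.split(" ", 2)
        yield datetime.strptime(stamp, TIMESTAMP), kind, dict(KEY_VALUE.findall(rest))


def analyze(manager_log, idp_log, admin_ranges=ADMIN_RANGES, window=MATCH_WINDOW):
    """Return a list of (finding, subject, detail) tuples, in log order.

    Three checks, matching the strategies in the text:
      1. SAML API requests from outside the approved administrative ranges.
      2. Tokens issued without a preceding IdP SAML response for that user.
      3. Privileged API actions from sessions whose token was never verified.
    """
    idp_events = [(ts, f["subject"]) for ts, kind, f in parse_events(idp_log)
                  if kind == "saml_response"]
    verified_sessions = set()
    findings = []
    for ts, kind, f in parse_events(manager_log):
        if kind == "http" and f.get("path") in SAML_PATHS:
            src = ipaddress.ip_address(f["src"])
            if not any(src in net for net in admin_ranges):
                findings.append(("saml_path_from_unapproved_source", f["src"], f["path"]))
        elif kind == "token_issued":
            backed_by_idp = any(subject == f["user"] and timedelta(0) <= ts - idp_ts <= window
                                for idp_ts, subject in idp_events)
            if backed_by_idp:
                verified_sessions.add(f["session"])
            else:
                findings.append(("token_without_idp_assertion", f["user"], f["session"]))
        elif kind == "api" and f.get("action") in PRIVILEGED_ACTIONS:
            if f["session"] not in verified_sessions:
                findings.append(("privileged_action_unverified_session", f["session"], f["action"]))
    return findings


if __name__ == "__main__":
    for finding in analyze(MANAGER_LOG, IDP_LOG):
        print(*finding)
```

On the constructed input this reports the SAML API call from 198.51.100.23, the admin token with no IdP event behind it, the user creation performed from that session, and a policy edit from a session that never had a login event at all. The five-minute window is the only tunable worth thinking about: make it as tight as clock skew between the IdP and SD-WAN Manager allows, since a generous window lets an attacker piggyback on a legitimate administrator's SSO login that happened minutes earlier.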
How to Mitigate CVE-2023-20252
Immediate Actions Required
- Upgrade Cisco Catalyst SD-WAN Manager to a fixed release listed in advisory cisco-sa-sdwan-vman-sc-LRLfu2z.
- Restrict network access to the SD-WAN Manager management interface to trusted administrative subnets and jump hosts.
- Rotate administrative credentials and API tokens after patching, then review audit logs for unauthorized changes.
Patch Information
Cisco has released fixed software addressing CVE-2023-20252. The affected releases are 20.9.3.2 and 20.11.1.2. Customers should consult the Cisco Security Advisory for the complete fixed-release matrix and upgrade guidance. The vulnerability only applies to deployments with SAML SSO enabled.
Workarounds
The measures below reduce exposure while the upgrade is scheduled; they are defensive controls, not a substitute for the fixed release.
- Disable SAML single sign-on on SD-WAN Manager until the upgrade is applied, where operationally feasible.
- Enforce strict access control lists on the management VPN so only administrator workstations (and the identity provider, if it initiates connections to the Manager) can reach the SAML API endpoints.
- Place SD-WAN Manager behind a reverse proxy or WAF that restricts the SAML API paths to approved source addresses. Filtering by authentication state is not possible here: the malicious request arrives at the same endpoints, and in the same unauthenticated form, as a legitimate SAML response POSTed by an administrator's browser, so source-based allow-listing is the effective control.
# Example Cisco IOS extended ACL restricting management-plane access to approved subnets.
# 10.10.0.0/24 and the host placeholders are illustrative; substitute your own values.
# This permits only HTTPS: add entries for any other management or control-plane
# traffic the Manager must accept (SSH, NETCONF, controller connections) before applying,
# or the deny line will cut them off.
ip access-list extended SDWAN-MGMT-ACL
 permit tcp 10.10.0.0 0.0.0.255 host <sdwan-manager-ip> eq 443
 permit tcp host <idp-server-ip> host <sdwan-manager-ip> eq 443
 deny ip any host <sdwan-manager-ip> log
# Apply inbound on the interface facing the untrusted network
interface <untrusted-interface>
 ip access-group SDWAN-MGMT-ACL in
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

