Cisco has disclosed that two vulnerabilities in Catalyst SD-WAN Manager are being actively exploited in the wild, prompting urgent calls for patching and network hardening.
Cisco has confirmed that two vulnerabilities in its Catalyst SD-WAN Manager are under active exploitation in the wild, marking the second wave of security incidents affecting the platform in recent weeks.
The Vulnerabilities
The two flaws, tracked as CVE-2026-20122 and CVE-2026-20128, present distinct attack vectors:
CVE-2026-20122 carries a CVSS score of 7.1 and represents an arbitrary file overwrite vulnerability. This flaw could allow an authenticated, remote attacker with valid read-only credentials and API access to overwrite arbitrary files on the local file system. The attack requires the attacker to already possess valid credentials, making it a post-compromise escalation vector.
CVE-2026-20128 has a CVSS score of 5.5 and is an information disclosure vulnerability that could allow an authenticated, local attacker to gain Data Collection Agent (DCA) user privileges on an affected system. This requires valid vManage credentials but could provide attackers with elevated access within the SD-WAN infrastructure.
Patch Availability and Updates
Cisco released patches for these vulnerabilities alongside several others in late February. The fixed versions vary by release branch:
- Versions earlier than 20.91 require migration to a fixed release
- Version 20.9: Fixed in 20.9.8.2
- Version 20.11: Fixed in 20.12.6.1
- Version 20.12: Fixed in 20.12.5.3 and 20.12.6.1
- Version 20.13: Fixed in 20.15.4.2
- Version 20.14: Fixed in 20.15.4.2
- Version 20.15: Fixed in 20.15.4.2
- Version 20.16: Fixed in 20.18.2.1
- Version 20.18: Fixed in 20.18.2.1
Active Exploitation Confirmed
In a March 2026 statement, Cisco's Product Security Incident Response Team (PSIRT) acknowledged awareness of active exploitation targeting CVE-2026-20128 and CVE-2026-20122. The company did not disclose the scale of the attacks or attribution details, maintaining operational security around the ongoing threat landscape.
This disclosure follows Cisco's earlier revelation that a critical zero-day vulnerability (CVE-2026-20127, CVSS 10.0) had been exploited since 2023 by a sophisticated threat actor known as UAT-8616. That flaw enabled persistent footholds in high-value organizations through the Catalyst SD-WAN Controller and Manager.
Mitigation and Security Recommendations
Given the active exploitation, Cisco urges immediate action:
- Update to a fixed software release as soon as possible
- Limit access from unsecured networks
- Secure appliances behind firewalls
- Disable HTTP for the Catalyst SD-WAN Manager web UI administrator portal
- Turn off unnecessary network services like HTTP and FTP
- Change default administrator passwords
- Monitor log traffic for unexpected inbound and outbound connections
Broader Context
The vulnerabilities emerge amid a series of high-severity security issues affecting Cisco's enterprise portfolio. This week, the company also released updates for two maximum-severity flaws in Secure Firewall Management Center (CVE-2026-20079 and CVE-2026-20131, both CVSS 10.0). These vulnerabilities could allow unauthenticated, remote attackers to bypass authentication and execute arbitrary Java code as root on affected devices.
Industry Impact
SD-WAN infrastructure has become increasingly critical as organizations adopt distributed networking architectures. The active exploitation of these vulnerabilities underscores the growing targeting of network management systems, which often provide centralized control over enterprise-wide connectivity.
For organizations running affected versions, the combination of credential requirements and the potential for privilege escalation makes these vulnerabilities particularly concerning. While the flaws don't allow initial access, they represent significant escalation and persistence mechanisms once an attacker has obtained any level of credentials.
The timing of these disclosures, coming in rapid succession, suggests an active threat landscape targeting Cisco's enterprise networking equipment. Organizations are advised to treat these updates with the highest priority and implement the recommended security controls immediately.
Comments
Please log in or register to join the discussion