Cisco SD-WAN under siege: Two more critical bugs actively exploited
#Vulnerabilities

Privacy Reporter

Cisco warns that attackers are actively exploiting two new vulnerabilities in its SD-WAN management software, adding to an already serious security crisis affecting organizations worldwide.

Cisco has issued an urgent warning that attackers are actively exploiting two new critical vulnerabilities in its SD-WAN management software, marking the latest escalation in what security experts describe as a coordinated campaign against enterprise network infrastructure.

The newly disclosed flaws affect Cisco Catalyst SD-WAN Manager, the central management platform for many organizations' SD-WAN deployments. One vulnerability, CVE-2026-20122, carries a CVSS score of 7.1 and allows authenticated remote attackers to overwrite arbitrary files on the local filesystem. The second issue, CVE-2026-20128, is rated at 5.5 and could enable authenticated local attackers to gain Data Collection Agent (DCA) user privileges on affected systems.

According to Cisco's advisory, "In March 2026, the Cisco PSIRT became aware of active exploitation of the vulnerabilities that are described in CVE-2026-20128 and CVE-2026-20122 only." The company confirmed that these flaws are currently being exploited in the wild but provided no details about the attackers' identities, methods, or whether the activity is connected to previously disclosed campaigns.

A growing pattern of attacks

The timing of these disclosures is particularly concerning. Just days earlier, Cisco had warned about active exploitation of two other vulnerabilities in the same SD-WAN infrastructure. The first, CVE-2022-20775, is a path traversal flaw affecting the SD-WAN command-line interface that can lead to privilege escalation. The second, CVE-2026-20127, is a maximum-severity authentication issue affecting Catalyst SD-WAN Controller and Manager platforms.

Five Eyes intelligence agencies, including Britain's National Cyber Security Centre, have been tracking these attacks. The NCSC reported that "malicious cyber threat actors are targeting Cisco Catalyst SD-WAN used by organizations globally" and described how attackers are compromising SD-WAN deployments to add malicious rogue peers, conduct follow-on actions, achieve root access, and maintain persistent access to the network.

Cisco Talos has linked exploitation of CVE-2026-20127 to a group it tracks as UAT-8616, describing it as a "highly sophisticated cyber threat actor." The company said available evidence suggests this bug may have been exploited since at least 2023, though no specific country has been attributed to the activity.

The stakes for enterprise networks

SD-WAN technology has become critical infrastructure for many organizations, providing secure, optimized connectivity across distributed networks. Centralized management platforms such as Catalyst SD-WAN Manager are high-value targets because compromising one can give attackers broad visibility into, and control over, the network it manages.

File overwrite vulnerabilities like CVE-2026-20122 are particularly dangerous because they can be used to deploy malicious code, modify configuration files, or create backdoors that persist even after patches are applied. The local privilege flaw CVE-2026-20128, which grants Data Collection Agent (DCA) user privileges, is rated lower in severity but could still give attackers the foothold needed to escalate privileges further and move laterally through the network.

Urgent patching required

Cisco's recommendation is unequivocal: "Cisco strongly recommends that customers upgrade to a fixed software release to remediate these vulnerabilities." However, patching enterprise network infrastructure is rarely a simple process. SD-WAN deployments often span multiple sites, involve complex configurations, and may require scheduled maintenance windows that can delay critical updates.

The company has not provided specific patch versions or timelines, leaving many network administrators scrambling to assess their exposure and plan remediation. The lack of indicators of compromise or detailed attack information further complicates defensive efforts, as organizations must rely on general security best practices rather than targeted threat hunting.

Broader implications for network security

This wave of actively exploited vulnerabilities in Cisco's SD-WAN products highlights several concerning trends in enterprise cybersecurity. First, it demonstrates how critical infrastructure components are increasingly targeted by sophisticated threat actors. Second, it shows the challenges organizations face in maintaining complex network systems that must balance security, performance, and availability.

The situation also raises questions about supply chain security and the risks inherent in relying on a single vendor for critical infrastructure. As network architectures become more centralized and cloud-managed, the potential impact of a vulnerability in a management platform grows with the number of devices and sites that platform controls.

For organizations running Cisco SD-WAN gear, the message is clear: the window for patching is closing rapidly, and the consequences of delay could be severe. Network administrators should prioritize these updates, review their security configurations, and prepare for potential follow-on attacks that may exploit these initial vulnerabilities as stepping stones to deeper network compromise.

As the cybersecurity community continues to monitor this developing situation, one thing is certain: the attackers have demonstrated both capability and intent, and defenders must respond with equal urgency to protect their critical network infrastructure.
