Cisco SD-WAN Vulnerabilities Under Active Attack: Federal Agencies Given 4-Day Patch Deadline

Privacy Reporter

CISA has added three critical Cisco Catalyst SD-WAN Manager vulnerabilities to its Known Exploited Vulnerabilities Catalog, requiring federal agencies to patch within four days as attackers actively exploit the flaws.

The US Cybersecurity and Infrastructure Security Agency (CISA) has escalated its response to a series of critical vulnerabilities in Cisco's Catalyst SD-WAN Manager platform, adding three new CVEs to its Known Exploited Vulnerabilities Catalog and mandating federal agencies to patch within just four days.

Critical Vulnerabilities Discovered

The three newly added vulnerabilities represent serious security flaws that could allow attackers to gain unauthorized access to affected systems:

CVE-2026-20128 - Information Disclosure Vulnerability

This flaw exists in the Data Collection Agent (DCA) feature of Cisco Catalyst SD-WAN Manager. Attackers can exploit this vulnerability to gain DCA user privileges on affected systems without authentication, providing a foothold for further attacks.

CVE-2026-20133 - Information Disclosure Vulnerability

Another information disclosure bug that allows unauthenticated, remote attackers to view sensitive information on affected systems. This vulnerability could expose configuration details, credentials, or other sensitive data.

CVE-2026-20122 - Arbitrary File Overwrite Vulnerability

This critical flaw allows authenticated remote attackers with valid read-only API credentials to upload malicious files, overwrite arbitrary local files, and ultimately gain vManage user privileges. This represents a significant escalation path for attackers.

Federal Agency Response Required

CISA's decision to add these vulnerabilities to its catalog comes with strict requirements. Federal agencies have been given until Thursday to patch these security holes, representing an unusually short timeframe that underscores the severity of the threat.

This action follows Cisco's own warnings from March 2026, when the company's Product Security Incident Response Team (PSIRT) became aware of active exploitation of CVE-2026-20128 and CVE-2026-20122. However, at the time of Cisco's advisory, CVE-2026-20133 was not listed as being under active exploitation.

Platform Impact

Cisco's Catalyst SD-WAN Manager, formerly known as vManage, serves as the central management platform for many organizations' SD-WAN deployments. The platform can manage up to 6,000 edge devices in a cluster, making it a critical component of enterprise network infrastructure.

The platform's central role in network management makes these vulnerabilities particularly concerning, as successful exploitation could provide attackers with extensive visibility and control over an organization's network infrastructure.

Attack Scope and Attribution

At the time of publication, Cisco had not responded to questions about the scope of attacks or the identity of the attackers exploiting these vulnerabilities. This lack of information makes it difficult to assess the full impact of the ongoing attacks or to attribute them to specific threat actors.

Historical Context

These vulnerabilities are part of a broader pattern of security issues affecting Cisco's SD-WAN products. The Five Eyes intelligence alliance has previously warned about the need to patch Cisco SD-WAN vulnerabilities to prevent root-level takeovers.

Cisco's response timeline shows that all three CVEs were patched in late February, with the company issuing warnings about active exploitation in March. This timeline suggests that attackers may have had access to exploit code for several weeks before CISA's intervention.

Industry Implications

The rapid escalation from Cisco's initial warnings to CISA's mandatory patching requirements highlights the serious nature of these vulnerabilities and the potential for widespread impact across government and enterprise networks.

Organizations using Cisco Catalyst SD-WAN Manager should prioritize patching these vulnerabilities immediately, regardless of whether they fall under CISA's federal mandate. The combination of information disclosure and arbitrary file overwrite vulnerabilities presents a significant risk that could lead to complete system compromise.

Technical Analysis

The three vulnerabilities represent different attack vectors that, when combined, provide attackers with multiple paths to compromise:

  1. Initial Access - CVE-2026-20128 and CVE-2026-20133 provide unauthenticated access for information gathering
  2. Privilege Escalation - CVE-2026-20122 allows authenticated users to escalate privileges through file manipulation
  3. Persistence - The ability to overwrite arbitrary files enables attackers to establish persistent access

Chained together, these flaws give an attacker a route from unauthenticated information gathering to vManage user privileges on the management platform, and with them influence over the entire SD-WAN deployment that platform controls.

Recommendations

Organizations should:

  • Immediately apply Cisco's February patches for all three CVEs
  • Review access logs for any suspicious activity related to the affected components
  • Consider network segmentation to limit the impact of potential compromise
  • Monitor for indicators of compromise related to these vulnerabilities
  • Implement additional monitoring for SD-WAN management interfaces
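As an added example (not from the article or from Cisco), the log-review and monitoring items above can be turned into a first-pass triage over management-interface logs. The records below are constructed in a generic JSON-lines shape and are an assumption, not Cisco Catalyst SD-WAN Manager's real log format; the two checks follow directly from the advisory descriptions: successful file uploads or writes by accounts holding only read-only API credentials (the CVE-2026-20122 path) and successful requests to the DCA component with no authenticated user (the CVE-2026-20128 path).

```python
import json

# Constructed sample records in a generic JSON-lines shape. This is NOT the
# actual Cisco Catalyst SD-WAN Manager log format (assumption for the demo).
SAMPLE_LOG = """
{"ts":"2026-03-02T10:01:05Z","user":"netops-ro","role":"read-only","component":"api","action":"GET","status":200}
{"ts":"2026-03-02T10:01:09Z","user":"netops-ro","role":"read-only","component":"api","action":"UPLOAD","status":200}
{"ts":"2026-03-02T10:02:11Z","user":null,"role":null,"component":"dca","action":"GET","status":200}
{"ts":"2026-03-02T10:02:15Z","user":null,"role":null,"component":"dca","action":"GET","status":401}
{"ts":"2026-03-02T10:03:00Z","user":"admin","role":"admin","component":"api","action":"UPLOAD","status":200}
""".strip()

# Actions that write files on the manager; a read-only credential should never succeed at these.
WRITE_ACTIONS = {"UPLOAD", "PUT", "POST", "DELETE"}


def triage(log_text):
    """Return a list of (timestamp, reason) findings for events matching the two advisory patterns.

    Only successful (status 200) events are reported, so failed probes do not add noise;
    a separate count of failed unauthenticated DCA requests would be a reasonable extension.
    """
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ok = ev.get("status") == 200
        # CVE-2026-20122 pattern: read-only API credentials performing a successful write/upload.
        if ok and ev.get("role") == "read-only" and ev.get("action") in WRITE_ACTIONS:
            findings.append((ev["ts"], "read-only credential succeeded at %s (possible CVE-2026-20122 use)" % ev["action"]))
        # CVE-2026-20128 pattern: successful request to the DCA component with no authenticated user.
        if ok and ev.get("component") == "dca" and not ev.get("user"):
            findings.append((ev["ts"], "unauthenticated successful DCA access (possible CVE-2026-20128 use)"))
    return findings


if __name__ == "__main__":
    for ts, reason in triage(SAMPLE_LOG):
        print(ts, reason)
```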

The rapid response required by CISA underscores the critical nature of these vulnerabilities and the need for immediate action to protect federal and enterprise networks from ongoing attacks.
