Cisco has confirmed active exploitation of two serious vulnerabilities in its Catalyst SD-WAN Manager software. The flaws, tracked as CVE-2026-20122 and CVE-2026-20128, are already being used by attackers in the wild. Organizations relying on SD-WAN for global connectivity must prioritize patching today to prevent unauthorized access and data loss.
What Are the Two Exploited Vulnerabilities?
CVE-2026-20122 carries a CVSS score of 7.1 and allows an authenticated remote attacker with read-only API credentials to overwrite arbitrary files on the local file system. Successful exploitation grants the attacker vmanage user privileges. The root cause stems from improper file handling in the API interface.
CVE-2026-20128 scores 5.5 and enables an authenticated local attacker with valid vmanage credentials to disclose sensitive DCA user credentials. This information disclosure can let attackers gain DCA user privileges on other affected systems. The flaw exists because a credential file for the Data Collection Agent is accessible on the filesystem.
Both vulnerabilities affect Catalyst SD-WAN Manager regardless of configuration. Cisco released fixes in late February 2026, but active exploitation was only confirmed in March 2026.
Context Within Broader SD-WAN Attacks
These two flaws form part of a larger Cisco advisory covering five vulnerabilities in Catalyst SD-WAN Manager and Controller. While CVE-2026-20127 (a critical authentication bypass) has drawn separate attention from CISA and Talos, the confirmed in-the-wild activity targets CVE-2026-20122 and CVE-2026-20128 specifically.
Attackers with initial read-only access can escalate privileges through file overwrites and credential theft. This chain aligns with sophisticated campaigns tracked as UAT-8616. Enterprises using SD-WAN for branch connectivity and cloud access face heightened risk.
Who Is at Risk and Why It Matters Globally
Any organization running Catalyst SD-WAN Manager versions before the fixed releases is vulnerable. This includes large enterprises, service providers, and government agencies managing thousands of remote sites. SD-WAN powers critical infrastructure worldwide, making these exploits a global concern.
Attackers do not need unauthenticated access for these specific flaws. However, once inside with basic credentials, they can overwrite files or steal credentials to escalate privileges. The result can include full fabric compromise, data exfiltration, or ransomware deployment.
In 2026, SD-WAN adoption continues to surge for hybrid work and cloud connectivity. A single unpatched manager instance can expose an entire organization's network backbone.
Confirmed Active Exploitation Details
Cisco PSIRT stated: "In March 2026, the Cisco PSIRT became aware of active exploitation of the vulnerabilities that are described in CVE-2026-20128 and CVE-2026-20122 only." No public proof-of-concept exploits are known, but real-world attacks are underway.
Related intelligence from CISA and international partners highlights ongoing campaigns against SD-WAN systems. Defenders should assume sophisticated actors are scanning for vulnerable instances right now.
🚨 Cisco just issued an urgent alert: Two Catalyst SD-WAN Manager vulnerabilities are being actively exploited in the wild. Patch your systems NOW! #Cisco #Cybersecurity
— X CyberSec (@xcybersecnews) March 5, 2026
Immediate Patching Instructions
Upgrade to one of the fixed releases immediately. Cisco provides the following patched versions:
For release 20.9: upgrade to 20.9.8.2. For 20.11 and 20.12: move to 20.12.6.1 or 20.12.5.3. Releases 20.13 through 20.15 require 20.15.4.2. Newer 20.16 and 20.18 branches need 20.18.2.1.
Versions earlier than 20.9 should migrate to a supported fixed release. Releases 20.18 and later are not affected by CVE-2026-20128. Check your current version in the SD-WAN Manager dashboard and follow Cisco's upgrade matrix for zero-downtime procedures.
There are no workarounds. Patching is the only remediation. Cisco strongly recommends upgrading even if you believe credentials are secure.
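As an added example (not Cisco's own tooling or its upgrade matrix), this Python helper encodes the fixed-release mapping above and flags which inventory entries still need an upgrade; the hostnames and versions passed to it are constructed, and branches the article does not list are reported rather than guessed.

```python
"""Triage Catalyst SD-WAN Manager versions against the fixed releases the
article lists (added example; not Cisco tooling or Cisco's upgrade matrix)."""
# Branch (major, minor) -> fixed releases, as given in the patching section.
FIXED_RELEASES = {
    (20, 9): ("20.9.8.2",),
    (20, 11): ("20.12.6.1", "20.12.5.3"),
    (20, 12): ("20.12.6.1", "20.12.5.3"),
    (20, 13): ("20.15.4.2",),
    (20, 14): ("20.15.4.2",),
    (20, 15): ("20.15.4.2",),
    (20, 16): ("20.18.2.1",),
    (20, 18): ("20.18.2.1",),
}
OLDEST_SUPPORTED_BRANCH = (20, 9)  # older branches must migrate forward
CVE_20128_FIXED_FROM = (20, 18)    # 20.18 and later: CVE-2026-20128 does not apply

def parse_version(text):
    """'20.12.5.3' -> (20, 12, 5, 3); shorter strings are zero-padded."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if not 2 <= len(parts) <= 4:
        raise ValueError(f"unexpected version string: {text!r}")
    return parts + (0,) * (4 - len(parts))

def assess(version):
    """Classify one running version and name the fixed release(s) to move to.

    Patched only when at or above a listed fix in the SAME maintenance train
    (20.12.6.0 is not covered by 20.12.6.1). Branches the article omits are
    reported, not guessed: check Cisco's upgrade matrix for those.
    """
    v = parse_version(version)
    branch = v[:2]
    report = {"version": version, "recommended": (),
              "cve_2026_20128_applies": branch < CVE_20128_FIXED_FROM}
    if branch < OLDEST_SUPPORTED_BRANCH:
        report["status"] = "migrate_to_supported_release"
    elif branch not in FIXED_RELEASES:
        report["status"] = "not_listed_consult_cisco_matrix"
    else:
        fixes = FIXED_RELEASES[branch]
        patched = any(v[:3] == f[:3] and v >= f for f in map(parse_version, fixes))
        report["status"] = "patched" if patched else "vulnerable"
        report["recommended"] = () if patched else fixes
    return report

def needs_action(inventory):
    """inventory: {hostname: version}. Returns [(host, report)] for anything not patched."""
    reports = ((host, assess(ver)) for host, ver in inventory.items())
    return [(host, r) for host, r in reports if r["status"] != "patched"]
```

Feed it the version strings read from each manager's dashboard; anything other than "patched" goes on the 24-48 hour patching schedule.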
Read the official Cisco Security Advisory here
Step-by-Step Detection and Response
Review system logs for unusual API file upload activity or unexpected DCA credential access. Monitor for file modifications in critical directories and unexpected privilege changes on vmanage or DCA accounts.
Collect admin-tech files and upload them to a Cisco TAC case for expert analysis. Use the provided guidance to rebuild the SD-WAN fabric if compromise is suspected. Snapshot virtual instances before any changes.
Scan external-facing interfaces for unauthorized connections. Restrict API access to trusted IP ranges only. Enable verbose logging and forward to a SIEM for real-time alerting.
Proactive Hardening Best Practices
Place Catalyst SD-WAN Manager behind a firewall and allow traffic only from known trusted hosts. Disable HTTP for the web UI and unnecessary services like FTP. Always use strong SSL/TLS certificates.
Change default admin passwords immediately and create role-based operator accounts. Implement least-privilege principles for all API users. Regularly audit credentials and rotate them.
Follow the full Cisco Catalyst SD-WAN Hardening Guide. Send logs to an external server and retain them long enough for forensic review. Consider network segmentation to limit lateral movement.
Access the official Cisco SD-WAN Hardening Guide
Real-World Impact and Lessons from Past Incidents
Similar SD-WAN exploits in recent years have led to full network takeovers and weeks of downtime. The combination of file overwrite and credential disclosure here mirrors tactics used in advanced persistent threats.
Global organizations must treat SD-WAN managers as high-value assets. A single breach can disrupt branch offices, cloud access, and zero-trust architectures. Budget for rapid patching cycles and regular vulnerability scanning.
Security teams should integrate these CVEs into their risk registers today. Test patching processes in a lab environment to ensure minimal disruption during production rollout.
Cisco flags more SD-WAN flaws as actively exploited in attacks. Catalyst SD-WAN Manager (formerly vManage) is network management software that enables admins to monitor and manage up to 6,000 Catalyst SD-WAN devices from a single centralized dashboard.
— Riskigy (@riskigy) March 5, 2026
Long-Term Strategy for Quantum-Resistant and Secure SD-WAN
While these flaws are conventional software bugs, the rise of post-quantum threats makes SD-WAN security even more critical. Plan migrations to the latest supported releases now. Combine patching with continuous monitoring and zero-trust network access controls.
Conduct quarterly penetration tests focused on SD-WAN components. Train staff on credential hygiene and API security. Partner with managed service providers who specialize in Cisco infrastructure.
The current campaign proves that even authenticated access vectors remain dangerous. Stay ahead by treating every advisory update as an emergency.
Final Action Checklist for Security Leaders
Inventory all Catalyst SD-WAN Manager instances today. Verify current software versions against the fixed release list. Schedule patching windows within the next 24-48 hours.
Notify stakeholders and update incident response plans. Share this guidance with your team and third-party vendors. Monitor Cisco PSIRT and CISA alerts for new developments.
By acting decisively, organizations can neutralize these active threats and strengthen their overall network posture. SD-WAN remains a strategic advantage when properly secured.
Security is an ongoing journey. The Cisco Catalyst SD-WAN exploits serve as a timely reminder that vigilance and rapid response save millions in potential breach costs. Patch now and stay protected.