Cisco warns of two more SD-WAN bugs under active attack

Summary

Cisco has confirmed active exploitation of two newly disclosed vulnerabilities in its Catalyst SD-WAN Manager (formerly vManage). The first, CVE-2026-20122 (CVSS 7.1), permits an authenticated remote attacker to overwrite arbitrary files on the local filesystem. The second, CVE-2026-20128 (CVSS 5.5), is an information disclosure issue that could let an authenticated local attacker gain Data Collection Agent (DCA) user privileges.

Cisco’s advisory notes attackers are already abusing both flaws but provides little detail about attack methods or attribution. The disclosure follows recent warnings — including a Five Eyes advisory — about multiple actively exploited SD-WAN vulnerabilities (for example CVE-2022-20775 and CVE-2026-20127). Cisco recommends upgrading to patched releases urgently.

Key Points

  1. Two Catalyst SD-WAN Manager vulnerabilities confirmed under active exploitation: CVE-2026-20122 (arbitrary file overwrite) and CVE-2026-20128 (information disclosure that could yield DCA user privileges).
  2. CVE-2026-20122 has a CVSS score of 7.1; CVE-2026-20128 has a CVSS score of 5.5.
  3. Cisco states attackers are actively exploiting both issues but has not published exploitation specifics or attribution.
  4. The new warnings come after Five Eyes and Cisco alerts about other SD-WAN bugs, including a path traversal (CVE-2022-20775) and a critical authentication flaw (CVE-2026-20127).
  5. Cisco Talos has linked exploitation of some SD-WAN flaws to a sophisticated actor tracked as UAT-8616; however, links to the newly reported exploits remain unclear.
  6. Immediate remediation is advised: upgrade to Cisco’s fixed software releases as soon as possible to reduce risk of compromise and persistent access.

Content Summary

Cisco’s PSIRT confirmed in March 2026 that CVE-2026-20122 and CVE-2026-20128 are being exploited in the wild against Catalyst SD-WAN Manager. The higher-severity issue allows authenticated attackers to overwrite files on affected systems, potentially facilitating follow-on actions. The other issue can expose information and elevate privileges to the DCA user level. Cisco has not shared indicators of compromise or detailed attack vectors. Organisations should treat these advisories as urgent and apply vendor fixes.

The discovery expands a growing list of SD-WAN vulnerabilities being weaponised by threat actors. Recent government and vendor warnings underline the strategic attractiveness of SD-WAN components to attackers seeking network-wide persistence and root access.

Context and Relevance

This is highly relevant for network and security teams running Cisco SD-WAN: the management plane is a high-value target because compromise can grant lateral movement and persistent control over distributed edge devices. The confirmation of active exploitation — alongside prior disclosures and government warnings — raises the overall threat level for organisations using Catalyst SD-WAN Manager.

Patch windows are shrinking: defenders should prioritise inventorying affected systems, testing and applying Cisco’s fixed releases, and monitoring for signs of compromise. The episode also reinforces wider trends of attackers focusing on infrastructure and management tooling to achieve broad impact.

Why should I read this?

Short version: if you run Cisco SD-WAN, this is one of those ‘drop everything and check your kit’ moments. The bugs let attackers overwrite files and gain privileged access, and Cisco says they’re already being abused. Read the details, find your vulnerable boxes, and patch or mitigate now — ideally before someone else does the work for you.

Source

Source: https://go.theregister.com/feed/www.theregister.com/2026/03/06/cisco_sdwan_bugs/