
Cisco Warns of Active Exploitation of Critical SD-WAN Manager Vulnerabilities

Cisco has confirmed that two vulnerabilities affecting its Catalyst SD-WAN Manager software are being actively exploited in the wild. These security flaws, identified as CVE-2026-20122 and CVE-2026-20128, pose significant risks to organizations relying on Cisco's Software-Defined Wide Area Network solutions.

Key Takeaways

  • Two Cisco Catalyst SD-WAN Manager vulnerabilities (CVE-2026-20122 and CVE-2026-20128) are under active exploitation.

  • CVE-2026-20122 allows arbitrary file overwrite, while CVE-2026-20128 enables information disclosure and privilege escalation.

  • Patches were released in late February 2026, and immediate upgrades are strongly recommended.

  • These exploits follow a pattern of sophisticated threat actors targeting network infrastructure.

Exploited Vulnerabilities Detailed

The vulnerabilities that Cisco has confirmed are under active exploitation are:

  • CVE-2026-20122 (CVSS score: 7.1): This is an arbitrary file overwrite vulnerability. An authenticated, remote attacker with read-only API access can exploit this flaw to overwrite arbitrary files on the local file system, potentially leading to elevated privileges.

  • CVE-2026-20128 (CVSS score: 5.5): This is an information disclosure vulnerability. An authenticated, local attacker with valid vManage credentials can exploit it to gain Data Collection Agent (DCA) user privileges on an affected system.

Cisco became aware of the active exploitation of these two specific vulnerabilities in March 2026. The company has not provided details on the scale of these attacks or the identity of the threat actors involved.

Other Vulnerabilities and Patching Information

In addition to the actively exploited flaws, Cisco's advisory also covers three other vulnerabilities: CVE-2026-20126, CVE-2026-20129, and CVE-2026-20133. While these are not known to be exploited, Cisco strongly urges all users to update their systems to a fixed software release as soon as possible.

Patches for these security defects were released in late February 2026. Affected versions and their corresponding fixed releases include:

  • Versions earlier than 20.9: Migrate to a fixed release.

  • Version 20.9: Fixed in 20.9.8.2

  • Version 20.11: Fixed in 20.12.6.1

  • Version 20.12: Fixed in 20.12.5.3 and 20.12.6.1

  • Version 20.13: Fixed in 20.15.4.2

  • Version 20.14: Fixed in 20.15.4.2

  • Version 20.15: Fixed in 20.15.4.2

  • Version 20.16: Fixed in 20.18.2.1

  • Version 20.18: Fixed in 20.18.2.1
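
The release list above can be turned into a quick inventory check. The following is an added example, not Cisco's or the article's own code: the table is transcribed from the list above, while the host names, the sample versions and the rule that a later release on the same train also carries the fix are assumptions.

```python
# Fixed releases per train, transcribed from the list above.
FIXED = {
    "20.9": ["20.9.8.2"],
    "20.11": ["20.12.6.1"],
    "20.12": ["20.12.5.3", "20.12.6.1"],
    "20.13": ["20.15.4.2"],
    "20.14": ["20.15.4.2"],
    "20.15": ["20.15.4.2"],
    "20.16": ["20.18.2.1"],
    "20.18": ["20.18.2.1"],
}

def parse(version):
    """'20.12.5.3' -> (20, 12, 5, 3); shorter versions are zero-padded."""
    parts = [int(p) for p in version.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def assess(version):
    """Return (status, targets); status is fixed, upgrade, migrate or unknown."""
    try:
        v = parse(version)
    except ValueError:
        return ("unknown", [])          # not a dotted numeric version
    if v[:2] < (20, 9):
        return ("migrate", [])          # "earlier than 20.9": move to a fixed release
    targets = FIXED.get(f"{v[0]}.{v[1]}")
    if targets is None:
        return ("unknown", [])          # train is not listed on this page
    fixes = [parse(t) for t in targets]
    # Fixed when at or above a listed fix on the same maintenance branch
    # (same first three components), e.g. 20.12.5.x >= 20.12.5.3.
    if any(v[:3] == f[:3] and v >= f for f in fixes):
        return ("fixed", [])
    # Assumption: a release newer than every listed fix on its own train has the fix.
    same_train = [f for f in fixes if f[:2] == v[:2]]
    if same_train and v > max(same_train):
        return ("fixed", [])
    return ("upgrade", targets)

# Constructed inventory: hypothetical host names and versions.
INVENTORY = {"vmanage-a": "20.9.8.2", "vmanage-b": "20.12.6.0",
             "vmanage-c": "20.11.1", "vmanage-d": "20.8.1", "vmanage-e": "20.15.4.2"}

def triage(inventory):
    """Map each host to its (status, targets) result."""
    return {host: assess(ver) for host, ver in inventory.items()}

if __name__ == "__main__":
    for host, (status, targets) in triage(INVENTORY).items():
        print(f"{host:10} {INVENTORY[host]:10} {status:8} {', '.join(targets)}")
```

Note that 20.12.6.0 is reported as needing an upgrade even though it is newer than 20.12.5.3, because each listed fix applies only from that point on its own maintenance branch.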

Broader Security Context

This disclosure follows a recent warning from Cisco about a critical zero-day vulnerability (CVE-2026-20127) in Catalyst SD-WAN Controller and Manager, which has been exploited by a sophisticated threat actor known as UAT-8616 since at least 2023. This actor has been observed compromising controllers and adding rogue peers to networks, establishing persistent footholds in high-value organizations.

Cisco also recently released updates for two maximum-severity vulnerabilities in its Secure Firewall Management Center (FMC), which could allow unauthenticated attackers to bypass authentication and execute arbitrary code.

Recommended Mitigation Steps

In light of the active exploitation, Cisco recommends the following actions:

  • Update to a fixed software release immediately.

  • Limit access from unsecured networks.

  • Secure appliances behind a firewall.

  • Disable HTTP for the Catalyst SD-WAN Manager web UI administrator portal if not required.

  • Turn off network services like HTTP and FTP if not needed.

  • Change default administrator passwords.

  • Monitor log traffic for any unexpected activity.

Organizations are urged to take these steps promptly to protect their networks from potential compromise.

Sources

  • Cisco Confirms Active Exploitation of Two Catalyst SD-WAN Manager Vulnerabilities, The Hacker News.

  • Cisco details further vulnerabilities in Catalyst SD-WAN Manager, Techzine Global.

  • Cisco Warns of More Catalyst SD-WAN Flaws Exploited in the Wild, SecurityWeek.

  • Cisco flags more SD-WAN flaws as actively exploited in attacks, BleepingComputer.

  • Active exploitation of Cisco Catalyst SD-WAN by UAT-8616, Cisco Talos Blog.
