Cisco has confirmed that two previously disclosed vulnerabilities in its Catalyst SD-WAN Manager software are now being actively exploited in the wild. These critical security flaws, identified as CVE-2026-20122 and CVE-2026-20128, pose a significant risk to enterprise networks relying on Cisco’s software-defined wide area networking solutions. The company is urging users to implement immediate workarounds and update to patched versions to mitigate potential compromise.
The network equipment giant reported on March 5, 2026, that the Cisco Product Security Incident Response Team (PSIRT) became aware of the active exploitation of these specific vulnerabilities. Cisco has not disclosed the scale of the ongoing attacks or the identity of the threat actors involved. However, the active exploitation underscores the urgency for organizations to address these security gaps within their SD-WAN infrastructure.
Catalyst SD-WAN Manager Vulnerabilities Under Active Exploitation
The two vulnerabilities now facing active exploitation are CVE-2026-20122, an arbitrary file overwrite vulnerability, and CVE-2026-20128, an information disclosure vulnerability. CVE-2026-20122, with a CVSS score of 7.1, can be exploited by an authenticated remote attacker with read-only API access to overwrite arbitrary files on the system’s local file system. This could lead to system manipulation or denial of service.
Meanwhile, CVE-2026-20128, carrying a CVSS score of 5.5, allows an authenticated local attacker with vManage credentials to gain Data Collection Agent (DCA) user privileges. Although exploitation requires local access, this vulnerability could expand an attacker’s capabilities within the affected system, potentially leading to further lateral movement or data exfiltration.
Mitigation and Patching Recommendations
Cisco released patches for these vulnerabilities, alongside others including CVE-2026-20126, CVE-2026-20129, and CVE-2026-20133, in late February 2026. The company has provided a detailed list of fixed versions for various software releases, advising users to migrate to a fixed release, especially for versions earlier than 20.91. Specific fixes are available for versions 20.9, 20.11, 20.12, 20.13, 20.14, 20.15, 20.16, and 20.18.
In addition to updating software, Cisco recommends users take several immediate steps to limit exposure. These include restricting access from unsecured networks, securing appliances behind firewalls, disabling HTTP for the Catalyst SD-WAN Manager web UI administrator portal, and turning off unnecessary network services such as HTTP and FTP. Changing default administrator passwords and diligently monitoring log traffic for any anomalous activity are also crucial measures.
The disclosure of active exploitation for these flaws follows closely on the heels of Cisco’s announcement regarding a critical security flaw in Catalyst SD-WAN Controller and Manager (CVE-2026-20127), which has a CVSS score of 10.0. This critical vulnerability has reportedly been exploited by a sophisticated threat actor, identified as UAT-8616, to gain persistent access within high-value organizations.
Furthermore, this week saw Cisco release updates to address two maximum-severity security vulnerabilities in Cisco Secure Firewall Management Center (CVE-2026-20079 and CVE-2026-20131), both with CVSS scores of 10.0. These vulnerabilities could allow unauthenticated remote attackers to bypass authentication and execute arbitrary Java code as root on affected devices, posing a severe threat to network perimeter security.
Organizations utilizing Cisco’s SD-WAN solutions are strongly advised to prioritize these updates and security recommendations. The ongoing trend of active exploitation of both newly disclosed and previously reported vulnerabilities highlights the persistent threats facing enterprise security. Further advisories from Cisco and cybersecurity research firms will be crucial in understanding the evolving threat landscape and ensuring comprehensive protection against advanced persistent threats.

