Cisco Warns of Active Exploitation Targeting Catalyst SD-WAN Manager Vulnerabilities
Two newly confirmed vulnerabilities in Cisco Catalyst SD-WAN Manager are under active exploitation, raising concerns for enterprises relying on SD-WAN infrastructure.

Cisco has confirmed that attackers are actively exploiting two security vulnerabilities affecting Cisco Catalyst SD-WAN Manager, previously known as Cisco SD-WAN vManage. The vulnerabilities could allow attackers with limited credentials to manipulate system files and escalate privileges, potentially leading to deeper access inside enterprise networks.
The vulnerabilities, tracked as CVE-2026-20122 and CVE-2026-20128, are already being exploited in real-world attacks, according to the Cisco Product Security Incident Response Team (PSIRT). While Cisco has not disclosed the scale of the attacks or the threat actors involved, the company has confirmed that exploitation activity was observed during March 2026.
Arbitrary File Overwrite Vulnerability
CVE-2026-20122 carries a CVSS score of 7.1 and allows an authenticated remote attacker to overwrite arbitrary files on the system.
Exploitation requires that the attacker already hold valid read-only credentials with API access. Once exploited, the vulnerability could allow attackers to manipulate system files, potentially altering configurations or injecting malicious content.
Although the vulnerability requires authentication, security experts warn that compromised credentials or weak access controls could make exploitation easier for threat actors targeting enterprise infrastructure.
Information Disclosure and Privilege Escalation
The second vulnerability, CVE-2026-20128, has a CVSS score of 5.5 and enables a local authenticated attacker to gain the privileges of the Data Collection Agent (DCA) user.
This means attackers who already hold valid SD-WAN Manager (vManage) credentials could escalate their privileges and gain deeper visibility into network data collection processes. As a result, they could access sensitive operational information or use that access to move laterally inside the network.
Patches Already Released
Cisco released security patches addressing these vulnerabilities along with additional issues, including CVE-2026-20126, CVE-2026-20129, and CVE-2026-20133.
Organizations using Cisco Catalyst SD-WAN Manager should upgrade to the latest secure versions immediately. Cisco recommends migrating to fixed releases if systems run versions earlier than 20.9.1 and applying updated builds for versions across the 20.x release cycle.
Timely patching is critical because SD-WAN infrastructure often manages large-scale enterprise connectivity, making it a high-value target for cyber attackers.
Earlier Critical Exploit Raises Concern
The latest warning comes shortly after Cisco revealed active exploitation of another critical vulnerability, CVE-2026-20127, affecting Cisco Catalyst SD-WAN Controller and Catalyst SD-WAN Manager.
That flaw carried a CVSS score of 10.0 and was reportedly exploited by a sophisticated threat actor tracked as UAT-8616. The attackers used the vulnerability to establish persistent access within high-value enterprise environments.
This pattern suggests that network management infrastructure is increasingly becoming a strategic target for cyber espionage and long-term persistence campaigns.
Additional Critical Vulnerabilities in Cisco Firewall Systems
At the same time, Cisco released emergency security updates addressing two maximum-severity vulnerabilities affecting Cisco Secure Firewall Management Center.
The vulnerabilities CVE-2026-20079 and CVE-2026-20131 could allow an unauthenticated remote attacker to bypass authentication and execute arbitrary Java code with root privileges.
Such flaws represent a serious risk because they could allow attackers to take full control of firewall management infrastructure.
Recommended Security Measures
Cisco urges organizations to take immediate action to reduce their exposure. Security teams should:
- Upgrade to patched software versions immediately
- Restrict access to management interfaces from unsecured networks
- Place SD-WAN management systems behind firewalls
- Disable HTTP access to the administrative portal when possible
- Turn off unnecessary services such as HTTP or FTP
- Change default administrator credentials
- Monitor logs for suspicious network traffic or unauthorized access
Additionally, organizations should strengthen identity and access controls because many modern network attacks begin with compromised credentials.
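The checklist above can be turned into a simple inventory triage. The following is an added example, not code from the article or from Cisco: it applies the article's 20.9.1 migration threshold and its hardening items to a constructed list of SD-WAN Manager instances. The inventory records, their field names and the sample version strings are assumptions made for the example.

```python
# Added example (not from the article or Cisco): triage an SD-WAN Manager
# inventory against the article's guidance. The 20.9.1 threshold comes from
# the article; the records and field names below are constructed.
import re

MIGRATE_BELOW = (20, 9, 1)  # releases earlier than this should migrate to a fixed release

def parse_version(text):
    """Parse 'major.minor.patch' into an int tuple; return None if malformed."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(x) for x in m.groups()) if m else None

def triage(host):
    """Return a list of (severity, finding) pairs for one inventory record."""
    findings = []
    ver = parse_version(host["version"])
    if ver is None:
        findings.append(("high", "unparseable version; verify manually"))
    elif ver < MIGRATE_BELOW:  # tuple compare is numeric, so 20.12.x > 20.9.1
        findings.append(("high", "release earlier than 20.9.1: migrate to a fixed release"))
    else:
        findings.append(("medium", "20.x release: confirm the updated fixed build is applied"))
    if host.get("mgmt_reachable_from_untrusted"):
        findings.append(("high", "management interface reachable from untrusted networks"))
    if host.get("http_portal_enabled"):
        findings.append(("medium", "HTTP access to admin portal enabled; disable if possible"))
    if host.get("default_admin_password"):
        findings.append(("high", "default administrator credentials still in use"))
    return findings

# Constructed sample inventory (hostnames and versions are placeholders)
INVENTORY = [
    {"name": "vmanage-dc1", "version": "20.6.3", "mgmt_reachable_from_untrusted": True,
     "http_portal_enabled": True, "default_admin_password": False},
    {"name": "vmanage-dc2", "version": "20.12.2", "mgmt_reachable_from_untrusted": False,
     "http_portal_enabled": False, "default_admin_password": True},
    {"name": "vmanage-lab", "version": "unknown", "mgmt_reachable_from_untrusted": False,
     "http_portal_enabled": False, "default_admin_password": False},
]

def triage_all(inventory):
    """Map each host name to its findings."""
    return {h["name"]: triage(h) for h in inventory}

if __name__ == "__main__":
    for name, findings in triage_all(INVENTORY).items():
        for sev, msg in findings:
            print(f"{name}: [{sev}] {msg}")
```

Note that versions are compared numerically, so a string comparison that would rank "20.12.2" below "20.9.1" is avoided.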
Why This Matters for Enterprise Security
SD-WAN platforms play a critical role in modern enterprise networking. They connect branch offices, cloud infrastructure, and corporate data centers. Therefore, vulnerabilities in these systems can expose an entire organization’s network backbone.
For CISOs and security teams, this incident highlights an important reality: network infrastructure is now a primary target for advanced cyber attackers.
Organizations that fail to patch network management platforms quickly may unknowingly expose critical infrastructure to long-term compromise.