Cisco warns of two more SD-WAN bugs under active attack

Just when network admins thought the Cisco SD-WAN patch queue might finally be shrinking, Switchzilla has confirmed miscreants are exploiting more vulnerabilities in its SD-WAN management software.

The newly abused flaws affect Cisco Catalyst SD-WAN Manager, the platform formerly known as vManage that sits at the center of many organizations' SD-WAN deployments. One of the bugs, CVE-2026-20122, carries a CVSS score of 7.1 and allows an authenticated remote attacker to overwrite arbitrary files on the local filesystem. The second issue, CVE-2026-20128, is a lower-rated information disclosure flaw with a CVSS score of 5.5 that could allow an authenticated local attacker to gain Data Collection Agent (DCA) user privileges on an affected system.

In an advisory published this week, Cisco confirmed that attackers are already abusing the flaws: "In March 2026, the Cisco PSIRT became aware of active exploitation of the vulnerabilities that are described in CVE-2026-20128 and CVE-2026-20122 only."

As usual with these sorts of notices, Cisco offered little detail about how the flaws are being exploited or who is behind the attacks. The company also declined to say whether the activity is linked to a cyberbaddie it warned about just days earlier.

"Cisco strongly recommends that customers upgrade to a fixed software release to remediate these vulnerabilities," the company added.

The warning comes barely a week after governments from the Five Eyes intelligence alliance warned that attackers were actively targeting Cisco's Catalyst SD-WAN infrastructure using two different vulnerabilities. One is CVE-2022-20775, a path traversal flaw affecting the SD-WAN command-line interface that can lead to privilege escalation, and the other is CVE-2026-20127, a maximum-severity authentication issue affecting the Catalyst SD-WAN Controller and Manager platforms.
At the time, Britain's National Cyber Security Centre said miscreants were compromising SD-WAN deployments used by organizations worldwide. "Malicious cyber threat actors are targeting Cisco Catalyst SD-WAN used by organizations globally," the agency said. "These actors are compromising SD-WANs to add a malicious rogue peer and then conduct a range of follow-on actions to achieve root access and maintain persistent access to the SD-WAN."

According to Cisco Talos, exploitation of the latter has been linked to a group the company tracks as UAT-8616, which it describes as a "highly sophisticated cyber threat actor." Talos said available evidence suggests the bug may have been exploited since at least 2023, although it didn't attribute the activity to any particular country.

Whether the newly confirmed exploits are connected to that campaign remains unclear. Cisco said only that the two freshly disclosed vulnerabilities are currently being exploited, without providing indicators of compromise, attack details, or attribution. For defenders running Cisco's SD-WAN gear, however, the list of bugs under active attack just got longer, and the patch window just got a little more urgent. ®