Cisco Catalyst SD-WAN Manager Vulnerabilities Actively Exploited – What You Need to Know

Networking giant Cisco has revealed that two additional security vulnerabilities affecting Catalyst SD-WAN Manager (formerly SD-WAN vManage) are currently being actively exploited by attackers in real-world environments.

These vulnerabilities could allow attackers with valid credentials to manipulate files or gain elevated privileges on affected systems. Security experts are urging organizations using Cisco SD-WAN solutions to update their software immediately.





Details of the Newly Exploited Vulnerabilities

Cisco has identified the following two vulnerabilities that are currently being exploited:

1. CVE-2026-20122 – Arbitrary File Overwrite (CVSS 7.1)

This vulnerability allows an authenticated remote attacker to overwrite arbitrary files on the local system.

Key points:

  • The attacker must have valid read-only credentials.
  • API access to the affected system is required.
  • Successful exploitation could enable attackers to modify important files on the device.

2. CVE-2026-20128 – Information Disclosure (CVSS 5.5)

This vulnerability enables an authenticated local attacker to gain Data Collection Agent (DCA) user privileges.

Key points:

  • The attacker must possess valid vManage credentials.
  • Once exploited, attackers may gain unauthorized access to sensitive system data.

Cisco Security Patches and Fixed Versions

Cisco released patches for these vulnerabilities along with other security issues such as CVE-2026-20126, CVE-2026-20129, and CVE-2026-20133.

Below are the versions that contain fixes:

  • Earlier than 20.9.1 → Upgrade to a supported fixed release
  • Version 20.9 → Fixed in 20.9.8.2
  • Version 20.11 → Fixed in 20.12.6.1
  • Version 20.12 → Fixed in 20.12.5.3 and 20.12.6.1
  • Version 20.13 → Fixed in 20.15.4.2
  • Version 20.14 → Fixed in 20.15.4.2
  • Version 20.15 → Fixed in 20.15.4.2
  • Version 20.16 → Fixed in 20.18.2.1
  • Version 20.18 → Fixed in 20.18.2.1
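
The following check is an added example, not code from Cisco or from the original article. It compares an installed SD-WAN Manager version against the fixed releases listed above. The function names and the sample inventory are hypothetical, and it assumes that on a train with two fixed releases (20.12) the lower one covers only its own maintenance branch, so 20.12.6.0 is not treated as fixed just because it sorts above 20.12.5.3.

```python
# Added example (not Cisco code). Table transcribed from the list above.
FIXED = {
    "20.9": ["20.9.8.2"],
    "20.11": ["20.12.6.1"],
    "20.12": ["20.12.5.3", "20.12.6.1"],
    "20.13": ["20.15.4.2"],
    "20.14": ["20.15.4.2"],
    "20.15": ["20.15.4.2"],
    "20.16": ["20.18.2.1"],
    "20.18": ["20.18.2.1"],
}


def parse(version):
    """Turn '20.12.5.3' into (20, 12, 5, 3); short forms are zero-padded."""
    parts = [int(p) for p in version.strip().split(".")]
    if not 2 <= len(parts) <= 4:
        raise ValueError(f"unexpected version format: {version!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def assess(version):
    """Return (status, advice); status is 'fixed', 'vulnerable' or 'unknown'."""
    v = parse(version)
    train = f"{v[0]}.{v[1]}"
    if v < parse("20.9.1"):
        return "vulnerable", "upgrade to a supported fixed release"
    if train not in FIXED:
        return "unknown", "release train not in the table; check the advisory"
    fixes = sorted(parse(f) for f in FIXED[train])
    # Assumption: a lower fix such as 20.12.5.3 covers only its own
    # maintenance branch (20.12.5.x); other builds must reach the highest fix.
    for fix in fixes[:-1]:
        if v[:3] == fix[:3] and v >= fix:
            return "fixed", "at or above a fixed release listed on this page"
    if v >= fixes[-1]:
        return "fixed", "at or above a fixed release listed on this page"
    return "vulnerable", "upgrade to " + " or ".join(FIXED[train])


if __name__ == "__main__":
    # Constructed sample inventory, not real deployment data.
    for installed in ["20.6.3", "20.9.8.2", "20.11.1", "20.12.5.2", "20.12.6.0"]:
        print(installed, *assess(installed))
```

Trains that do not appear in the list (for example 20.10 or 20.17) are reported as unknown rather than guessed at.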

According to Cisco’s security advisory, the company became aware in March 2026 that CVE-2026-20122 and CVE-2026-20128 were being actively exploited in the wild. However, Cisco has not revealed the scale of these attacks or who might be responsible.


Security Recommendations for Organizations

Due to the ongoing exploitation, Cisco recommends the following security measures:

  • Update to the latest patched software version immediately
  • Limit access from untrusted or unsecured networks
  • Protect appliances behind a firewall
  • Disable HTTP access for the SD-WAN Manager web admin portal
  • Turn off unnecessary services such as HTTP and FTP
  • Change the default administrator password
  • Monitor system logs for suspicious or unexpected traffic

Implementing these steps can significantly reduce the risk of compromise.


Other Critical Cisco Vulnerabilities

This announcement comes shortly after a critical vulnerability (CVE-2026-20127, CVSS 10.0) affecting Cisco Catalyst SD-WAN Controller and SD-WAN Manager was reportedly exploited by a sophisticated threat actor known as UAT-8616. The attacker used the flaw to maintain persistent access to high-value targets.

Additionally, Cisco recently patched two maximum-severity vulnerabilities in Secure Firewall Management Center:

  • CVE-2026-20079
  • CVE-2026-20131

Both vulnerabilities carry a CVSS score of 10.0 and could allow an unauthenticated remote attacker to bypass authentication and execute arbitrary Java code with root privileges on affected devices.


Conclusion:
Organizations using Cisco SD-WAN infrastructure should immediately apply security updates and follow recommended mitigation steps to protect their networks from active exploitation.