
Networking giant Cisco has confirmed that two security vulnerabilities affecting its Catalyst SD-WAN Manager platform are currently being actively exploited by attackers in real-world cyberattacks. The company issued an advisory urging organisations using the software to apply security updates immediately to reduce the risk of compromise.
The vulnerabilities, tracked as CVE-2026-20122 and CVE-2026-20128, impact the Cisco Catalyst SD-WAN Manager, previously known as SD-WAN vManage, a system widely used by enterprises to manage and control distributed networks. Cisco revealed that its Product Security Incident Response Team became aware in March 2026 that both flaws were being actively exploited in the wild.
Details of the Vulnerabilities
The first vulnerability, CVE-2026-20122, carries a CVSS severity score of 7.1 and is described as an arbitrary file overwrite vulnerability. This flaw could allow an authenticated remote attacker to overwrite files on the local file system of the affected device. However, exploitation requires the attacker to already possess valid read-only credentials with API access on the system.
The second flaw, CVE-2026-20128, has a CVSS score of 5.5 and is categorized as an information disclosure vulnerability. If exploited, it could enable an authenticated local attacker to gain Data Collection Agent (DCA) user privileges within the system. In this case, the attacker must already have legitimate vManage credentials on the affected device.
Although Cisco confirmed the active exploitation of these vulnerabilities, the company has not disclosed the scale of the attacks or the identity of the threat actors behind them.
Security Updates and Fixed Versions
Cisco released patches for these vulnerabilities along with several related flaws, including CVE-2026-20126, CVE-2026-20129, and CVE-2026-20133, in software updates published late last month.
Organisations running vulnerable versions are advised to upgrade to the following fixed releases:
- Versions earlier than 20.9.1 – migrate to a supported fixed release
- Version 20.9 – fixed in 20.9.8.2
- Version 20.11 – fixed in 20.12.6.1
- Version 20.12 – fixed in 20.12.5.3 and 20.12.6.1
- Versions 20.13, 20.14, 20.15 – fixed in 20.15.4.2
- Version 20.16 – fixed in 20.18.2.1
- Version 20.18 – fixed in 20.18.2.1
Applying these updates is considered essential for organisations operating SD-WAN environments, as the platform typically sits at the centre of enterprise network management systems.
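The fixed-release list above can be turned into a quick inventory check. The following is an added example, not code from Cisco or from the original article; the host names and versions are constructed, and the handling of trains with more than one fixed release is an assumption noted in the comments.

```python
# Fixed releases per train, transcribed from the article's list.
FIXED = {
    "20.9": ["20.9.8.2"],
    "20.11": ["20.12.6.1"],
    "20.12": ["20.12.5.3", "20.12.6.1"],
    "20.13": ["20.15.4.2"], "20.14": ["20.15.4.2"], "20.15": ["20.15.4.2"],
    "20.16": ["20.18.2.1"], "20.18": ["20.18.2.1"],
}
OLDEST_LISTED = (20, 9, 1)  # article: anything earlier must migrate


def parse(version):
    """'20.12.5.3' -> (20, 12, 5, 3); raises ValueError on non-numeric parts."""
    return tuple(int(part) for part in version.strip().split("."))


def assess(version):
    """Return (status, upgrade_target) for one SD-WAN Manager version string."""
    try:
        v = parse(version)
    except ValueError:
        return ("unknown", None)
    if v < OLDEST_LISTED:
        return ("unsupported", None)
    train = ".".join(str(n) for n in v[:2])
    if train not in FIXED:
        return ("unknown", None)  # train absent from the list: do not guess
    fixes = sorted(parse(f) for f in FIXED[train])
    # Assumption: a listed fix covers later builds of its own maintenance line.
    if any(v[:3] == f[:3] and v >= f for f in fixes):
        return ("fixed", None)
    # Assumption: maintenance lines newer than the last listed fix include it.
    if v[:3] > fixes[-1][:3]:
        return ("fixed", None)
    target = next(f for f in fixes if f > v)
    return ("vulnerable", ".".join(str(n) for n in target))


def triage(inventory):
    """Map host -> (status, target) for every host that is not confirmed fixed."""
    results = {host: assess(ver) for host, ver in inventory.items()}
    return {h: r for h, r in results.items() if r[0] != "fixed"}


# Constructed inventory: host names and versions are made up for illustration.
SAMPLE = {"mgr-a": "20.12.5.2", "mgr-b": "20.12.6.1", "mgr-c": "20.11.1",
          "mgr-d": "20.6.3", "mgr-e": "20.15.4.2", "mgr-f": "20.18.1"}

if __name__ == "__main__":
    for host, (status, target) in sorted(triage(SAMPLE).items()):
        print(f"{host}: {status}" + (f" -> upgrade to {target}" if target else ""))
```

Hosts reported as "unknown" run a train the list does not mention and need to be checked against the vendor advisory directly.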
Broader Security Concerns
The disclosure comes shortly after Cisco warned about another critical security flaw in Catalyst SD-WAN Controller and Manager, identified as CVE-2026-20127, which carries the maximum CVSS score of 10.0. That vulnerability has reportedly been exploited by a sophisticated threat actor known as UAT-8616 to gain persistent access to networks belonging to high-value organisations.
In addition, Cisco recently released patches for two maximum-severity vulnerabilities in Secure Firewall Management Center, CVE-2026-20079 and CVE-2026-20131, that could allow attackers to bypass authentication and execute arbitrary Java code with root-level privileges on affected devices.
Recommended Security Measures
To reduce exposure to these threats, Cisco has advised organisations to implement several security measures alongside installing patches. These include restricting access to management interfaces from unsecured networks, placing affected appliances behind firewalls, disabling the HTTP interface for the SD-WAN Manager web portal, and turning off unnecessary services such as HTTP or FTP if they are not required.
The company also recommends changing default administrator passwords and closely monitoring system logs for suspicious activity or unexpected traffic patterns.
As cyberattacks targeting network infrastructure continue to grow more sophisticated, security experts warn that timely patching and strict access controls remain critical for protecting enterprise networks from potential breaches.




