Cisco Identifies Active Exploitation of New SD-WAN Vulnerabilities

Cisco has confirmed that two vulnerabilities in its SD-WAN management software are currently being exploited, posing risks of file overwrites and privilege escalation.

Cisco has issued a warning regarding two vulnerabilities in its SD-WAN management software that are under active exploitation. These flaws impact the Cisco Catalyst SD-WAN Manager, previously known as vManage, which is integral to many organizations’ SD-WAN setups.

Details of the Vulnerabilities

The first vulnerability, identified as CVE-2026-20122, has a CVSS score of 7.1. It allows an authenticated remote attacker to overwrite arbitrary files on the local filesystem. The second vulnerability, CVE-2026-20128, is rated lower with a CVSS score of 5.5 and could enable an authenticated local attacker to gain Data Collection Agent (DCA) user privileges on the affected system.

Current Exploitation Status

Cisco’s Product Security Incident Response Team (PSIRT) reported that these vulnerabilities are being actively exploited as of March 2026. The company stated, “In March 2026, the Cisco PSIRT became aware of active exploitation of the vulnerabilities that are described in CVE-2026-20128 and CVE-2026-20122 only.” However, Cisco has not provided specific details on how these vulnerabilities are being exploited or the identity of the attackers.

Context of the Threat

This warning follows a recent alert from the Five Eyes intelligence alliance, which indicated that attackers were targeting Cisco’s Catalyst SD-WAN infrastructure using two other vulnerabilities: CVE-2022-20775, a path traversal flaw, and CVE-2026-20127, a critical authentication issue. The National Cyber Security Centre in the UK noted that these cyber threat actors are compromising SD-WAN deployments globally, potentially leading to unauthorized access and persistent control over affected systems.

Recommendations for Users

Cisco has strongly recommended that customers upgrade to a fixed software release to mitigate these vulnerabilities. While the company has acknowledged the active exploitation of these flaws, it has not provided indicators of compromise or specific attack details, leaving some aspects of the situation unclear.

This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.

NOVA-Δ
