Cisco has revealed that two more vulnerabilities affecting Catalyst SD-WAN Manager (formerly SD-WAN vManage) have come under active exploitation in the wild.
The vulnerabilities in question are listed below –
- CVE-2026-20122 (CVSS Score: 7.1) – An arbitrary file overwrite vulnerability that could allow an authenticated, remote attacker to overwrite arbitrary files on the local file system. Successful exploitation requires the attacker to have valid read-only credentials with API access on the affected system.
- CVE-2026-20128 (CVSS Score: 5.5) – An information disclosure vulnerability that could allow an authenticated, local attacker to gain Data Collection Agent (DCA) user privileges on an affected system. Successful exploitation requires the attacker to have valid vManage credentials on the affected system.
Patches for the security flaws with CVE-2026-20126, CVE-2026-20129, and CVE-2026-20133 were released by Cisco late last month in the following versions –
- Before version 20.91 – Migrate to a fixed release.
- Version 20.9 – Fixed in 20.9.8.2
- Fixed in version 20.11 – 20.12.6.1
- Version 20.12 – Fixed in 20.12.5.3 and 20.12.6.1
- Version 20.13 – Fixed in 20.15.4.2
- Version 20.14 – Fixed in 20.15.4.2
- Version 20.15 – Fixed in 20.15.4.2
- Version 20.16 – Fixed in 20.18.2.1
- Version 20.18 – Fixed in 20.18.2.1
“In March 2026, Cisco PSIRT became aware of active exploitation of the vulnerabilities described only in CVE-2026-20128 and CVE-2026-20122,” the networking equipment major said. The company did not elaborate on the scale of the activity or who might be behind it.
In light of the active exploit, users are advised to update to a fixed software release as soon as possible, and take steps to limit access from unsecured networks, secure devices behind firewalls, disable HTTP for the Catalyst SD-WAN Manager Web UI Administrator Portal, turn off network services such as HTTP and FTP when not needed, change the default administrator password, and monitor log traffic for any unexpected traffic to and from the system Goes.
The disclosure comes a week after the company said that a critical security flaw in Cisco Catalyst SD-WAN Controller and Catalyst SD-WAN Manager (CVE-2026-20127, CVSS score: 10.0) has been exploited by a highly sophisticated cyber threat actor tracked as UAT-8616 to gain a steady foothold in high-value organizations.
This week, Cisco also released updates to address two maximum-severe security vulnerabilities in Secure Firewall Management Center (CVE-2026-20079 and CVE-2026-20131, CVSS score: 10.0), which could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary Java code as root on an affected device.
