Cisco Confirms Active Exploitation of Two Catalyst SD-WAN Manager Vulnerabilities - The Hacker News

Cisco Confirms Active Exploitation of Two Catalyst SD-WAN Manager Vulnerabilities Ravie LakshmananMar 05, 2026Vulnerability / Enterprise Security Cisco has disclosed that two more vulnerabilities affecting Catalyst SD-WAN Manager (formerly SD-WAN vManage) have come under active exploitation in the wild. The vulnerabilities in question are listed below - CVE-2026-20122 (CVSS score: 7.1) - An arbitrary file overwrite vulnerability that could allow an authenticated, remote attacker to overwrite arbitrary files on the local file system. Successful exploitation requires the attacker to have valid read-only credentials with API access on the affected system. CVE-2026-20128 (CVSS score: 5.5) - An information disclosure vulnerability that could allow an authenticated, local attacker to gain Data Collection Agent (DCA) user privileges on an affected system. Successful exploitation requires the attacker to have valid vManage credentials on the affected system. Patches for the security defects, along with CVE-2026-20126, CVE-2026-20129, and CVE-2026-20133, were released by Cisco late last month in the following versions - Earlier than Version 20.91 - Migrate to a fixed release. Version 20.9 - Fixed in 20.9.8.2 Version 20.11 - Fixed in 20.12.6.1 Version 20.12 - Fixed in 20.12.5.3 and 20.12.6.1 Version 20.13 - Fixed in 20.15.4.2 Version 20.14 - Fixed in 20.15.4.2 Version 20.15 - Fixed in 20.15.4.2 Version 20.16 - Fixed in 20.18.2.1 Version 20.18 - Fixed in 20.18.2.1 "In March 2026, the Cisco PSIRT became aware of active exploitation of the vulnerabilities that are described in CVE-2026-20128 and CVE-2026-20122 only," the networking equipment major said. The company did not elaborate on the scale of the activity and who may be behind it. In light of active exploitation, users are recommended to update to a fixed software release as soon as possible, and take steps to limit access from unsecured networks, secure the appliances behind a firewall, disable HTTP for the Catalyst SD-WAN Manager web UI administrator portal, turn off network services like HTTP and FTP if not required, change the default administrator password, and monitor log traffic for any unexpected traffic to and from systems. The disclosure comes a week after the company said a critical security flaw in Cisco Catalyst SD-WAN Controller and Catalyst SD-WAN Manager (CVE-2026-20127, CVSS score: 10.0) has been exploited by a highly sophisticated cyber threat actor tracked as UAT-8616 to establish persistent footholds into high-value organizations. The pace of the exploitation efforts have since escalated quickly. Ryan Dewhurst, watchTowr's head of proactive threat intelligence Ryan Dewhurst, told The Hacker News that the preemptive exposure management platform has witnessed attack attempts from numerous unique IP addresses and observed threat actors deploying web shells. "The largest spike in activity occurred on March 4, with attacks widely spread across various regions worldwide, and U.S.-based areas saw slightly higher activity than others," Dewhurst added. "We expect activity to continue as part of the typical long tail of exploitation, as more threat actors become involved. With mass and opportunistic exploitation at play, any exposed system should be considered compromised until proven otherwise." This week, Cisco also released updates to address two maximum-severity security vulnerabilities in Secure Firewall Management Center (CVE-2026-20079 and CVE-2026-20131, CVSS scores: 10.0) that could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary Java code as root on an affected device. (The story was updated after publication on March 9, 2026, to clarify that the exploitation activity detected by watchTowr targeted CVE-2026-20127, and not CVE-2026-20122 and CVE-2026-20128 as previously stated.) Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share SHARE  cisco, cybersecurity, enterprise security, exploitation, network security, privilege escalation, SD-WAN, Vulnerability Trending News ⚡ Weekly Recap: Chrome 0-Days, Router Botnets, AWS Breach, Rogue AI Agents and More ThreatsDay Bulletin: OAuth Trap, EDR Killer, Signal Phishing, Zombie ZIP, AI Platform Hack and More Meta to Shut Down Instagram End-to-End Encrypted Chat Support Starting May 2026 Chinese Hackers Target Southeast Asian Militaries with AppleChris and MemFun Malware FortiGate Devices Exploited to Breach Networks and Steal Service Account Credentials Google Fixes Two Chrome Zero-Days Exploited in the Wild Affecting Skia and V8 OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration Six Android Malware Families Target Pix Payments, Banking Apps, and Crypto Wallets Microsoft Patches 84 Flaws in March Patch Tuesday, Including Two Public Zero-Days Nine CrackArmor Flaws in Linux AppArmor Enable Root Escalation, Bypass Container Isolation Apple Issues Security Updates for Older iOS Devices Targeted by Coruna WebKit Exploit Android 17 Blocks Non-Accessibility Apps from Accessibility API to Prevent Malware Abuse Apple Fixes WebKit Vulnerability Enabling Same-Origin Policy Bypass on iOS and macOS Veeam Patches 7 Critical Backup and Replication Flaws Allowing Remote Code Execution CISA Flags Actively Exploited Wing FTP Vulnerability Leaking Server Paths Critical n8n Flaws Allow Remote Code Execution and Exposure of Stored Credentials Load More ▼ Popular Resources Fix Security Noise by Focusing Only on Validated Exposures Get the 2026 ASV Report to Benchmark Top Validation Tools Guide - Discover How to Validate AI Risks With Adversarial Testing Webinar - Identify Key Attack Paths to Your Crown Jewels with CSMA