Cisco Flags Ongoing Exploitation of Two Recently Patched Catalyst SD-WAN Flaws
In a recent update to its security advisories, Cisco has warned that two recently patched vulnerabilities in its Catalyst SD-WAN Manager have been actively exploited in the wild. The networking giant is urging organizations to apply the latest security updates to reduce the risk of compromise.
The vulnerabilities in question are CVE-2026-20128 and CVE-2026-20122, both of which Cisco recently patched in fixed software releases for Catalyst SD-WAN. The first, CVE-2026-20128, affects the Data Collection Agent feature and allows a local, authenticated attacker to escalate privileges, access sensitive information, and overwrite arbitrary files.
The second, CVE-2026-20122, allows a remote, authenticated attacker to overwrite arbitrary files through the SD-WAN Manager API and escalate privileges. Cisco rates the two flaws as critical and high severity; both could allow an attacker who already holds valid credentials to gain root privileges on the system and expose sensitive information.
Cisco first disclosed these vulnerabilities in its security advisories in February 2026, but it was not until March 5 that the company updated the advisories to warn that both were already being exploited in the wild. Cisco has not shared details about the attacks exploiting these vulnerabilities, but is urging customers to upgrade to a fixed software release to remediate them.
Additionally, Cisco has also warned of another critical SD-WAN vulnerability, tracked as CVE-2026-20127 (CVSS score of 10.0), that has been actively exploited since 2023. This flaw affects Catalyst SD-WAN Controller and Manager and allows remote, unauthenticated attackers to bypass authentication and gain full administrative access by sending a crafted request to vulnerable systems.
The vulnerability affects all Cisco Catalyst SD-WAN deployments, regardless of configuration. Cisco credits the Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC) with reporting the issue, and Cisco Talos attributes the exploitation to UAT-8616, a highly sophisticated threat actor active since at least 2023.
Investigations by Cisco Talos found that the group likely downgraded the device software to an older release, exploited CVE-2022-20775 to escalate privileges to root, and then restored the original version to maintain stealthy root access while leaving the running release looking current. The campaign highlights the continued targeting of network edge devices to gain persistent access to high-value and critical infrastructure organizations.
Cisco is urging customers to apply the security updates immediately to reduce the risk of compromise. Customers running releases prior to 20.9.1 are advised to migrate to a patched release. Because the actor restored the original software version after obtaining root, a device that currently reports a patched release may still be compromised; customers who find evidence of exploitation should treat the device as compromised and take immediate action to remediate, rather than relying on the upgrade alone.
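The downgrade-then-restore pattern described above, and the "prior to 20.9.1" check, both reduce to reasoning over a device's software version history. The following is an added example, not code from the article or from Cisco, that shows one way to hunt for that pattern in an inventory or change log: it flags any device whose version goes down and then comes back up to the original (or a newer) release within a time window, and separately lists devices whose latest observed version is older than a minimum release. The record format, field names, device names, and sample events are all constructed for illustration and are not Cisco telemetry; the minimum release defaults to the 20.9.1 threshold the article cites.

```python
"""Hunt for downgrade-then-restore version sequences in a device version history.

Added example for illustration only. The event format (timestamp, device, version),
the device names and the sample records are constructed and do not represent any
real product telemetry or log format.
"""
from datetime import datetime, timedelta

# Constructed sample records: (ISO timestamp, device, running software version).
SAMPLE_EVENTS = [
    ("2026-03-01T08:00:00", "mgr-01", "20.12.4"),
    ("2026-03-01T09:10:00", "mgr-01", "20.6.3"),   # downgrade to an older release
    ("2026-03-01T09:25:00", "mgr-01", "20.12.4"),  # restored 15 minutes later
    ("2026-03-02T10:00:00", "mgr-02", "20.9.1"),
    ("2026-03-03T10:00:00", "mgr-02", "20.12.4"),  # ordinary upgrade, not suspicious
    ("2026-03-04T11:00:00", "mgr-03", "20.12.4"),
    ("2026-03-04T12:00:00", "mgr-03", "20.6.1"),   # downgraded and never restored
]


def parse_version(version: str) -> tuple:
    """Turn a dotted release string such as '20.12.4' into a numerically comparable tuple."""
    return tuple(int(part) for part in version.split("."))


def _history_by_device(events):
    """Group events per device, ordered by time, as (datetime, version) pairs."""
    history = {}
    for ts, device, version in sorted(events):
        history.setdefault(device, []).append((datetime.fromisoformat(ts), version))
    return history


def find_downgrade_restore(events, window=timedelta(hours=24)):
    """Return (device, original, downgraded_to, restored_to, minutes_downgraded) for each
    device whose version drops and then returns to the original or a newer release
    within `window`. A downgrade with no later restore is not reported here."""
    findings = []
    for device, hist in _history_by_device(events).items():
        for i in range(1, len(hist)):
            prev_ts, prev_ver = hist[i - 1]
            cur_ts, cur_ver = hist[i]
            if parse_version(cur_ver) >= parse_version(prev_ver):
                continue  # not a downgrade
            # Look ahead for a restore to >= the pre-downgrade release inside the window.
            for later_ts, later_ver in hist[i + 1:]:
                if later_ts - cur_ts > window:
                    break
                if parse_version(later_ver) >= parse_version(prev_ver):
                    minutes = int((later_ts - cur_ts).total_seconds() // 60)
                    findings.append((device, prev_ver, cur_ver, later_ver, minutes))
                    break
    return findings


def below_minimum(events, minimum="20.9.1"):
    """Devices whose most recently observed version is older than `minimum`."""
    latest = {device: hist[-1][1] for device, hist in _history_by_device(events).items()}
    return sorted(d for d, v in latest.items() if parse_version(v) < parse_version(minimum))


if __name__ == "__main__":
    for device, orig, down, back, mins in find_downgrade_restore(SAMPLE_EVENTS):
        print(f"{device}: {orig} -> {down} -> {back} (restored after {mins} min)")
    print("below minimum release:", below_minimum(SAMPLE_EVENTS))
```

The restore check uses "original or newer" rather than an exact match, so an attacker who restores to a slightly different build than the one they replaced is still caught; the window keeps legitimate rollback-then-upgrade maintenance from being reported when it is spread over days, and should be tuned to local change practice.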
In conclusion, these recent vulnerabilities highlight the ongoing importance of regular software updates and patching in cybersecurity. Organizations must prioritize the security of their network edge devices to prevent unauthorized access and data breaches.