Cisco Confirms Active Exploitation of Two SD-WAN Manager Flaws

By alex2404

Cisco has confirmed that two security vulnerabilities in its Catalyst SD-WAN Manager software are being actively exploited in the wild, pushing administrators to upgrade affected systems without delay.

The company’s Product Security Incident Response Team (PSIRT) flagged the active exploitation in an update to a February 25 advisory. The two flaws in question are tracked as CVE-2026-20122, a high-severity arbitrary file overwrite vulnerability, and CVE-2026-20128, a medium-severity information disclosure flaw.

“Cisco strongly recommends that customers upgrade to a fixed software release to remediate these vulnerabilities,” the company stated, noting that the remaining CVEs covered in the same advisory show no signs of active exploitation.

What the Vulnerabilities Allow

CVE-2026-20122 can be exploited remotely, but only by an attacker who already holds valid read-only credentials with API access. CVE-2026-20128 is harder to reach: it requires local access, specifically valid vManage credentials on the targeted system.

Both flaws affect Catalyst SD-WAN Manager software regardless of device configuration. Catalyst SD-WAN Manager, formerly known as vManage, lets network administrators monitor and manage up to 6,000 SD-WAN devices from a single centralized interface.

A Broader Pattern of SD-WAN Exploitation

These disclosures follow a separate and more severe finding from last week, when Cisco flagged a critical authentication bypass vulnerability, CVE-2026-20127, as exploited in zero-day attacks. Sophisticated threat actors have reportedly abused that flaw since at least 2023, using it to compromise SD-WAN controllers and introduce rogue peers into targeted networks.

Those rogue peers allow attackers to insert devices that appear legitimate, creating pathways to move deeper inside compromised infrastructure.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) responded by issuing Emergency Directive 26-03, requiring federal agencies to inventory their Cisco SD-WAN systems, gather forensic artifacts, apply available updates, and investigate any potential breaches connected to CVE-2026-20127 activity. UK authorities joined Cisco in disclosing the exploitation.

Firewall Software Also Under Fire

Separately, Cisco released patches on Wednesday for two maximum-severity vulnerabilities in its Secure Firewall Management Center (FMC) software. The first, CVE-2026-20079, is an authentication bypass that unauthenticated remote attackers can exploit to gain root access to the underlying operating system. The second, CVE-2026-20131, allows unauthenticated remote attackers to execute arbitrary Java code as root on unpatched systems.

Neither of the FMC vulnerabilities has been confirmed as actively exploited, but their maximum-severity rating places them at the top of any patching priority list.

  • CVE-2026-20122: High-severity arbitrary file overwrite, active exploitation confirmed
  • CVE-2026-20128: Medium-severity information disclosure, active exploitation confirmed
  • CVE-2026-20127: Critical authentication bypass, exploited in zero-day attacks since at least 2023
  • CVE-2026-20079: Maximum-severity FMC authentication bypass, not yet confirmed exploited
  • CVE-2026-20131: Maximum-severity FMC remote code execution, not yet confirmed exploited

Cisco has not published technical indicators of compromise or detailed attribution for the ongoing SD-WAN attacks.


This article is a curated summary based on third-party sources.
