Cisco Confirms Two Catalyst SD-WAN Manager Vulnerabilities Are Being Actively Exploited

Cisco has confirmed that two security vulnerabilities affecting Cisco Catalyst SD-WAN Manager (previously known as SD-WAN vManage) are currently being exploited in real-world attacks.

The vulnerabilities identified by Cisco are CVE-2026-20122 and CVE-2026-20128, both of which impact organizations using the SD-WAN management platform.

Details of the Exploited Vulnerabilities

The first issue, CVE-2026-20122, carries a CVSS score of 7.1 and allows an authenticated remote attacker to overwrite arbitrary files on the local system. To successfully exploit this vulnerability, the attacker must already possess valid read-only credentials with API access.

The second flaw, CVE-2026-20128, has a CVSS score of 5.5 and enables an authenticated local attacker to obtain Data Collection Agent (DCA) user privileges on the targeted system. This attack requires valid vManage login credentials.

According to Cisco’s Product Security Incident Response Team (PSIRT), active exploitation of these vulnerabilities was detected in March 2026. However, the company did not disclose the identity of the threat actors or the overall scale of the attacks.

Evidence of Ongoing Attacks

Security researchers from watchTowr observed multiple exploitation attempts originating from numerous IP addresses across the globe. During these attacks, threat actors were seen deploying web shells on compromised systems.

Researchers reported that the most significant surge in malicious activity occurred on March 4, with attacks distributed across multiple geographic regions. Systems located in the United States experienced slightly higher levels of attack traffic compared to other areas.

Experts believe that exploitation activity may continue as additional threat actors begin targeting vulnerable systems. Because many attacks are opportunistic and automated, exposed devices should be treated as compromised until proven otherwise.

Security Patches and Affected Versions

Cisco released patches for the vulnerabilities last month alongside fixes for other related flaws including CVE-2026-20126, CVE-2026-20129, and CVE-2026-20133.

The corrected versions include:

  • Versions earlier than 20.9.1, migration to a patched release required
  • Version 20.9 fixed in 20.9.8.2
  • Version 20.11 fixed in 20.12.6.1
  • Version 20.12 fixed in 20.12.5.3 and 20.12.6.1
  • Version 20.13 fixed in 20.15.4.2
  • Version 20.14 fixed in 20.15.4.2
  • Version 20.15 fixed in 20.15.4.2
  • Version 20.16 fixed in 20.18.2.1
  • Version 20.18 fixed in 20.18.2.1
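The fixed-release table above is awkward to apply by hand because several trains (20.11, 20.13, 20.14, 20.16) have no fix of their own and require moving to a different train, and 20.12 has two separate fixed branches. The following is an added example, not code from the article or from Cisco, that encodes the table exactly as listed and classifies a running Catalyst SD-WAN Manager version as patched, vulnerable, requiring migration, or not covered by the list; the function and verdict names are assumptions.

```python
"""Added example (not from the article or Cisco): classify a running Catalyst
SD-WAN Manager version against the fixed releases the article lists."""

# Fixed releases exactly as listed in the article, keyed by affected train.
FIXED_RELEASES = {
    "20.9":  ["20.9.8.2"],
    "20.11": ["20.12.6.1"],                # no 20.11 fix: migrate to 20.12
    "20.12": ["20.12.5.3", "20.12.6.1"],   # two separate fixed branches
    "20.13": ["20.15.4.2"],
    "20.14": ["20.15.4.2"],
    "20.15": ["20.15.4.2"],
    "20.16": ["20.18.2.1"],
    "20.18": ["20.18.2.1"],
}
MIGRATE_BELOW = "20.9.1"   # article: anything earlier than 20.9.1 must migrate


def parse_version(v: str) -> tuple:
    """'20.12.5.3' -> (20, 12, 5, 3); shorter strings are zero-padded to 4 parts."""
    parts = [int(p) for p in v.strip().split(".")]
    if not 2 <= len(parts) <= 4:
        raise ValueError(f"unexpected version format: {v!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def assess(version: str) -> str:
    """Return 'patched', 'vulnerable', 'migrate' or 'unlisted' for a running version."""
    running = parse_version(version)
    train = f"{running[0]}.{running[1]}"
    if running < parse_version(MIGRATE_BELOW):
        return "migrate"
    if train not in FIXED_RELEASES:
        return "unlisted"      # train not in the article's table; consult the advisory
    fixes = [parse_version(f) for f in FIXED_RELEASES[train]]
    same_train = [f for f in fixes if f[:2] == running[:2]]
    if not same_train:
        return "migrate"       # e.g. 20.11 -> 20.12.6.1, 20.13 -> 20.15.4.2
    # Fixes are per maintenance branch (20.12.5.x and 20.12.6.x are separate
    # lines), so compare only against the fix sharing the first three components.
    for fix in same_train:
        if running[:3] == fix[:3]:
            return "patched" if running >= fix else "vulnerable"
    # A branch newer than every listed fix is not covered by the table; an older
    # branch without a listed fix still needs to be upgraded.
    newest_fixed_branch = max(same_train)[:3]
    return "unlisted" if running[:3] > newest_fixed_branch else "vulnerable"
```

A verdict of "unlisted" means the table does not cover that version and the Cisco advisory must be consulted directly; it is not a clean bill of health.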

Recommended Security Measures

Due to the active exploitation, Cisco strongly advises organizations to immediately update their systems to patched versions. Additional protective steps include restricting access from untrusted networks, placing management systems behind firewalls, disabling unnecessary services such as HTTP and FTP, and changing default administrator passwords.

Security teams are also encouraged to monitor network and system logs for any unusual activity that could indicate compromise.

Related Critical Vulnerabilities

This warning follows a recent disclosure where CVE-2026-20127, a critical vulnerability with a CVSS score of 10.0, was exploited by a sophisticated threat group known as UAT-8616 to gain persistent access to high-value targets.

Additionally, Cisco recently addressed two maximum severity vulnerabilities affecting Secure Firewall Management Center, tracked as CVE-2026-20079 and CVE-2026-20131. These flaws could allow unauthenticated attackers to bypass authentication and execute arbitrary Java code with root privileges on vulnerable devices.
