Cisco Confirms Active Exploitation of Catalyst SD-WAN Manager Vulnerabilities
Cisco has recently confirmed that two vulnerabilities in its Catalyst SD-WAN Manager, formerly known as SD-WAN vManage, are being actively exploited in the wild. These vulnerabilities, identified as CVE-2026-20122 and CVE-2026-20128, pose significant security risks to affected systems.
Details of the Vulnerabilities:
1. CVE-2026-20122 (CVSS Score: 7.1): This vulnerability allows an authenticated, remote attacker to overwrite arbitrary files on the local file system of the Manager. The only prerequisite is a valid set of read-only credentials with API access, so a leaked or weak low-privilege account is sufficient; the read-only role is not a meaningful barrier to this flaw.
2. CVE-2026-20128 (CVSS Score: 5.5): This flaw enables an authenticated, local attacker to gain Data Collection Agent (DCA) user privileges on an affected system. Successful exploitation requires valid vManage credentials.
Cisco’s Response:
In response to these threats, Cisco has released patches addressing these vulnerabilities, along with others identified as CVE-2026-20126, CVE-2026-20129, and CVE-2026-20133. The fixed software versions are as follows:
– Versions Earlier than 20.9: Users are advised to migrate to a fixed release.
– Version 20.9: Fixed in 20.9.8.2
– Version 20.11: Fixed in 20.12.6.1
– Version 20.12: Fixed in 20.12.5.3 and 20.12.6.1
– Version 20.13: Fixed in 20.15.4.2
– Version 20.14: Fixed in 20.15.4.2
– Version 20.15: Fixed in 20.15.4.2
– Version 20.16: Fixed in 20.18.2.1
– Version 20.18: Fixed in 20.18.2.1
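The fixed-release table above is easy to misread when a deployment sits on a maintenance line between two listed builds (for example 20.12.6.0, which is older than the 20.12.6.1 fix even though it is newer than 20.12.5.3). The following is an added example, not a Cisco tool or anything from the advisory: it encodes the table from this page and reports, for a given running version, whether it is fixed and which release to move to. It assumes that a rebuild at or after a listed fix on the same maintenance line carries the fix, that a maintenance line newer than every listed fix in its train also carries it (flagged so the reader confirms it against the advisory), and that trains not named on this page are reported as unknown rather than guessed.

```python
import re

# Fixed releases per release train, transcribed from the advisory summary above.
# Keyed by (major, minor) of the train a Manager is currently running on.
FIXED_RELEASES = {
    (20, 9): ("20.9.8.2",),
    (20, 11): ("20.12.6.1",),
    (20, 12): ("20.12.5.3", "20.12.6.1"),
    (20, 13): ("20.15.4.2",),
    (20, 14): ("20.15.4.2",),
    (20, 15): ("20.15.4.2",),
    (20, 16): ("20.18.2.1",),
    (20, 18): ("20.18.2.1",),
}


def parse_version(text):
    """Parse 'a.b', 'a.b.c' or 'a.b.c.d' into a 4-tuple of ints, zero-padded."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def fmt(v):
    return ".".join(str(x) for x in v)


def assess(version):
    """Return (status, advice) for a running Catalyst SD-WAN Manager version.

    status is one of 'fixed', 'vulnerable' or 'unknown' (train not in the table).
    """
    v = parse_version(version)
    train = v[:2]
    if train < (20, 9):
        # Advisory gives no in-train fix for anything before 20.9.
        return "vulnerable", "migrate to a fixed release"
    fixes = FIXED_RELEASES.get(train)
    if fixes is None:
        # Assumption: say so rather than guess for trains the page does not list.
        return "unknown", "train not listed in the advisory summary"
    fixed = sorted(parse_version(f) for f in fixes)
    in_train = [f for f in fixed if f[:2] == train]
    if not in_train:
        # e.g. 20.11 and 20.13: the fix lives in a later train, so every
        # build on this train is affected and must be upgraded across trains.
        return "vulnerable", f"upgrade to {fmt(fixed[-1])}"
    for f in in_train:
        if f[:3] == v[:3]:
            # Same maintenance line as a listed fix: rebuilds at or after the
            # fix carry it (assumption), earlier rebuilds do not.
            if v >= f:
                return "fixed", ""
            return "vulnerable", f"upgrade to {fmt(f)}"
    if v[:3] > in_train[-1][:3]:
        # Maintenance line newer than every listed fix in this train.
        # Assumed fixed; the caller should confirm against the advisory.
        return "fixed", "newer than the listed fixed releases; confirm against the advisory"
    # Older maintenance line: point at the nearest listed fix above it.
    target = next(f for f in in_train if f[:3] > v[:3])
    return "vulnerable", f"upgrade to {fmt(target)}"


if __name__ == "__main__":
    # Constructed sample inventory, not real deployment data.
    for ver in ("20.6.3", "20.9.8.1", "20.11.1.2", "20.12.4.2",
                "20.12.6.0", "20.12.6.1", "20.13.1.0", "20.18.2.1"):
        status, advice = assess(ver)
        print(f"{ver:<10} {status:<10} {advice}")
```

Feed it the version reported by each Manager in your inventory; the 20.12.6.0 case is the one that tends to be misjudged by a naive "newer than the first fixed release" comparison.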
Cisco’s Product Security Incident Response Team (PSIRT) became aware of the active exploitation of CVE-2026-20122 and CVE-2026-20128 in March 2026. The company has not disclosed the scale of these attacks or the identities of the perpetrators.
Recommendations for Users:
Given the active exploitation of these vulnerabilities, Cisco strongly recommends that users:
– Update Software: Immediately upgrade to the fixed software releases mentioned above.
– Limit Network Exposure: Restrict management-plane access to trusted networks only, so that the Manager's API and web interface are not reachable from untrusted or public networks.
– Implement Firewalls: Place appliances behind firewalls to control and monitor inbound and outbound traffic.
– Disable Unnecessary Services: Turn off network services such as HTTP and FTP if they are not required.
– Change Default Credentials: Replace the default administrator password with a strong, unique password, and review any read-only API accounts, since those credentials are sufficient to exploit CVE-2026-20122.
– Monitor Logs: Regularly review logs and traffic for unexpected or suspicious activity, including unexpected file changes on the Manager and API activity from low-privilege accounts.
Context and Background:
This disclosure follows Cisco’s recent acknowledgment of another critical security flaw, CVE-2026-20127 (CVSS score: 10.0), in its Catalyst SD-WAN Controller and Catalyst SD-WAN Manager. This vulnerability has been exploited by a sophisticated cyber threat actor known as UAT-8616 to establish persistent access within high-value organizations.
Additionally, Cisco has released updates to address two maximum-severity vulnerabilities in its Secure Firewall Management Center, identified as CVE-2026-20079 and CVE-2026-20131 (both with CVSS scores of 10.0). These flaws could allow unauthenticated, remote attackers to bypass authentication and execute arbitrary Java code as root on affected devices.
Conclusion:
The active exploitation of these vulnerabilities underscores the critical importance of timely software updates and robust security practices. Organizations utilizing Cisco’s SD-WAN solutions should prioritize applying the recommended patches and implementing the suggested security measures to safeguard their systems against potential threats.