Cisco has recently disclosed the active exploitation of two vulnerabilities in its Catalyst SD-WAN Manager, formerly known as SD-WAN vManage. These vulnerabilities, identified as CVE-2026-20122 and CVE-2026-20128, pose significant security risks to organizations utilizing this technology.
Understanding the Vulnerabilities
1. CVE-2026-20122 (CVSS Score: 7.1): This vulnerability allows an authenticated, remote attacker to overwrite arbitrary files on the local file system. Exploitation requires the attacker to have valid read-only credentials with API access on the affected system. By leveraging this flaw, an attacker could potentially disrupt system operations or introduce malicious code.
2. CVE-2026-20128 (CVSS Score: 5.5): This information disclosure vulnerability enables an authenticated, local attacker to gain Data Collection Agent (DCA) user privileges on an affected system. Exploitation necessitates valid vManage credentials. An attacker exploiting this vulnerability could access sensitive data, leading to potential information leaks or further system compromise.
Cisco’s Response and Recommendations
In response to these vulnerabilities, Cisco has released patches addressing CVE-2026-20122, CVE-2026-20128, as well as other related flaws (CVE-2026-20126, CVE-2026-20129, and CVE-2026-20133). The fixed software versions are as follows:
– Versions Prior to 20.9.1: Users are advised to migrate to a fixed release.
– Version 20.9: Fixed in 20.9.8.2
– Version 20.11: Fixed in 20.12.6.1
– Version 20.12: Fixed in 20.12.5.3 and 20.12.6.1
– Versions 20.13, 20.14, 20.15: Fixed in 20.15.4.2
– Versions 20.16, 20.18: Fixed in 20.18.2.1
Given the active exploitation of these vulnerabilities, Cisco strongly recommends that users update to the appropriate fixed software release without delay. Additionally, organizations should implement the following security measures:
– Restrict Access: Limit access to the Catalyst SD-WAN Manager from unsecured networks.
– Firewall Protection: Position the appliances behind a firewall to prevent unauthorized access.
– Disable Unnecessary Services: Turn off network services such as HTTP and FTP if they are not required.
– Change Default Credentials: Update the default administrator password to a strong, unique password.
– Monitor Logs: Regularly review log traffic for any unexpected activity to and from the systems.
Broader Context of Cisco SD-WAN Vulnerabilities
These recent disclosures are part of a series of security challenges affecting Cisco’s SD-WAN solutions:
– CVE-2026-20127 (CVSS Score: 10.0): A critical authentication bypass vulnerability in Cisco Catalyst SD-WAN Controller and Manager, exploited by a sophisticated threat actor known as UAT-8616 since at least 2023. This flaw allows unauthenticated remote attackers to gain administrative privileges by sending crafted requests. Cisco has released patches to address this issue and urges users to update their systems promptly.
– CVE-2026-20182 (CVSS Score: 10.0): Another maximum-severity authentication bypass vulnerability in Catalyst SD-WAN Controller, actively exploited in limited attacks. This flaw enables unauthenticated remote attackers to bypass authentication and obtain administrative privileges. Cisco has released updates to mitigate this vulnerability and recommends immediate application of these patches.
Implications for Organizations
The active exploitation of these vulnerabilities underscores the critical importance of maintaining up-to-date systems and implementing robust security practices. Organizations relying on Cisco’s SD-WAN solutions should:
– Apply Patches Promptly: Ensure all systems are updated with the latest security patches to mitigate known vulnerabilities.
– Conduct Regular Security Audits: Perform comprehensive security assessments to identify and address potential weaknesses.
– Enhance Monitoring: Implement advanced monitoring tools to detect and respond to suspicious activities in real-time.
– Educate Staff: Provide ongoing cybersecurity training to employees to recognize and prevent potential threats.
Conclusion
The recent vulnerabilities in Cisco’s Catalyst SD-WAN Manager highlight the ever-evolving landscape of cybersecurity threats. By staying informed, applying timely updates, and adhering to best security practices, organizations can safeguard their networks against potential exploits and maintain the integrity of their systems.
