Cisco’s SD-WAN Manager Under Active Attack: Urgent Patching Required
Cisco, a global leader in networking hardware, has issued a critical alert, confirming that two significant vulnerabilities within its Catalyst SD-WAN Manager (formerly SD-WAN vManage) are currently being actively exploited in the wild. This disclosure underscores the persistent and evolving threat landscape facing modern network infrastructures and necessitates immediate action from organizations utilizing these systems.
The Actively Exploited Flaws
The two vulnerabilities now under active attack pose distinct but serious risks:
CVE-2026-20122: Arbitrary File Overwrite (CVSS Score: 7.1)
This flaw allows an authenticated, remote attacker to overwrite arbitrary files on the local file system. While it requires valid read-only credentials with API access, successful exploitation could lead to severe system compromise, data manipulation, or denial of service by corrupting critical system files.
CVE-2026-20128: Information Disclosure (CVSS Score: 5.5)
An authenticated, local attacker could leverage this vulnerability to gain Data Collection Agent (DCA) user privileges on an affected system. This escalation of privilege, though requiring valid vManage credentials, could grant attackers deeper access and control over sensitive network data and configurations.
Broader Patching Efforts and Previous Incidents
These two actively exploited vulnerabilities are part of a larger set of security defects for which Cisco released patches late last month. Other patched CVEs include CVE-2026-20126, CVE-2026-20129, and CVE-2026-20133. Organizations are urged to consult Cisco’s official advisories for specific version updates:
- Earlier than Version 20.9: Migrate to a fixed release.
- Version 20.9: Fixed in 20.9.8.2
- Version 20.11: Fixed in 20.12.6.1
- Version 20.12: Fixed in 20.12.5.3 and 20.12.6.1
- Version 20.13: Fixed in 20.15.4.2
- Version 20.14: Fixed in 20.15.4.2
- Version 20.15: Fixed in 20.15.4.2
- Version 20.16: Fixed in 20.18.2.1
- Version 20.18: Fixed in 20.18.2.1
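To turn the version table above into a quick inventory check, here is an added example (not Cisco's code or tooling) that parses a Catalyst SD-WAN Manager version string and reports whether it meets a fixed release listed in the article. The fixed-release table is copied from the list above; the comparison rule, that a build counts as patched only when it sits in the same maintenance line as a listed fixed release and is at or above it, is an assumption chosen to err on the side of flagging a system, and Cisco's advisory remains the authority:

```python
"""Check a Catalyst SD-WAN Manager version against the article's fixed releases.

Added example, not Cisco's code. FIXED_IN is copied from the article; the
rule in is_patched() is an assumption made for this example (see its docstring).
"""

from __future__ import annotations

# Release train -> fixed releases, exactly as listed in the article. A train
# whose fix lives in a later train (20.11 -> 20.12.6.1) can only be remediated
# by migrating, so nothing in that train will ever count as patched here.
FIXED_IN: dict[tuple[int, int], list[str]] = {
    (20, 9): ["20.9.8.2"],
    (20, 11): ["20.12.6.1"],
    (20, 12): ["20.12.5.3", "20.12.6.1"],
    (20, 13): ["20.15.4.2"],
    (20, 14): ["20.15.4.2"],
    (20, 15): ["20.15.4.2"],
    (20, 16): ["20.18.2.1"],
    (20, 18): ["20.18.2.1"],
}


def parse_version(text: str) -> tuple[int, ...]:
    """'20.12.5.3' -> (20, 12, 5, 3); rejects anything that is not dotted integers."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def is_patched(installed: str) -> tuple[bool, str]:
    """Return (patched, reason) for an installed version string.

    Assumption (not stated by the article): a build is treated as patched only
    when its first three components match a listed fixed release and the full
    version is at or above it. Anything else, including a later maintenance
    line that the advisory does not list, is reported as needing migration.
    """
    v = parse_version(installed)
    if len(v) < 2:
        return False, f"{installed}: cannot determine release train"
    train = (v[0], v[1])
    if train < (20, 9):
        return False, f"{installed}: earlier than 20.9, migrate to a fixed release"
    if train not in FIXED_IN:
        return False, (f"{installed}: train {train[0]}.{train[1]} is not in the "
                       "advisory table, check Cisco's advisory")
    for fixed in FIXED_IN[train]:
        f = parse_version(fixed)
        if v[:3] == f[:3] and v >= f:
            return True, f"{installed}: at or above fixed release {fixed}"
    targets = " or ".join(FIXED_IN[train])
    return False, f"{installed}: vulnerable, migrate to {targets}"


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for version in ["20.8.1", "20.9.8.2", "20.11.1.2", "20.12.5.2",
                    "20.12.5.3", "20.12.6.0", "20.16.1.1", "20.18.2.1"]:
        patched, reason = is_patched(version)
        print("PATCHED   " if patched else "VULNERABLE", reason)
```

Feed it the version strings from your asset inventory; anything reported as vulnerable should be scheduled for the listed migration target, and a train the table does not know (for example a 20.10 or 20.17 build) should be resolved against the advisory rather than assumed safe.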
This latest disclosure follows closely on the heels of another critical alert issued just a week prior. Cisco had then revealed that a maximum-severity flaw in Catalyst SD-WAN Controller and Manager (CVE-2026-20127, CVSS score: 10.0) was being exploited by a highly sophisticated cyber threat actor, UAT-8616, to establish persistent footholds in high-value organizations. The ongoing nature of these attacks highlights a concerted effort by malicious actors to target critical networking infrastructure.
Adding to the week’s security news, Cisco also released updates addressing two other maximum-severity vulnerabilities (CVE-2026-20079 and CVE-2026-20131, CVSS scores: 10.0) in its Secure Firewall Management Center. These flaws could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary Java code as root, presenting another severe risk to network integrity.
Urgent Recommendations for Users
Given the confirmed active exploitation, Cisco strongly recommends that users take immediate action:
- Update Promptly: Migrate to a fixed software release as soon as possible.
- Limit Access: Restrict access from unsecured networks.
- Firewall Protection: Secure appliances behind a robust firewall.
- Disable Unnecessary Services: Turn off network services like HTTP and FTP if they are not strictly required.
- Secure Web UI: Disable HTTP for the Catalyst SD-WAN Manager web UI administrator portal.
- Change Defaults: Immediately change the default administrator password.
- Monitor Logs: Continuously monitor log traffic for any unexpected activity to and from your systems.
Staying vigilant and proactive in applying security updates and best practices is paramount in safeguarding critical network infrastructure against sophisticated cyber threats.