Cisco has confirmed the active exploitation of two vulnerabilities affecting its Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage), raising concerns for organizations that depend on the platform to manage enterprise network infrastructure. The vulnerabilities, identified as CVE-2026-20122 and CVE-2026-20128, could allow attackers with limited credentials to compromise affected systems.
The first flaw, CVE-2026-20122 with a CVSS score of 7.1, is an arbitrary file overwrite vulnerability that could enable an authenticated remote attacker with read-only API access to overwrite files on the local file system. The second vulnerability, CVE-2026-20128 (CVSS 5.5), is an information disclosure flaw that could allow a local authenticated attacker to gain Data Collection Agent (DCA) user privileges.
Cisco has already released patches addressing these issues along with additional vulnerabilities including CVE-2026-20126, CVE-2026-20129, and CVE-2026-20133. Fixes are available in updated software versions such as 20.9.8.2, 20.12.6.1, 20.12.5.3, 20.15.4.2, and 20.18.2.1, depending on the version deployed.
According to Cisco’s Product Security Incident Response Team (PSIRT), the company became aware of the exploitation activity in March 2026, although details regarding the scale of attacks and the threat actors involved have not been disclosed.
Security researchers have observed increased activity targeting vulnerable systems. Ryan Dewhurst, head of proactive threat intelligence at watchTowr, noted that exploitation attempts were detected from numerous IP addresses worldwide, with attackers deploying web shells to maintain access. The most significant spike occurred on March 4, with slightly higher activity recorded in the United States.
Cisco has urged organizations to immediately upgrade to patched versions and strengthen security measures. Recommended actions include restricting access from unsecured networks, placing SD-WAN systems behind firewalls, disabling unnecessary services such as HTTP and FTP, updating default credentials, and monitoring network logs for suspicious activity.



