Cisco flags more SD-WAN flaws as actively exploited in attacks
Source: Bleeping Computer

Cisco has flagged two additional Catalyst SD‑WAN Manager security flaws as actively exploited in the wild, urging administrators to upgrade vulnerable devices.
Catalyst SD‑WAN Manager (formerly vManage) is network‑management software that enables admins to monitor and manage up to 6,000 Catalyst SD‑WAN devices from a single centralized dashboard.
“In March 2026, the Cisco PSIRT became aware of active exploitation of the vulnerabilities that are described in CVE‑2026‑20128 and CVE‑2026‑20122 only,” the company warned.
“The vulnerabilities that are described in the other CVEs in this advisory are not known to have been compromised. Cisco strongly recommends that customers upgrade to a fixed software release to remediate these vulnerabilities.”
- CVE‑2026‑20122 – high‑severity arbitrary file overwrite. Exploitable only by remote attackers who possess valid read‑only API credentials.
- CVE‑2026‑20128 – medium‑severity information disclosure. Requires a local attacker with valid vManage credentials on the targeted system.
Cisco notes that these flaws affect Catalyst SD‑WAN Manager software regardless of device configuration.
SD‑WAN zero‑days exploited since 2023
Last week, Cisco disclosed that a critical authentication‑bypass vulnerability (CVE‑2026‑20127) has been exploited in zero‑day attacks since at least 2023. The flaw enables highly sophisticated threat actors to compromise controllers and add malicious rogue peers to targeted networks. These rogue peers appear legitimate, allowing attackers to move deeper into compromised environments.
Following joint advisories from U.S. and U.K. authorities, CISA issued Emergency Directive 26‑03, which requires federal agencies to:
- Inventory Cisco SD‑WAN systems.
- Collect forensic artifacts.
- Ensure external log storage.
- Apply the latest updates.
- Investigate potential compromises tied to attacks targeting CVE‑2026‑20127 and the older flaw CVE‑2022‑20775.
More recently, on Wednesday, Cisco released security updates that patch two maximum‑severity vulnerabilities in its Secure Firewall Management Center (FMC) software:
- CVE‑2026‑20079 – authentication bypass.
- CVE‑2026‑20131 – remote code execution (RCE) that allows unauthenticated attackers to execute arbitrary Java code as root on unpatched devices.
Both flaws can be exploited remotely, granting attackers root‑level access to the underlying operating system.