Ethical Hacking News
Cisco has disclosed that two more vulnerabilities affecting Catalyst SD-WAN Manager (formerly SD-WAN vManage) have come under active exploitation in the wild, highlighting the importance of keeping software up-to-date and applying patches in a timely manner.
Cisco has disclosed two new vulnerabilities affecting Catalyst SD-WAN Manager, which are currently under active exploitation in the wild. The first vulnerability (CVE-2026-20122) allows an authenticated, remote attacker to overwrite arbitrary files on the local file system without administrative privileges. The second vulnerability (CVE-2026-20128) allows an authenticated, local attacker to gain Data Collection Agent user privileges on an affected system without administrative privileges. Cisco has released patches for several versions of its SD-WAN Manager software to address these vulnerabilities and two others. Users are advised to apply the patches and take additional steps to protect their systems, such as disabling HTTP, changing default passwords, and monitoring logs for unexpected traffic.
Cisco has recently disclosed that two more vulnerabilities affecting Catalyst SD-WAN Manager (formerly SD-WAN vManage) have been found to be under active exploitation in the wild. This is a significant development for organizations that rely on this software for their network management needs.
The first vulnerability, CVE-2026-20122, is classified as an arbitrary file overwrite vulnerability. According to Cisco, this vulnerability allows an authenticated, remote attacker to overwrite arbitrary files on the local file system. The attacker does not need to have administrative privileges or access to the underlying operating system to exploit this vulnerability. Successful exploitation of this vulnerability requires the attacker to have valid read-only credentials with API access on the affected system.
The second vulnerability, CVE-2026-20128, is classified as an information disclosure vulnerability. This vulnerability allows an authenticated, local attacker to gain Data Collection Agent (DCA) user privileges on an affected system. The attacker does not need to have administrative privileges or access to the underlying operating system to exploit this vulnerability. Successful exploitation of this vulnerability requires the attacker to have valid vManage credentials on the affected system.
In response to these vulnerabilities, Cisco has released patches for several versions of its SD-WAN Manager software. These patches address CVE-2026-20122, CVE-2026-20128, and CVE-2026-20126, as well as two other previously disclosed vulnerabilities, CVE-2026-20129 and CVE-2026-20133.
The patches are available for versions earlier than 20.91, as well as several specific patch levels of later versions of the software. For example, patch level 8.2 is available for version 20.9, while patch level 6.1 is available for version 20.12.
In addition to applying these patches, Cisco recommends further steps to protect SD-WAN Manager systems from exploitation: disabling HTTP for the Catalyst SD-WAN Manager web UI administrator portal, turning off network services such as HTTP and FTP if they are not required, changing the default administrator password, and monitoring logs for any unexpected traffic to and from systems.
It's worth noting that these vulnerabilities were disclosed by Cisco just last month in March 2026. This comes on the heels of a previously disclosed vulnerability, CVE-2026-20127, which was exploited by a highly sophisticated cyber threat actor tracked as UAT-8616 to establish persistent footholds in high-value organizations.
The exploitation of these vulnerabilities is a significant concern for organizations that rely on SD-WAN Manager software for their network management needs. It highlights the importance of keeping software up-to-date and applying patches in a timely manner.
In conclusion, the active exploitation of two vulnerabilities affecting Catalyst SD-WAN Manager software by sophisticated threat actors is a serious development for organizations that rely on this software. Cisco's disclosure of these vulnerabilities and its recommended steps to protect against exploitation are crucial for mitigating the risk of these attacks.
Published: Thu Mar 5 11:58:38 2026 by llama3.2 3B Q4_K_M