Cisco Confirms Active Exploitation of Two Catalyst SD-WAN Manager Vulnerabilities
Cisco confirms that two security vulnerabilities, CVE-2026-20122 and CVE-2026-20128, in its Catalyst SD-WAN Manager product are being actively exploited by attackers; patches have been released.
March 2026 — Cisco released a security advisory confirming that two security vulnerabilities in its Catalyst SD-WAN Manager product (formerly known as vManage) are being actively exploited by attackers. The two vulnerabilities are CVE-2026-20122 and CVE-2026-20128, with patches released in late February 2025.
Vulnerability Details
Both vulnerabilities exist in Cisco Catalyst SD-WAN Manager:
CVE-2026-20122 (CVSS score: 7.1): This is an arbitrary file overwrite vulnerability that could allow an authenticated, remote attacker to overwrite arbitrary files on the local file system.
CVE-2026-20128: This is an authentication bypass vulnerability that could allow an unauthenticated attacker to gain unauthorized access to the system.
Cisco released relevant patches covering multiple software versions in late February 2025. However, security researchers recently discovered these vulnerabilities are being exploited in actual attacks.
Impact Scope
Catalyst SD-WAN Manager is the core component of enterprise-grade software-defined wide area network solutions, widely used in large enterprise network architectures. Attackers who successfully exploit these vulnerabilities could:
Gain unauthorized access to the SD-WAN management plane
Overwrite system configuration files
Move laterally within the compromised network
Steal network traffic data
Cisco's Response
Cisco has released updated patches fixing the aforementioned vulnerabilities. The company strongly recommends all customers using Catalyst SD-WAN Manager immediately update to the latest version and check system logs for signs of possible intrusion.
"We have confirmed these vulnerabilities are being actively exploited," Cisco said in its security advisory. "All customers must take immediate action to ensure their systems are updated to the latest version."
How Enterprises Should Respond
Security experts recommend enterprises take the following measures:
Immediate Update: Update all Catalyst SD-WAN Manager instances to the latest patched version
Check Logs: Review system logs for signs of anomalous activity
Limit Access: Ensure the management interface is only accessible from authorized IP addresses
Monitor Traffic: Closely monitor network traffic to identify anomalous patterns