Cisco Identifies Additional Vulnerabilities in SD-WAN Targeted by Cyber Attacks

Cisco has identified two new security vulnerabilities in Catalyst SD-WAN Manager that are being actively exploited, and is urging administrators to update vulnerable devices.

Catalyst SD-WAN Manager, previously known as vManage, is a network management tool that allows administrators to oversee and control up to 6,000 Catalyst SD-WAN devices from a centralized dashboard.

“In March 2026, Cisco’s Product Security Incident Response Team (PSIRT) discovered ongoing exploitation of vulnerabilities outlined in CVE-2026-20128 and CVE-2026-20122,” the company cautioned in an update to a previous advisory dated February 25.

“None of the other vulnerabilities mentioned in this advisory have been reported as compromised. Cisco strongly advises customers to update to a patched software version to address these vulnerabilities.”

The high-severity arbitrary file overwrite vulnerability (CVE-2026-20122) can only be exploited by remote attackers with valid read-only credentials and API access, while the medium-severity information disclosure flaw (CVE-2026-20128) requires local attackers to hold valid vmanage credentials on the targeted systems.

Cisco emphasized that these vulnerabilities impact Catalyst SD-WAN Manager software across all device configurations.

Exploitation of SD-WAN Zero-Days Since 2023

Recently, the company disclosed that a critical authentication bypass vulnerability (CVE-2026-20127) has been exploited in zero-day attacks since at least 2023, enabling sophisticated threat actors to compromise controllers and introduce malicious rogue peers into targeted networks.

These rogue peers allow attackers to insert seemingly legitimate malicious devices, granting them deeper access into compromised networks.

Following joint warnings by U.S. and U.K. authorities about the exploitation activity, the Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 26-03, which requires federal agencies to inventory Cisco SD-WAN systems, gather forensic evidence, ensure external log storage, apply updates, and investigate potential compromises linked to attacks targeting CVE-2026-20127 and an older vulnerability, CVE-2022-20775.

Furthermore, Cisco recently released security updates to address two critical vulnerabilities in its Secure Firewall Management Center (FMC) software.

These security flaws, an authentication bypass vulnerability (CVE-2026-20079) and a remote code execution (RCE) vulnerability (CVE-2026-20131), can be exploited remotely by unauthenticated attackers to gain root access to the underlying operating system and execute arbitrary Java code as root on unpatched devices, respectively.
