Cisco has revealed that two more vulnerabilities affecting Catalyst SD-WAN Manager (formerly known as SD-WAN vManage) are being exploited in the wild.
The vulnerabilities in question are as follows.
CVE-2026-20122 (CVSS Score: 7.1) – Arbitrary file overwrite vulnerability could allow an authenticated, remote attacker to overwrite arbitrary files on the local file system. For successful exploitation, the attacker must have valid read-only credentials with API access on the affected system. CVE-2026-20128 (CVSS Score: 5.5) – Information disclosure vulnerability could allow an authenticated, local attacker to gain Data Collection Agent (DCA) user privileges on an affected system. Successful exploitation requires the attacker to have valid vManage credentials on the affected system.
Patches for security flaws in addition to CVE-2026-20126, CVE-2026-20129, and CVE-2026-20133 were released by Cisco late last month in the following versions:
Versions prior to 20.91 – Migrate to fix release. Version 20.9 – Fixed in 20.9.8.2 Version 20.11 – Fixed in 20.12.6.1 Version 20.12 – Fixed in 20.12.5.3 and 20.12.6.1 Version 20.13 – Fixed in 20.15.4.2 Version 20.14 – Fixed in 20.15.4.2 Version 20.15 – Fixed in 20.15.4.2 Version 20.16 – Fixed in 20.18.2.1 Version 20.18 – Fixed in 20.18.2.1
“In March 2026, Cisco PSIRT became aware of active exploitation of the vulnerabilities listed exclusively in CVE-2026-20128 and CVE-2026-20122,” the network equipment giant said. The company did not elaborate on the scale of the operation or who was behind it.
Given the active exploitation, we recommend that users take steps to update to fixed software releases as soon as possible, restrict access from unsecured networks, secure the appliance behind a firewall, disable HTTP in the Catalyst SD-WAN Manager Web UI admin portal, turn off network services such as HTTP and FTP when not needed, change the default administrator password, and monitor log traffic for unexpected traffic to and from the system.
This disclosure comes one week after the company announced that a critical security flaw (CVE-2026-20127, CVSS score: 10.0) in Cisco Catalyst SD-WAN Controllers and Catalyst SD-WAN Manager was exploited by sophisticated cyber attackers, tracked as UAT-8616, to establish a persistent foothold in high-value organizations.
This week, Cisco also released updates that address two maximum severity security vulnerabilities (CVE-2026-20079 and CVE-2026-20131, CVSS score: 10.0) in Secure Firewall Management Center. This vulnerability could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary Java code as root on an affected device.
Source link
