Cisco has disclosed multiple critical vulnerabilities affecting Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage), warning that two flaws, CVE-2026-20122 and CVE-2026-20128, are already being actively exploited in the wild. First identified on February 25, 2026, these Cisco vulnerabilities pose immediate risk to organizations running affected SD-WAN deployments and underscore the urgency of applying Cisco’s security updates to protect SD-WAN infrastructure.
CVE-2026-20122, the most critical actively exploited vulnerability, is an arbitrary file overwrite flaw that allows an authenticated attacker with limited read-only credentials and API access to overwrite arbitrary files via the Cisco Catalyst SD-WAN Manager API interface, potentially gaining elevated vManage privileges and altering system behavior. CVE-2026-20128, the second actively exploited vulnerability, exposes sensitive credential data associated with the Data Collection Agent (DCA), allowing attackers with valid credentials to retrieve stored DCA passwords and move laterally across SD-WAN Manager nodes.
Cisco also patched three additional vulnerabilities in the same security advisory: CVE-2026-20129, a critical authentication bypass vulnerability enabling remote attackers to gain netadmin role access; CVE-2026-20126, a privilege escalation vulnerability allowing low-privileged local attackers to elevate to root; and CVE-2026-20133, an information disclosure vulnerability enabling unauthenticated remote attackers to retrieve sensitive data from the underlying operating system. The confirmed real-world exploitation of CVE-2026-20122 and CVE-2026-20128 highlights an immediate risk for organizations running affected Cisco SD-WAN deployments.
Cisco has addressed multiple security flaws affecting the Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage) and disclosed that two vulnerabilities, CVE-2026-20122 and CVE-2026-20128, are currently being actively exploited in the wild. The Cisco vulnerabilities span a range of impacts, potentially allowing attackers to compromise the SD-WAN management infrastructure if left unpatched.
CVE-2026-20122 is an arbitrary file overwrite vulnerability in Cisco Catalyst SD-WAN Manager caused by improper file handling within the API interface. An authenticated remote attacker with valid read-only credentials and API access can upload a malicious file that overwrites arbitrary files on the local file system of the SD-WAN Manager. By exploiting CVE-2026-20122 in this way, the attacker can obtain vManage user privileges and potentially manipulate system behavior or introduce malicious components into the Cisco SD-WAN infrastructure.
Cisco confirmed in a March 2026 advisory that the CVE-2026-20122 vulnerability is actively exploited in real-world attacks, making immediate patching of Cisco Catalyst SD-WAN Manager deployments critically urgent.
CVE-2026-20128 is an information disclosure vulnerability affecting the Data Collection Agent (DCA) feature in Cisco Catalyst SD-WAN Manager. The CVE-2026-20128 issue arises because a credential file associated with the DCA user is stored on the system with insufficient protection. An authenticated local attacker with valid vManage credentials can access the file to obtain the DCA password and then use those credentials to authenticate to other SD-WAN Manager nodes.
Exploitation of CVE-2026-20128 could enable lateral movement across the SD-WAN management plane within compromised Cisco environments. Cisco has confirmed that the CVE-2026-20128 vulnerability is actively exploited in the wild, highlighting the critical importance of prompt patching to prevent credential theft and lateral movement.
CVE-2026-20129 is a critical authentication bypass vulnerability in the API user authentication component of Cisco Catalyst SD-WAN Manager. The CVE-2026-20129 flaw results from improper authentication handling for API requests, enabling a remote attacker to send a specially crafted API request and bypass authentication controls. Successful exploitation of CVE-2026-20129 allows the attacker to gain access to Cisco Catalyst SD-WAN Manager as a user with the netadmin role, providing administrative privileges.
CVE-2026-20126 is a privilege escalation vulnerability in Cisco Catalyst SD-WAN Manager caused by an insufficient authentication mechanism within the REST API. An attacker with low-privileged local access can exploit the CVE-2026-20126 flaw by sending a crafted request to the API, ultimately elevating privileges to root on the underlying operating system. CVE-2026-20126 exploitation provides complete control over the compromised SD-WAN Manager node.
CVE-2026-20133 is an information disclosure vulnerability in Cisco Catalyst SD-WAN Manager stemming from insufficient file system access restrictions within the platform. An unauthenticated remote attacker can interact with the system’s API to retrieve sensitive data from the underlying operating system through CVE-2026-20133 exploitation.
The disclosure of these Cisco Catalyst SD-WAN Manager vulnerabilities comes just a week after Cisco warned that a separate critical flaw (CVE-2026-20127) affecting Cisco Catalyst SD-WAN Controller and Cisco Catalyst SD-WAN Manager was exploited by the sophisticated threat actor UAT-8616 to establish persistent access within high-value organizations, demonstrating continued targeting of Cisco SD-WAN infrastructure by advanced threat actors.
Organizations running Cisco Catalyst SD-WAN Manager must prioritize upgrading to the fixed releases identified in Cisco’s security advisory. The recommended fixed Cisco versions are 20.9.8.2 for the 20.9 release train, 20.12.5.3 or 20.12.6.1 for the 20.12 train, 20.15.4.2 for releases 20.13 through 20.15, and 20.18.2.1 for releases 20.16 and 20.18. Active exploitation of CVE-2026-20128 and CVE-2026-20122 makes this upgrade critically time-sensitive, and organizations should treat this as an emergency patching activity. Consult the Cisco Catalyst SD-WAN Upgrade Matrix for planning guidance.
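To make the fixed-release mapping above actionable in an inventory script, here is an added example (not Cisco's tooling) that classifies a running Catalyst SD-WAN Manager version against the fixed releases listed in this article. The version strings come from the article; the decision rule, the train mapping, and the conservative handling of maintenance lines the advisory does not name are assumptions of this example.

```python
"""Classify a running SD-WAN Manager release against the advisory's fixed releases.

Added example. Only the fixed version strings are taken from the article; the
mapping of 20.13-20.15 to 20.15.4.2 and of 20.16/20.18 to 20.18.2.1 follows
the article's wording, everything else here is an assumption.
"""
from typing import List, Optional, Tuple

# Fixed releases per train (major.minor). Trains the article does not
# mention (e.g. 20.10, 20.11, 20.17) are deliberately absent.
FIXED_RELEASES = {
    (20, 9): ["20.9.8.2"],
    (20, 12): ["20.12.5.3", "20.12.6.1"],
    (20, 13): ["20.15.4.2"],   # 20.13 through 20.15 move to 20.15.4.2
    (20, 14): ["20.15.4.2"],
    (20, 15): ["20.15.4.2"],
    (20, 16): ["20.18.2.1"],   # 20.16 and 20.18 move to 20.18.2.1
    (20, 18): ["20.18.2.1"],
}


def parse_version(v: str) -> Tuple[int, ...]:
    """'20.12.5.3' -> (20, 12, 5, 3). Missing components are NOT padded, so a
    three-part string compares as lower than its four-part fixed build."""
    return tuple(int(p) for p in v.strip().split("."))


def fixed_releases_for(running: str) -> Optional[List[str]]:
    """Fixed release(s) for the running version's train, or None if unlisted."""
    return FIXED_RELEASES.get(parse_version(running)[:2])


def is_fixed(running: str) -> bool:
    """True only when the running release sits on a fixed maintenance line
    (same first three components) at or above the fixed build. A later line
    such as 20.12.7.x is NOT assumed fixed: verify it against the advisory."""
    v = parse_version(running)
    for f in FIXED_RELEASES.get(v[:2], []):
        ft = parse_version(f)
        if v[:3] == ft[:3] and v >= ft:
            return True
    return False


def triage(running: str) -> str:
    """One-line verdict for an asset inventory row."""
    if is_fixed(running):
        return "fixed"
    targets = fixed_releases_for(running)
    if targets is None:
        return "no fixed release listed for this train; consult the advisory"
    return "upgrade to " + " or ".join(targets)
```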
Prevent access to Cisco Catalyst SD-WAN Manager from unsecured networks, especially the internet. Deploy the SD-WAN management platform behind a filtering device such as a firewall and restrict access to known, trusted hosts only. A two-layer firewall architecture is recommended to ensure that end users do not connect directly to the outer DMZ, reducing the API attack surface for the unauthenticated vulnerabilities CVE-2026-20129 and CVE-2026-20133.
Given confirmed in-the-wild exploitation of CVE-2026-20122 and CVE-2026-20128, organizations should perform a thorough compromise assessment of their Cisco SD-WAN Manager infrastructure. Review all user accounts for unauthorized additions, inspect logs for anomalous API activity, and check for unexpected file modifications. Rotate all credentials associated with the SD-WAN Manager platform, including the default administrator password, vmanage user credentials, and DCA user passwords, as CVE-2026-20128 directly exposes stored DCA credentials.
Disable HTTP access for the Cisco Catalyst SD-WAN Manager web UI administrator portal, and disable any other network services that are not operationally required, including HTTP and FTP. Reducing the service footprint limits the available attack surface for these Cisco vulnerabilities, particularly for the API-based exploitation vectors of CVE-2026-20122, CVE-2026-20129, and CVE-2026-20133. Ensure SSL/TLS is enforced for all remaining management communications using certificates obtained from a trusted certificate authority.
Establish continuous monitoring of API traffic to and from the Cisco SD-WAN Manager nodes, with alerts configured for unusual authentication patterns, file system modifications, and privilege escalation indicators. Logging should be forwarded to an external SIEM or syslog server to prevent log tampering by an attacker with root access obtained through CVE-2026-20126 exploitation. Retain logs for sufficient duration to support post-incident forensic analysis.
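The compromise assessment and monitoring guidance above both come down to a few log-driven checks, so here is an added example (not Cisco's code, and not Cisco's log format) of rule-based triage over API audit lines: a read-only principal making successful write or upload calls (the access pattern CVE-2026-20122 requires) and successful responses to requests with no authenticated user (what an authentication bypass such as CVE-2026-20129 or CVE-2026-20133 would look like). The line layout, field names, role names, and paths are all constructed for illustration.

```python
"""Rule-based triage of constructed SD-WAN Manager API audit-log lines.

Added example. The log format below is invented for illustration; adapt the
regular expression to the actual audit/syslog format exported to your SIEM.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed format: "<ts> node=<n> user=<u> role=<r> <METHOD> <path> -> <status>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) node=(?P<node>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+) -> (?P<status>\d{3})$"
)
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
READONLY_ROLES = {"readonly", "operator"}   # assumption: role labels in the sample logs

# Constructed sample: one legitimate read, one read-only user uploading a file
# (success), one anonymous request that succeeds, one that is correctly rejected.
SAMPLE_LOG = """\
2026-02-26T08:01:10Z node=vmanage-1 user=netops role=readonly GET /api/devices -> 200
2026-02-26T08:01:12Z node=vmanage-1 user=netops role=readonly POST /api/files/upload -> 200
2026-02-26T08:02:03Z node=vmanage-1 user=- role=- GET /api/admin/users -> 200
2026-02-26T08:02:05Z node=vmanage-2 user=- role=- GET /api/admin/users -> 401
"""

Alert = Tuple[str, str, str]   # (rule, subject, path)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the parsed fields, or None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_alerts(text: str) -> List[Alert]:
    """Apply both detection rules to every parseable line, in order."""
    alerts: List[Alert] = []
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ok = ev["status"].startswith("2")        # only successful calls matter
        if ok and ev["role"] in READONLY_ROLES and ev["method"] in WRITE_METHODS:
            alerts.append(("readonly_write", ev["user"], ev["path"]))
        if ok and ev["user"] == "-":              # no authenticated principal
            alerts.append(("unauthenticated_success", ev["node"], ev["path"]))
    return alerts


if __name__ == "__main__":
    for rule, subject, path in find_alerts(SAMPLE_LOG):
        print(f"ALERT {rule}: {subject} {path}")
```

Forward these alerts from a SIEM that the SD-WAN Manager nodes cannot write to, so a root-level compromise via CVE-2026-20126 cannot erase the evidence.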
Multiple affected Cisco Catalyst SD-WAN Manager release trains have reached End of Software Maintenance. Organizations running these end-of-life releases should plan immediate migration to a supported release, as they will not receive future security updates. Continued operation on end-of-life Cisco software exposes the organization to cumulative risk from both current and future vulnerabilities.