Full Report
Cisco has flagged two more Catalyst SD-WAN Manager security flaws as actively exploited in the wild, urging administrators to upgrade vulnerable devices. [...]
Analysis Summary
# Vulnerability: Cisco Catalyst SD-WAN Manager Active Exploitation
## CVE Details
**1. Arbitrary File Overwrite**
- CVE ID: CVE-2026-20122
- CVSS Score: 8.8 (High)
- CWE: Not explicitly listed (Likely CWE-22 or CWE-73)
**2. Information Disclosure**
- CVE ID: CVE-2026-20128
- CVSS Score: Not specified (Medium)
- CWE: Information Disclosure
*Note: These are tracked alongside **CVE-2026-20127** (Critical Auth Bypass exploited since 2023).*
## Affected Systems
- **Products:** Cisco Catalyst SD-WAN Manager (formerly vManage).
- **Versions:** All software releases prior to fixed versions.
- **Configurations:** Vulnerable regardless of specific device configuration.
## Vulnerability Description
- **CVE-2026-20122:** An arbitrary file overwrite vulnerability that allows an attacker to modify or delete system files. This could lead to a permanent Denial of Service (DoS) or potentially influence the execution flow of the system.
- **CVE-2026-20128:** An information disclosure vulnerability that allows an attacker to access sensitive data and system information that should be restricted.
## Exploitation
- **Status:** **Exploited in the wild.** Cisco PSIRT confirmed active exploitation as of March 2026.
- **Complexity:**
- CVE-2026-20122: Medium (Requires valid read-only API credentials).
- CVE-2026-20128: Medium (Requires local vManage credentials).
- **Attack Vector:**
- CVE-2026-20122: Network (Remote via API).
- CVE-2026-20128: Local.
## Impact
- **Confidentiality:** High (for CVE-2026-20128)
- **Integrity:** High (for CVE-2026-20122)
- **Availability:** High (Potential system corruption via file overwrite)
## Remediation
### Patches
Cisco strongly recommends upgrading Catalyst SD-WAN Manager to a fixed release. Refer to the Cisco Security Advisory for specific version mappings.
- **Cisco Catalyst SD-WAN Manager:** Upgrade to the latest patched software release documented in the advisory.
### Workarounds
- No specific workarounds are provided. Remediation requires a full software upgrade to a fixed version.
- Limit API access to trusted users and monitor for unusual file modification activity.
## Detection
- **Indicators of Compromise:**
- Unexplained system file modifications or deletions.
- Presence of "rogue peers" or unauthorized controllers within the SD-WAN fabric.
- Log entries showing unusual read-only account activity via the API.
- **Detection methods and tools:**
- Per CISA Emergency Directive 26-03: Inventory all SD-WAN systems and ensure logs are offloaded to an external, secure storage for forensic audit.
- Verify the integrity of controllers to ensure no unauthorized malicious devices have been added to the network.
## References
- Cisco Security Advisory: [hXXps://sec[.]cloudapps[.]cisco[.]com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-authbp-qwCX8D4v]
- CISA Emergency Directive 26-03: [hXXps://www[.]cisa[.]gov/news-events/directives/ed-26-03-mitigate-vulnerabilities-cisco-sd-wan-systems]
- BleepingComputer Article: [hXXps://www[.]bleepingcomputer[.]com/news/security/cisco-flags-more-sd-wan-flaws-as-actively-exploited-in-attacks/]