Full Report
Switchzilla says flaws could allow file overwrites or privilege escalation

Just when network admins thought the Cisco SD-WAN patch queue might finally be shrinking, Switchzilla has confirmed miscreants are exploiting more vulnerabilities in its SD-WAN management software.…
Analysis Summary
# Vulnerability: Cisco Catalyst SD-WAN Manager Exploitation (March 2026)
## CVE Details
**Vulnerability 1:**
- CVE ID: CVE-2026-20122
- CVSS Score: 7.1 (High)
- CWE: Arbitrary File Overwrite
**Vulnerability 2:**
- CVE ID: CVE-2026-20128
- CVSS Score: 5.5 (Medium)
- CWE: Information Disclosure / Privilege Escalation
## Affected Systems
- Products: Cisco Catalyst SD-WAN Manager (formerly known as vManage).
- Versions: All versions prior to the March 2026 security updates.
- Configurations: Systems running the SD-WAN management software interface.
## Vulnerability Description
**CVE-2026-20122:** A flaw described as an authentication bypass or insufficient input validation that allows an authenticated, remote attacker to overwrite arbitrary files on the local filesystem. This could lead to system instability or the modification of critical configuration files.
**CVE-2026-20128:** An information disclosure vulnerability that enables an authenticated local attacker to gain the privileges of the Data Collection Agent (DCA) user. This allows the attacker to access sensitive data or perform actions restricted to the DCA service.
## Exploitation
- Status: **Exploited in the wild.** Cisco PSIRT confirmed active exploitation as of March 2026.
- Complexity: Low to Medium (requires authentication).
- Attack Vector:
  - CVE-2026-20122: Network (Remote)
  - CVE-2026-20128: Local
## Impact
- Confidentiality: Moderate (Information disclosure for CVE-2026-20128).
- Integrity: High (Arbitrary file overwrite for CVE-2026-20122).
- Availability: Moderate/High (Potential for system corruption via file overwrite).
## Remediation
### Patches
Cisco strongly recommends upgrading Catalyst SD-WAN Manager to a fixed software release. Users should consult the Cisco Software Central portal for the specific maintenance releases associated with their deployment branch (e.g., 20.x).
### Workarounds
No specific workarounds were provided in the initial advisory. Remediation requires a full software update to a patched version.
## Detection
- **Indicators of Compromise:** Cisco has not yet released specific IOCs (hashes or IPs) for these bugs, but noted they may be linked to broader campaigns targeting SD-WAN infrastructure.
- **Detection Methods:**
  - Monitor for unauthorized file modifications on the SD-WAN Manager filesystem.
  - Review audit logs for unusual Data Collection Agent (DCA) user activity or privilege escalation.
  - Check for the presence of "rogue peers" within the SD-WAN fabric, a tactic previously associated with related Cisco SD-WAN exploits (e.g., CVE-2026-20127).
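The first detection method above (watching for unauthorized file modifications) is the one an operator can implement without any vendor-specific log format. The following is an added example, not Cisco's tooling and not part of the advisory: it builds a SHA-256 baseline of a directory tree and later diffs a fresh snapshot against it to surface added, removed and modified files. The directories and file names are constructed for the demo, since the page names no specific SD-WAN Manager paths; in practice the baseline would be taken immediately after patching and stored off-host.

```python
"""Baseline-and-compare file integrity check (added example, not Cisco's code).

Assumption (hypothetical): the watched tree stands in for whatever configuration
or binary directories an operator chooses to monitor on an SD-WAN Manager host.
The page names no specific paths, so demo() runs on a constructed temporary tree.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file under root (POSIX-style relative path) to hash, size and mode."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        # Skip directories and symlinks: a symlink swap is reported as a removed/added pair
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            baseline[p.relative_to(root).as_posix()] = {
                "sha256": sha256_file(p),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o7777),
            }
    return baseline


def compare_baselines(old: dict, new: dict) -> dict:
    """Return sorted lists of added, removed and modified relative paths.

    A file counts as modified if its content hash or its permission bits changed;
    size alone is not used because a same-size overwrite must still be caught.
    """
    common = set(old) & set(new)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(
            p for p in common
            if old[p]["sha256"] != new[p]["sha256"] or old[p]["mode"] != new[p]["mode"]
        ),
    }


def demo() -> dict:
    """Constructed scenario: baseline a small tree, tamper with it, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "app.conf").write_text("listen=443\n")
        (root / "etc" / "users.db").write_text("admin:x\n")
        (root / "bin").mkdir()
        (root / "bin" / "agent").write_text("#!/bin/sh\necho ok\n")

        before = build_baseline(root)

        # Simulated unauthorized changes (constructed): one config overwritten with the
        # same line count, one new script dropped, one data file deleted.
        (root / "etc" / "app.conf").write_text("listen=8443\n")
        (root / "bin" / "helper.sh").write_text("#!/bin/sh\n")
        (root / "etc" / "users.db").unlink()

        after = build_baseline(root)
        return compare_baselines(before, after)


if __name__ == "__main__":
    # Expected: modified etc/app.conf, added bin/helper.sh, removed etc/users.db
    print(json.dumps(demo(), indent=2))
```

Hashing rather than relying on mtime matters here: an attacker who can overwrite arbitrary files can usually restore timestamps too, but cannot make a changed file hash to its old value. Storing the baseline on a separate host (or at least outside the monitored tree) keeps it out of reach of the same overwrite primitive.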
## References
- Cisco Security Advisory: hxxps[://]sec[.]cloudapps[.]cisco[.]com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-authbp-qwCX8D4v
- Cisco Talos Intelligence Blog: hxxps[://]talosintelligence[.]com/
- Five Eyes/NCSC Advisory on SD-WAN Targeting: hxxps[://]www[.]ncsc[.]gov[.]uk/