Full Report
CISA gives federal agencies 4 days to patch

America's lead cyber-defense agency has warned that three Cisco Catalyst SD-WAN Manager bugs are under attack, and given federal agencies just four days to patch the security holes.…
Analysis Summary
# Vulnerability: Cisco Catalyst SD-WAN Manager Multiple Vulnerabilities
## CVE Details
- **CVE ID:** CVE-2026-20128, CVE-2026-20133, CVE-2026-20122
- **CVSS Score:** Not specified in text (Note: CISA KEV inclusion implies high/critical impact)
- **CWE:**
  - CVE-2026-20128/20133: Information Disclosure
  - CVE-2026-20122: Arbitrary File Overwrite
## Affected Systems
- **Products:** Cisco Catalyst SD-WAN Manager (formerly vManage)
- **Versions:** The specific vulnerable versions are listed in Cisco's February 2026 security advisory.
- **Configurations:** Systems with the Data Collection Agent (DCA) feature enabled (CVE-2026-20128) or those with API access enabled (CVE-2026-20122).
## Vulnerability Description
- **CVE-2026-20128:** An information disclosure vulnerability in the Data Collection Agent (DCA) feature. It stems from improper access controls, allowing an unauthenticated user to gain DCA user privileges.
- **CVE-2026-20133:** An information disclosure flaw that allows remote, unauthenticated attackers to view sensitive system information.
- **CVE-2026-20122:** An arbitrary file overwrite vulnerability. An authenticated attacker with read-only API credentials can upload malicious files to overwrite local system files, leading to an escalation to vManage user privileges.
## Exploitation
- **Status:** **Exploited in the wild.** (CISA added to KEV catalog; Cisco PSIRT confirmed active exploitation of CVE-2026-20128 and CVE-2026-20122).
- **Complexity:** Low to Medium
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** High (Unauthorized access to sensitive data and DCA privileges)
- **Integrity:** High (Ability to overwrite arbitrary local files)
- **Availability:** High (Potential for system instability or takeover)
## Remediation
### Patches
Cisco released patches for all three vulnerabilities in late February 2026. Admins should verify their version against the official advisory:
- **Cisco Catalyst SD-WAN Manager:** Versions containing the February 2026 fixes.
### Workarounds
- No specific workarounds were provided in the article; Cisco recommends immediate software updates due to active exploitation.
- Restrict API access to trusted networks/users to mitigate CVE-2026-20122.
## Detection
- **Indicators of Compromise:** Look for unauthorized file modifications in the vManage environment and unusual API calls from read-only accounts.
- **Detection methods and tools:** Monitor logs for unauthenticated access attempts to the Data Collection Agent (DCA) ports/services.
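
One way to run the read-only-account check above over API access logs, as an added example (not code from Cisco, CISA or the original article). The JSON-lines schema, field names, account names, addresses and `/example/api/...` paths are constructed assumptions; map them to whatever your logging pipeline actually records.

```python
import ipaddress
import json

# Constructed sample API access log (JSON lines). Field names, accounts,
# addresses and paths are assumptions, not a real SD-WAN Manager log schema.
SAMPLE_LOG = """\
{"user": "ro-monitor", "src": "10.0.5.20", "method": "GET", "path": "/example/api/status", "ctype": ""}
{"user": "ro-monitor", "src": "10.0.5.20", "method": "POST", "path": "/example/api/upload", "ctype": "multipart/form-data; boundary=x"}
{"user": "netadmin", "src": "10.0.5.31", "method": "PUT", "path": "/example/api/config", "ctype": "application/json"}
{"user": "ro-monitor", "src": "203.0.113.7", "method": "GET", "path": "/example/api/status", "ctype": ""}
not-json garbage line
"""

WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

def review_api_log(log_text, readonly_users, trusted_nets):
    """Return (line_no, user, reasons) for each record that needs review."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
            src = ipaddress.ip_address(rec["src"])
            user, method = rec["user"], rec["method"].upper()
        except (ValueError, KeyError, AttributeError, TypeError):
            # Malformed records are surfaced, not silently dropped.
            findings.append((line_no, None, ["unparseable"]))
            continue
        reasons = []
        # A read-only account should never issue a state-changing request.
        if user in readonly_users and method in WRITE_METHODS:
            reasons.append("write-by-readonly")
            if str(rec.get("ctype") or "").lower().startswith("multipart/form-data"):
                reasons.append("file-upload")
        # API access from outside the trusted management networks.
        if not any(src in net for net in nets):
            reasons.append("untrusted-source")
        if reasons:
            findings.append((line_no, user, reasons))
    return findings

if __name__ == "__main__":
    for finding in review_api_log(SAMPLE_LOG, {"ro-monitor"}, ["10.0.5.0/24"]):
        print(finding)
```
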
## References
- **Vendor Advisories:** hxxps[://]sec[.]cloudapps[.]cisco[.]com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-authbp-qwCX8D4v
- **CISA KEV Catalog:** hxxps[://]www[.]cisa[.]gov/known-exploited-vulnerabilities-catalog
- **Original Article:** hxxps[://]www[.]theregister[.]com/2026/04/21/cisco_sdwan_vulnerabilities_cisa/