Cisco has confirmed that two Catalyst SD-WAN Manager vulnerabilities (CVE-2026-20128 and CVE-2026-20122) patched in late February 2025 are being exploited by attackers.
The exploited vulnerabilities (CVE-2026-20128, CVE-2026-20122)
CVE-2026-20128 is a bug in the Data Collection Agent (DCA) feature of Cisco Catalyst SD-WAN Manager, which could allow an authenticated, local attacker to gain DCA user privileges on an affected system.
“To exploit this vulnerability, the attacker must have valid vmanage credentials on the affected system,” Cisco explained.
“This vulnerability is due to the presence of a credential file for the DCA user on an affected system. An attacker could exploit this vulnerability by accessing the filesystem as a low-privileged user and reading the file that contains the DCA password from that affected system. A successful exploit could allow the attacker to access another affected system and gain DCA user privileges.”
CVE-2026-20122 affects the solution’s API. If successfully exploited by authenticated, remote attackers, it allows them to overwrite arbitrary files on the affected system and gain vmanage user privileges.
Arthur Vidineyev of the Cisco Advanced Security Initiatives Group has been credited with uncovering these flaws, as well as three additional ones covered by the same advisory.
“Cisco strongly recommends that customers upgrade to a fixed software release to remediate these vulnerabilities,” the company added in the updated advisory.
The company did not share specific details about in-the-wild CVE-2026-20128 and CVE-2026-20122 exploitation, or whether these flaws are being leveraged by the “highly sophisticated” cyber threat actor whose activities were disclosed a week ago.
That threat actor exploited CVE-2026-20127 – a zero-day authentication bypass vulnerability – to “log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account,” and that use that access to “manipulate network configuration for the SD-WAN fabric.”
More fixes for Cisco security solutions
Also today, Cisco fixed 48 vulnerabilities in Cisco Secure Firewall ASA, Secure FMC, and Secure FTD Software.
While most of these are medium-severity, two have received a maximum severity score:
- CVE-2026-20079, an authentication bypass flaw in Cisco Secure Firewall Management Center Software, and
- CVE-2026-20131, a remote code execution vulnerability in the same software
The first one can be exploited by sending crafted HTTP requests to an affected device, and the latter by sending a crafted serialized Java object to the web-based management interface of an affected device.
The Dutch National Cyber Security Center said that it expects a public PoC for and large-scale attempts at abuse of these flaws in the short term, and urged admins to upgrade to a fixed version of the software as soon as possible.
Subscribe to our breaking news e-mail alert to never miss out on the latest breaches, vulnerabilities and cybersecurity threats. Subscribe here!
