Cisco is warning customers that two recently patched Catalyst SD-WAN vulnerabilities are being exploited in the wild.
The networking giant informed customers on February 25 about the availability of patches for five Catalyst SD-WAN flaws, including critical and high-severity issues that can be exploited to access vulnerable systems and elevate privileges to root.
Cisco updated its advisory on March 5 to warn that it has become aware of active exploitation for two of the five vulnerabilities: CVE-2026-20128 and CVE-2026-20122.
CVE-2026-20128 is an information disclosure issue affecting the Data Collection Agent (DCA) feature of Catalyst SD-WAN Manager, allowing an authenticated, local attacker to gain DCA user privileges on the targeted system.
CVE-2026-20122 is an arbitrary file overwrite bug affecting the API of the Catalyst SD-WAN Manager. It allows a remote, authenticated attacker to overwrite arbitrary files on the system and gain elevated privileges.
Cisco has not shared any details on the attacks exploiting these vulnerabilities, but its description indicates they have been chained with other flaws.
The company’s announcement comes roughly a week after it warned customers that a critical zero-day vulnerability affecting Catalyst SD-WAN had been exploited in the wild.
Tracked as CVE-2026-20127, that security hole can be exploited remotely to bypass authentication and obtain admin privileges on a vulnerable device.
CISA and other cybersecurity agencies reported that CVE-2026-20127 has been chained with an older Catalyst vulnerability, CVE-2022-20775, to bypass authentication, escalate privileges, and establish persistence on the targeted system.
Cisco Talos linked those attacks to UAT-8616, a highly sophisticated threat actor that has been active since at least 2023.
It’s unclear if all of these Catalyst SD-WAN vulnerabilities have been exploited in the same or different campaigns.
Cisco also warned recently about zero-day attacks conducted by a China-linked APT tracked as UAT-9686.