Cyber: Cisco Confirms Active Exploitation Of Two Catalyst Sd-wan Manager...

Cisco has disclosed that two more vulnerabilities affecting Catalyst SD-WAN Manager (formerly SD-WAN vManage) have come under active exploitation in the wild.

Patches for the security defects, along with CVE-2026-20126, CVE-2026-20129, and CVE-2026-20133, were released by Cisco late last month in the following versions -

"In March 2026, the Cisco PSIRT became aware of active exploitation of the vulnerabilities that are described in CVE-2026-20128 and CVE-2026-20122 only," the networking equipment major said. The company did not elaborate on the scale of the activity and who may be behind it.

In light of active exploitation, users are recommended to update to a fixed software release as soon as possible, and take steps to limit access from unsecured networks, secure the appliances behind a firewall, disable HTTP for the Catalyst SD-WAN Manager web UI administrator portal, turn off network services like HTTP and FTP if not required, change the default administrator password, and monitor log traffic for any unexpected traffic to and from systems.

The disclosure comes a week after the company said a critical security flaw in Cisco Catalyst SD-WAN Controller and Catalyst SD-WAN Manager (CVE-2026-20127, CVSS score: 10.0) has been exploited by a highly sophisticated cyber threat actor tracked as UAT-8616 to establish persistent footholds into high-value organizations.

This week, Cisco also released updates to address two maximum-severity security vulnerabilities in Secure Firewall Management Center (CVE-2026-20079 and CVE-2026-20131, CVSS scores: 10.0) that could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary Java code as root on an affected device.

Source: The Hacker News