Cyber: Cisco flags more SD-WAN flaws as actively exploited in attacks

Cisco has flagged two Catalyst SD-WAN Manager security flaws as actively exploited in the wild, urging administrators to upgrade vulnerable devices.

Catalyst SD-WAN Manager (formerly vManage) is network management software that enables admins to monitor and manage up to 6,000 Catalyst SD-WAN devices from a single centralized dashboard.

"In March 2026, the Cisco PSIRT became aware of active exploitation of the vulnerabilities that are described in CVE-2026-20128 and CVE-2026-20122 only," the company warned in an update to a February 25 advisory.

"The vulnerabilities that are described in the other CVEs in this advisory are not known to have been compromised. Cisco strongly recommends that customers upgrade to a fixed software release to remediate these vulnerabilities."

The high-severity arbitrary file overwrite vulnerability (CVE-2026-20122) can only be exploited by remote attackers with valid read-only credentials with API access, while the medium-severity information disclosure flaw (CVE-2026-20128) requires local attackers to have valid vmanage credentials on the targeted systems.

Cisco added that these vulnerabilities affect Catalyst SD-WAN Manager software, regardless of device configuration.

Last week, the company also tagged a critical authentication bypass vulnerability (CVE-2026-20127) as exploited in zero-day attacks, which have enabled highly sophisticated threat actors to compromise controllers and add rogue peers to targeted networks since at least 2023.

These rogue peers allow attackers to insert legitimate-looking malicious devices, enabling them to move deeper into compromised networks.

BleepingComputer