Executive Summary
In March 2026, Cisco disclosed active exploitation of two vulnerabilities in its Catalyst SD-WAN Manager: CVE-2026-20122 and CVE-2026-20128. CVE-2026-20122 allows authenticated remote attackers with read-only API access to overwrite arbitrary files on the local file system, potentially escalating privileges. CVE-2026-20128 enables authenticated local attackers to access credential files, granting Data Collection Agent (DCA) user privileges. These vulnerabilities affect multiple versions of the software, with patches released in late February 2026. Organizations are urged to update to fixed releases promptly to mitigate risks. (cisco.com)
Why This Matters Now
The active exploitation of these vulnerabilities underscores the critical need for timely software updates and robust access controls. As attackers increasingly target network infrastructure components, organizations must prioritize patch management and monitor for unusual activities to prevent unauthorized access and potential data breaches.
Attack Path Analysis
An attacker with valid read-only API credentials exploited the file overwrite vulnerability (CVE-2026-20122) in Cisco Catalyst SD-WAN Manager to gain vmanage user privileges. With that access, the attacker read the credential file for the Data Collection Agent (DCA) user (CVE-2026-20128), escalating privileges further. Using these elevated privileges, the attacker moved laterally across the SD-WAN infrastructure, established command and control channels to maintain persistent access, and exfiltrated sensitive data from the compromised systems. The attack resulted in significant operational disruption and potential data loss.
Kill Chain Progression
Initial Compromise
Description
An attacker with valid read-only API credentials exploited a file overwrite vulnerability in Cisco Catalyst SD-WAN Manager to gain vmanage user privileges.
Related CVEs
CVE-2026-20122
CVSS 5.4. A vulnerability in the API of Cisco Catalyst SD-WAN Manager allows an authenticated, remote attacker with read-only credentials to overwrite arbitrary files on the local file system, potentially gaining vmanage user privileges.
Affected Products:
Cisco Catalyst SD-WAN Manager – < 20.9.8.2, 20.11, 20.12, 20.13, 20.14, 20.15, 20.16, 20.18
Exploit Status:
exploited in the wild
CVE-2026-20128
CVSS 7.5. A vulnerability in the Data Collection Agent (DCA) feature of Cisco Catalyst SD-WAN Manager allows an authenticated, local attacker with vmanage credentials to gain DCA user privileges by accessing a credential file on the system.
Affected Products:
Cisco Catalyst SD-WAN Manager – 20.11, 20.12, 20.13, 20.14, 20.15, 20.16, 20.18
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
- Valid Accounts (sub-techniques: Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts)
- File and Directory Discovery
- OS Credential Dumping (sub-technique: LSASS Memory)
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches.
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Implement strong authentication mechanisms and manage identities effectively.
Control ID: Pillar 1: Identity
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Telecommunications
Critical SD-WAN infrastructure vulnerabilities enable arbitrary file overwrite and privilege escalation, compromising network segmentation and encrypted traffic controls essential for telecom operations.
Financial Services
Active exploitation of Cisco SD-WAN Manager threatens zero trust segmentation and egress security, risking compliance violations and lateral movement across financial network infrastructure.
Health Care / Life Sciences
Network infrastructure attacks against SD-WAN systems compromise HIPAA-required encryption and access controls, enabling data exfiltration from healthcare multicloud environments and patient systems.
Government Administration
Sophisticated threat actor UAT-8616 targeting SD-WAN controllers poses national security risks through persistent footholds and compromised visibility controls in government network infrastructure.
Sources
- Cisco Confirms Active Exploitation of Two Catalyst SD-WAN Manager Vulnerabilities: https://thehackernews.com/2026/03/cisco-confirms-active-exploitation-of.html
- Cisco Catalyst SD-WAN Vulnerabilities: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-authbp-qwCX8D4v
- NVD - CVE-2026-20122: https://nvd.nist.gov/vuln/detail/CVE-2026-20122
- NVD - CVE-2026-20128: https://nvd.nist.gov/vuln/detail/CVE-2026-20128
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have limited the attacker's lateral movement and data exfiltration by enforcing strict segmentation and identity-aware policies within the cloud infrastructure.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to exploit the file overwrite vulnerability may have been constrained by CNSF's embedded security controls, potentially limiting unauthorized access.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges could have been limited by Zero Trust Segmentation, potentially reducing unauthorized access to sensitive credentials.
Control: East-West Traffic Security
Mitigation: The attacker's lateral movement within the SD-WAN infrastructure could have been constrained by East-West Traffic Security, potentially limiting unauthorized access between workloads.
Control: Multicloud Visibility & Control
Mitigation: The establishment of command and control channels may have been detected and constrained by Multicloud Visibility & Control, potentially limiting persistent unauthorized access.
Control: Egress Security & Policy Enforcement
Mitigation: The exfiltration of sensitive data could have been limited by Egress Security & Policy Enforcement, potentially reducing unauthorized data transfers.
The operational disruption and data loss could have been mitigated by CNSF's comprehensive security controls, potentially reducing the overall impact of the attack.
Impact at a Glance
Affected Business Functions
- Network Management
- Data Collection
- System Administration
Estimated downtime: 3 days
Estimated loss: $50,000
Potential exposure of system configuration data and administrative credentials.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to enforce least privilege access and limit lateral movement.
- Deploy East-West Traffic Security controls to monitor and restrict internal traffic flows.
- Utilize Multicloud Visibility & Control solutions to detect anomalous activities across cloud environments.
- Enforce Egress Security & Policy Enforcement to prevent unauthorized data exfiltration.
- Apply Inline IPS (Suricata) to detect and block known exploit patterns and malicious payloads.