Executive Summary
In March 2026, Cisco disclosed active exploitation of two vulnerabilities in its Catalyst SD-WAN Manager: CVE-2026-20122 and CVE-2026-20128. CVE-2026-20122 is a high-severity arbitrary file overwrite vulnerability that allows authenticated remote attackers with read-only API access to overwrite files on the local file system, potentially escalating privileges. CVE-2026-20128 is a medium-severity information disclosure flaw enabling authenticated local attackers with valid vManage credentials to access sensitive information, facilitating lateral movement within networks. These vulnerabilities affect all configurations of the Catalyst SD-WAN Manager software. (cisco.com)
The active exploitation of these vulnerabilities underscores the persistent targeting of network infrastructure by sophisticated threat actors. Organizations utilizing Cisco's SD-WAN solutions must prioritize immediate remediation to mitigate potential breaches and maintain network integrity. (thehackernews.com)
Why This Matters Now
The active exploitation of these vulnerabilities highlights the urgent need for organizations to update their Cisco Catalyst SD-WAN Manager software to prevent unauthorized access and potential data breaches. (cisco.com)
Attack Path Analysis
An attacker exploited vulnerabilities in Cisco Catalyst SD-WAN Manager to gain initial access, escalated privileges to the vmanage user, moved laterally within the network, established command and control channels, exfiltrated sensitive data, and potentially disrupted network operations.
Kill Chain Progression
Initial Compromise
Description
The attacker exploited CVE-2026-20122, an arbitrary file overwrite vulnerability in the API of Cisco Catalyst SD-WAN Manager, using valid read-only credentials to upload a malicious file and gain vmanage user privileges.
Related CVEs
CVE-2026-20122
CVSS 5.4A vulnerability in the API of Cisco Catalyst SD-WAN Manager allows an authenticated, remote attacker with read-only credentials to overwrite arbitrary files on the local file system, potentially gaining vmanage user privileges.
Affected Products:
Cisco Catalyst SD-WAN Manager – < 20.9.8.2
Exploit Status:
exploited in the wildCVE-2026-20128
CVSS 7.5A vulnerability in the Data Collection Agent feature of Cisco Catalyst SD-WAN Manager allows an authenticated, local attacker with valid vmanage credentials to gain DCA user privileges by accessing a credential file.
Affected Products:
Cisco Catalyst SD-WAN Manager – < 20.18
Exploit Status:
exploited in the wildCVE-2026-20127
CVSS 10A vulnerability in the peering authentication of Cisco Catalyst SD-WAN Controller and Manager allows an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges.
Affected Products:
Cisco Catalyst SD-WAN Controller – < 20.9.8.2
Cisco Catalyst SD-WAN Manager – < 20.9.8.2
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Techniques identified for SEO/filtering; may be expanded with full STIX/TAXII enrichment later.
Exploit Public-Facing Application
Exploitation for Privilege Escalation
Create Account: Local Account
Account Manipulation: SSH Authorized Keys
Boot or Logon Initialization Scripts
Indicator Removal: Clear Logs
Remote Services
Application Layer Protocol
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Change Control Processes
Control ID: 6.4.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Identity
Control ID: Pillar 1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Telecommunications
SD-WAN infrastructure vulnerabilities enable network compromise, rogue device insertion, and lateral movement across critical communication networks managing thousands of devices.
Financial Services
Authentication bypass and file overwrite flaws threaten secure financial networks, enabling data exfiltration and compliance violations under PCI requirements.
Government Administration
Federal agencies face CISA Emergency Directive requirements due to sophisticated threat actors exploiting SD-WAN zero-days since 2023 for network infiltration.
Health Care / Life Sciences
Network infrastructure vulnerabilities compromise HIPAA-compliant systems, enabling unauthorized access to patient data through malicious peer insertion and privilege escalation.
Sources
- Cisco flags more SD-WAN flaws as actively exploited in attackshttps://www.bleepingcomputer.com/news/security/cisco-flags-more-sd-wan-flaws-as-actively-exploited-in-attacks/Verified
- Cisco Catalyst SD-WAN Vulnerabilitieshttps://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-authbp-qwCX8D4vVerified
- Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerabilityhttps://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZkVerified
- CISA Known Exploited Vulnerabilities Cataloghttps://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-20127Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Aviatrix Zero Trust Cloud Native Security Fabric (CNSF) is pertinent to this incident as it could have significantly limited the attacker's ability to escalate privileges, move laterally, and exfiltrate data within the cloud environment.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to exploit the vulnerability may have been constrained by CNSF's embedded security controls, potentially limiting unauthorized file uploads and privilege escalation.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges may have been limited by Zero Trust Segmentation, potentially restricting access to sensitive system components.
Control: East-West Traffic Security
Mitigation: The attacker's lateral movement within the network may have been constrained by East-West Traffic Security, potentially limiting unauthorized access to other systems.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to establish and maintain command and control channels may have been limited by Multicloud Visibility & Control, potentially restricting unauthorized external communications.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's ability to exfiltrate sensitive data may have been constrained by Egress Security & Policy Enforcement, potentially limiting unauthorized data transfers.
The potential for network disruption may have been reduced by CNSF's comprehensive security controls, potentially limiting unauthorized configuration changes.
Impact at a Glance
Affected Business Functions
- Network Management
- Data Transmission
- Remote Access
Estimated downtime: 7 days
Estimated loss: $500,000
Potential exposure of network configurations and sensitive operational data.
Recommended Actions
Key Takeaways & Next Steps
- • Implement Zero Trust Segmentation to enforce least privilege access and prevent unauthorized lateral movement.
- • Deploy East-West Traffic Security controls to monitor and restrict internal traffic flows, mitigating lateral movement risks.
- • Utilize Multicloud Visibility & Control solutions to detect anomalous interactions and repeated malformed requests indicative of exploitation attempts.
- • Apply Egress Security & Policy Enforcement to control outbound traffic and prevent data exfiltration to unauthorized destinations.
- • Regularly update and patch systems to remediate known vulnerabilities, reducing the attack surface for potential exploits.
