Cisco has confirmed active exploitation of two vulnerabilities affecting Cisco Catalyst SD-WAN Manager (formerly vManage): CVE-2026-20122 and CVE-2026-20128. Both flaws require authenticated access but enable attackers to escalate privileges and overwrite files on vulnerable systems. These disclosures follow the earlier exploitation of CVE-2026-20127, a critical zero-day authentication bypass with a CVSS score of 10.0 that has been actively weaponized by a sophisticated threat actor tracked as UAT-8616 since at least 2023. Cisco PSIRT confirmed the in-the-wild exploitation in March 2026, though the company declined to disclose the scale of the attacks or attribute them to a specific actor in connection with the two newly confirmed CVEs.
The two exploited vulnerabilities are distinct in their attack surface and mechanism. CVE-2026-20122, with a CVSS score of 7.1, resides in the SD-WAN Manager API and allows an authenticated remote attacker to overwrite arbitrary files on the affected system, ultimately gaining vmanage user privileges by exploiting improper file handling logic. CVE-2026-20128, with a CVSS score of 5.5, targets the Data Collection Agent (DCA) feature and permits an authenticated local attacker to read a credential file accessible to low-privileged users, thereby escalating to DCA user privileges. Together, these vulnerabilities can be chained to build a foothold that enables persistent access within an organization's software-defined wide area network (SD-WAN) fabric. Three additional vulnerabilities, CVE-2026-20126, CVE-2026-20129, and CVE-2026-20133, were patched in the same release cycle, though Cisco has not confirmed active exploitation of those three at this time.
The broader threat context makes this disclosure particularly serious. Cisco's Catalyst SD-WAN platform is deployed widely across enterprise and critical infrastructure environments to manage network traffic, optimize connectivity, and enable secure remote access. Compromise of SD-WAN Manager gives attackers centralized visibility into and control over the entire managed network fabric. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 26-03 in February 2026, directing Federal Civilian Executive Branch agencies to immediately identify and remediate vulnerabilities in Cisco Catalyst SD-WAN systems. The Dutch National Cyber Security Centre (NCSC) has separately assessed that public proof-of-concept exploits and large-scale exploitation attempts are likely as awareness of these vulnerabilities grows. Organizations that have not yet applied available patches should treat this situation as an urgent priority.
CVE-2026-20122, with a CVSS score of 7.1, is an arbitrary file overwrite vulnerability in the Cisco Catalyst SD-WAN Manager API. The flaw stems from improper file handling in the vManage API layer, allowing an authenticated remote attacker with read-only API credentials to overwrite files on the system's local filesystem and subsequently gain vmanage-level user privileges. Active exploitation of this vulnerability has been confirmed by Cisco PSIRT as of March 2026. Affected software versions include releases prior to 20.9.8.2, 20.15.4.2, and 20.18.2.1 depending on the version branch in use, and organizations running unpatched instances should treat any system with externally accessible API endpoints as potentially compromised.
CVE-2026-20128, with a CVSS score of 5.5, is an information disclosure vulnerability in the DCA feature of Cisco Catalyst SD-WAN Manager. An attacker who has already gained a low-privileged foothold on the affected system can access a filesystem-resident credential file containing the DCA service account password, enabling privilege escalation to DCA user level. Cisco has confirmed active exploitation of this vulnerability in March 2026. While the CVSS score reflects the authenticated, local nature of the attack, the real-world risk is elevated when CVE-2026-20128 is used as a second-stage capability following initial access gained through CVE-2026-20122 or the previously disclosed CVE-2026-20127.
CVE-2026-20127, with a CVSS score of 10.0, is a critical authentication bypass zero-day in Cisco Catalyst SD-WAN Controller and Manager that has been exploited by the threat actor UAT-8616 since at least 2023. Successful exploitation allows an unauthenticated remote attacker to log in as a high-privileged internal account and manipulate the SD-WAN fabric. CISA included this vulnerability in its Known Exploited Vulnerabilities catalog and issued Emergency Directive 26-03 specifically in response to this threat. UAT-8616 is assessed with high confidence by Cisco Talos as a highly sophisticated cyber threat actor, though formal nation-state attribution has not been publicly released.
Separately, Cisco released patches for two maximum-severity vulnerabilities in Cisco Secure Firewall Management Center: CVE-2026-20079 and CVE-2026-20131, both carrying CVSS scores of 10.0. CVE-2026-20079 allows an unauthenticated remote attacker to bypass authentication via crafted HTTP requests, while CVE-2026-20131 enables remote code execution as root via a crafted serialized Java object submitted to the web interface. Although active exploitation of these firewall vulnerabilities has not been confirmed at the time of this writing, the maximum severity and the attacker's access level make immediate patching essential for all organizations running affected Secure Firewall Management Center deployments.
Organizations running unpatched versions of Cisco Catalyst SD-WAN Manager face significant operational exposure. Successful exploitation of CVE-2026-20122 and CVE-2026-20128 provides authenticated attackers with escalated privileges within the SD-WAN management plane, potentially enabling them to alter routing policies, intercept or redirect traffic, deploy backdoors, and maintain persistent access across the organization's wide area network. Because Catalyst SD-WAN Manager serves as the centralized control point for distributed network infrastructure, a compromise of this system can have cascading effects on branch connectivity, remote access, and network segmentation. The UAT-8616 threat actor's demonstrated patience - operating undetected since 2023 - indicates that organizations may already have persistent implants within their environments that predate current patching efforts.
From a compliance and regulatory standpoint, confirmed exploitation of these vulnerabilities in environments subject to federal oversight is directly in scope for CISA Emergency Directive 26-03, which mandated remediation for Federal Civilian Executive Branch agencies by February 27, 2026. Organizations in regulated industries, including financial services, healthcare, and energy, may also face obligations under frameworks such as NIST SP 800-53, NERC CIP, and PCI DSS to document, remediate, and report confirmed or suspected compromises of network management systems. The parallel disclosure of critical Cisco Secure Firewall Management Center vulnerabilities further broadens the potential compliance and security audit surface for organizations relying on the broader Cisco security portfolio.
Organizations should take the following actions immediately to reduce exposure and assess potential compromise from these vulnerabilities:
1. Apply all available Cisco patches for Catalyst SD-WAN Manager, upgrading to version 20.9.8.2, 20.15.4.2, or 20.18.2.1 as appropriate for the installed release branch; systems running earlier versions not covered by a supported release should be migrated to a fixed version.
2. Restrict network access to the SD-WAN Manager web UI and API to trusted management networks only, and disable HTTP access to the administrator portal, enforcing HTTPS with strong mutual TLS where possible.
3. Disable HTTP and FTP services on SD-WAN Manager nodes if these services are not required, and audit all active services and open ports against a known-good baseline.
4. Conduct a forensic review of SD-WAN Manager hosts for indicators of compromise, including unauthorized SSH public keys added for root, modifications to SSH configuration enabling PermitRootLogin, anomalous or newly created user accounts, unusual root login activity in utmp/wtmp/btmp logs, and any evidence of log file truncation or deletion suggesting active tampering.
5. Apply available patches for Cisco Secure Firewall Management Center to address CVE-2026-20079 and CVE-2026-20131, and change all default administrator credentials on affected appliances as an immediate interim measure regardless of patching status.
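A host-level triage script for the indicators in step 4, added here as an illustrative example rather than Cisco's or CISA's own tooling. It assumes a Linux host with an OpenSSH-style sshd_config and a text auth log, and runs against a constructed sample tree (fake keys, accounts and log lines) that an investigator would replace with "/" on the live host or the mount point of a forensic image.

```shell
# Added host-triage helpers for the indicators in step 4 (not Cisco's or CISA's tooling). Each
# check takes a filesystem root ("/" on a live host, or a mounted image), prints findings and
# returns 1, or returns 0 when clean. Assumes a Linux host with OpenSSH and a text auth log.
# PermitRootLogin set to anything but "no" in sshd_config or an Include'd fragment (confirm
# the effective value with `sshd -T` on a live host, since the first value sshd reads wins).
check_permit_root_login() {
    grep -HnE '^[[:space:]]*PermitRootLogin[[:space:]]+(yes|without-password|prohibit-password)' \
        "$1/etc/ssh/sshd_config" "$1"/etc/ssh/sshd_config.d/*.conf 2>/dev/null && return 1
    return 0
}
# Root authorized_keys entries missing from a known-good baseline file ($2); only key type and
# key blob are compared, so option prefixes and trailing comments cannot hide a key.
check_root_authorized_keys() {
    [ -f "$1/root/.ssh/authorized_keys" ] || return 0
    awk '{for (i = 1; i <= NF; i++) if ($i ~ /^(ssh-|ecdsa-|sk-)/) {print $i, $(i+1); break}}' \
        "$1/root/.ssh/authorized_keys" | grep -vxF -f "$2" && return 1
    return 0
}
# Accounts other than root that carry UID 0.
check_extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" {print "uid-0 account: " $1}' "$1/etc/passwd" | grep . && return 1
    return 0
}
# Emptied login records (wtmp/btmp/auth.log at zero bytes) and root SSH logins from outside the
# management prefix $2. On a live host, pair this with `last -f /var/log/wtmp root`.
check_login_records() {
    hit=0
    for f in "$1/var/log/wtmp" "$1/var/log/btmp" "$1/var/log/auth.log"; do
        if [ -e "$f" ] && [ ! -s "$f" ]; then echo "zero-length log: $f"; hit=1; fi
    done
    grep -hE 'Accepted (password|publickey) for root from' "$1/var/log/auth.log" 2>/dev/null \
        | grep -vF "for root from $2" && hit=1
    return $hit
}
# Constructed sample tree (fake keys, accounts and log lines) so the checks run offline.
build_sample() {
    d=$(mktemp -d); mkdir -p "$d/etc/ssh/sshd_config.d" "$d/root/.ssh" "$d/var/log"; : > "$d/var/log/btmp"
    printf 'Include /etc/ssh/sshd_config.d/*.conf\nPermitRootLogin no\n' > "$d/etc/ssh/sshd_config"
    printf 'PermitRootLogin yes\n' > "$d/etc/ssh/sshd_config.d/99-local.conf"
    printf 'ssh-ed25519 AAAAC3fake1 ops@mgmt\ncommand="/bin/sh" ssh-rsa AAAAB3fake2 x\n' > "$d/root/.ssh/authorized_keys"
    printf 'ssh-ed25519 AAAAC3fake1\n' > "$d/baseline.keys"
    printf 'root:x:0:0::/root:/bin/sh\nvmanage:x:1001:1001::/home/vmanage:/bin/sh\nsupport:x:0:0::/:/bin/sh\n' > "$d/etc/passwd"
    printf 'Mar  3 02:14:05 vmanage sshd[4121]: Accepted publickey for root from 10.10.0.5 port 50122 ssh2\n%s\n' \
        'Mar  3 03:41:19 vmanage sshd[4388]: Accepted password for root from 203.0.113.7 port 41002 ssh2' > "$d/var/log/auth.log"
    echo "$d"
}
SAMPLE=$(build_sample); MGMT_PREFIX="10.10.0."; STATUS=0
check_permit_root_login "$SAMPLE" || STATUS=1
check_root_authorized_keys "$SAMPLE" "$SAMPLE/baseline.keys" || STATUS=1
check_extra_uid0 "$SAMPLE" || STATUS=1
check_login_records "$SAMPLE" "$MGMT_PREFIX" || STATUS=1
echo "triage findings present: $STATUS"
```

Each finding is printed with enough context (file path, key blob, account name, source address) to seed a preservation and incident response workflow rather than to be acted on automatically.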
Organizations that confirm indicators of compromise should initiate incident response procedures and preserve forensic artifacts prior to remediation to support root cause analysis. CISA's joint guidance, including the Cisco SD-WAN Threat Hunt Guide co-authored by CISA, NSA, NCSC-UK, NCSC-NZ, and the Australian Signals Directorate's ACSC, provides specific network-level and host-level investigation procedures for this threat.
1898 & Co. maintains continuous monitoring of Cisco security disclosures and actively tracks exploitation activity affecting network infrastructure platforms widely deployed in industrial and enterprise environments. Our security operations and threat intelligence teams reviewed this advisory upon Cisco's initial disclosure and assessed the potential impact across our client base, with particular attention to organizations operating SD-WAN deployments in operational technology-adjacent and critical infrastructure environments. Clients with managed security services through 1898 & Co. have been assessed for exposure based on their known technology inventories.
The 1898 & Co. incident response and industrial cybersecurity practitioners are experienced in investigating network management platform compromises, including lateral movement scenarios that originate from SD-WAN or network orchestration systems. Our team has the tooling and expertise to conduct forensic triage aligned with CISA's Cisco SD-WAN Threat Hunt Guide, including review of authentication logs, SSH key inventories, filesystem integrity, and network telemetry for signs of unauthorized access consistent with UAT-8616 TTPs. Clients who have reason to believe their SD-WAN environments may be compromised are encouraged to contact our team promptly to scope an investigation.
More broadly, 1898 & Co. advocates for a defense-in-depth approach to network management security, including strict segmentation of management plane traffic, multi-factor authentication enforcement on all network management systems, and regular configuration integrity audits. The active exploitation confirmed in this advisory, combined with CISA's issuance of a binding Emergency Directive, underscores that Cisco SD-WAN infrastructure represents a high-value target category for sophisticated threat actors and should be treated accordingly in organizational risk and patching programs.
1. ED 26-03: Mitigate Vulnerabilities in Cisco SD-WAN Systems - CISA
2. CISA and Partners Release Guidance for Ongoing Global Exploitation of Cisco SD-WAN Systems - CISA
3. Supplemental Direction ED 26-03: Hunt and Hardening Guidance for Cisco SD-WAN Systems - CISA