Cisco Catalyst SD-WAN — Active Exploitation Alert

What Happened

Cisco released security patches on February 25 for five Catalyst SD-WAN vulnerabilities. On March 5, the company updated its advisory to warn that two of them — CVE-2026-20128 and CVE-2026-20122 — are already being exploited in the wild.

The Two Exploited CVEs

CVE-2026-20122 (CVSS 7.1) — Arbitrary File Overwrite
An arbitrary file overwrite bug affecting the API of the Catalyst SD-WAN Manager. It allows a remote, authenticated attacker to overwrite arbitrary files on the system and gain elevated privileges. Exploitation requires valid read-only credentials with API access.

CVE-2026-20128 (CVSS 5.5) — Credential/Privilege Escalation
A bug in the Data Collection Agent (DCA) feature. An attacker could exploit it by accessing the filesystem as a low-privileged user and reading a credential file containing the DCA password, then using that password to access another affected system and gain DCA user privileges.

Exploitation in the Wild

Third-party reporting describes exploitation attempts from numerous unique IP addresses and claims of web shell deployment, with a notable spike in activity on March 4, 2026.

Cisco has not shared any details on the attacks exploiting these vulnerabilities, but its description indicates they have been chained with other flaws.

Broader SD-WAN Attack Campaign

This comes on top of an already alarming situation. According to Cisco Talos, exploitation of CVE-2026-20127 (CVSS 10.0) has been linked to a group tracked as UAT-8616, described as a “highly sophisticated cyber threat actor.” Available evidence suggests the bug may have been exploited since at least 2023.

Britain’s National Cyber Security Centre warned that malicious cyber threat actors are targeting Cisco Catalyst SD-WAN used by organizations globally.

Patching Guidance

There are no workarounds to block these attacks. Cisco strongly urges administrators to upgrade immediately. Fixed software releases include versions 20.9.8.2, 20.12.5.3, or 20.18.2.1, depending on the release train currently deployed. Catalyst SD-WAN Manager releases 20.18 and later are not affected by either the critical authentication bypass or the actively exploited DCA flaw.
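To turn the fixed-release list above into a quick inventory check, here is an added example (not Cisco's tooling and not part of the original post) that maps each installed SD-WAN Manager version to the fixed release on its train and flags anything below it; the hostnames and versions in the sample inventory are constructed, and trains the post does not list are reported as UNLISTED rather than guessed.

```python
"""Triage Catalyst SD-WAN Manager versions against the fixed releases named above."""
import re

# Fixed releases as stated in the advisory summary, keyed by release train.
# Trains not listed here are reported as UNLISTED, not assumed fixed or vulnerable.
FIXED_RELEASES = {
    (20, 9): (20, 9, 8, 2),
    (20, 12): (20, 12, 5, 3),
    (20, 18): (20, 18, 2, 1),
}

def parse_version(text):
    """Turn '20.12.4.1' (or '20.12.4') into a 4-tuple of ints; reject junk."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){1,3}", text):
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (4 - len(parts))   # pad so 20.12.4 compares as 20.12.4.0

def triage(version_text):
    """Return (status, fixed_release_or_None) for one installed version."""
    v = parse_version(version_text)
    fixed = FIXED_RELEASES.get(v[:2])
    if fixed is None:
        return "UNLISTED", None              # consult the Cisco advisory for this train
    return ("FIXED" if v >= fixed else "VULNERABLE"), ".".join(map(str, fixed))

def triage_inventory(inventory):
    """inventory: {hostname: version}; returns rows sorted with vulnerable hosts first."""
    order = {"VULNERABLE": 0, "UNLISTED": 1, "FIXED": 2}
    rows = []
    for host, ver in inventory.items():
        status, fixed = triage(ver)
        rows.append((status, host, ver, fixed))
    return sorted(rows, key=lambda r: (order[r[0]], r[1]))

# Constructed sample inventory: hostnames and versions are made up for illustration.
SAMPLE_INVENTORY = {
    "vmanage-dc1": "20.12.4.1",
    "vmanage-dc2": "20.12.5.3",
    "vmanage-lab": "20.9.7",
    "vmanage-branch": "20.15.1",
    "vmanage-new": "20.18.2.1",
}

if __name__ == "__main__":
    for status, host, ver, fixed in triage_inventory(SAMPLE_INVENTORY):
        print(f"{status:<10} {host:<16} running {ver:<10} fixed: {fixed or 'see advisory'}")
```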

Recommended Actions for Defenders

  • Patch immediately to a fixed release
  • Restrict SD-WAN Manager admin interfaces from untrusted networks
  • Audit all API-access accounts, especially read-only roles
  • Review logs for abnormal outbound traffic or web shell activity
  • Check for lateral movement between SD-WAN Manager deployments

The situation remains actively evolving, with Cisco not yet sharing indicators of compromise (IOCs) or full attack chain details.
