Cisco Warns of More Catalyst SD-WAN Flaws Exploited in the Wild

Cisco warns that two recently patched Catalyst SD-WAN vulnerabilities (CVE-2026-20128 and CVE-2026-20122) are being actively exploited in the wild. These incidents follow a separate exploited zero-day (CVE-2026-20127) linked to threat actor UAT-8616, highlighting targeted attacks against Catalyst SD-WAN devices.

Key points

  • Cisco released patches for five Catalyst SD-WAN vulnerabilities on February 25.
  • Two patched flaws, CVE-2026-20128 and CVE-2026-20122, are confirmed to be exploited in the wild.
  • CVE-2026-20128 is an information disclosure issue in the Data Collection Agent that can grant DCA user privileges to a local authenticated attacker.
  • CVE-2026-20122 is an API arbitrary file overwrite that allows a remote authenticated attacker to overwrite files and gain elevated privileges.
  • An earlier zero-day, CVE-2026-20127, was exploited and linked to UAT-8616, reportedly chained with CVE-2022-20775 to bypass authentication and persist.

Read More: https://www.securityweek.com/cisco-warns-of-more-catalyst-sd-wan-flaws-exploited-in-the-wild/