Cisco warns that two additional Catalyst SD-WAN Manager vulnerabilities (CVE-2026-20122 and CVE-2026-20128) are being actively exploited in the wild and urges administrators to upgrade vulnerable devices. The flaws affect Catalyst SD-WAN Manager regardless of configuration: one is a high-severity arbitrary file overwrite exploitable with read-only API credentials, and the other is a medium-severity information disclosure that requires local vManage credentials. They follow earlier zero-day compromises such as CVE-2026-20127. #CatalystSDWANManager #CVE202620122
Key points
- Cisco confirmed active exploitation of CVE-2026-20122 and CVE-2026-20128 in Catalyst SD-WAN Manager.
- Cisco strongly recommends upgrading to fixed software releases to remediate the vulnerabilities.
- CVE-2026-20122 is a high-severity arbitrary file overwrite exploitable by remote attackers with valid read-only API credentials.
- CVE-2026-20128 is a medium-severity information disclosure that requires local vManage credentials and impacts systems regardless of configuration.
- Related SD-WAN zero-days (notably CVE-2026-20127) have been exploited since 2023, prompting CISA Emergency Directive 26-03; Cisco also patched critical FMC flaws CVE-2026-20079 and CVE-2026-20131.