Patches

More Cisco SD-WAN bugs battered in attacks

CISA gives federal agencies 4 days to patch

Jessica Lyons
Tue 21 Apr 2026 // 17:30 UTC

America's lead cyber-defense agency has warned that three Cisco Catalyst SD-WAN Manager bugs are under attack, and given federal agencies just four days to patch the security holes.

The US Cybersecurity and Infrastructure Security Agency (CISA) added all three to its Known Exploited Vulnerabilities Catalog on Monday, joining at least two other Cisco SD-WAN CVEs on the list, and set a Thursday deadline for federal agencies to fix.

Cisco's Catalyst SD-WAN Manager platform, formerly known as vManage, sits at the center of many organizations' SD-WAN deployments and can manage up to 6,000 edge devices in a cluster.

The first flaw, CVE-2026-20128, is an information disclosure vulnerability in the data collection agent (DCA) feature of Cisco Catalyst SD-WAN Manager that allows unauthenticated, remote attackers to gain DCA user privileges on an affected system.

CVE-2026-20133 is another information disclosure bug that allows unauthenticated, remote attackers to view sensitive information on affected systems.

And finally, CVE-2026-20122 is an arbitrary file overwrite flaw that could let an authenticated remote attacker with valid read-only API credentials upload a malicious file, overwrite arbitrary local files, and gain vManage user privileges.

Cisco patched all three CVEs in late February, and in March warned of attackers abusing two of the three. "In March 2026, the Cisco PSIRT became aware of active exploitation of the vulnerabilities that are described in CVE-2026-20128 and CVE-2026-20122 only."

At press time, the networking vendor's advisory still doesn't list CVE-2026-20133 as being under active exploitation.

Cisco didn't immediately respond to The Register's questions, including the scope of attacks and what miscreants are doing with this illicit access. ®
Three new Cisco Catalyst SD-WAN Manager vulnerabilities are under active exploitation: CVE-2026-20128 (CVSS 7.5) allows unauthenticated attackers to gain DCA user privileges, CVE-2026-20133 (CVSS 6.5) permits unauthenticated information disclosure, and CVE-2026-20122 (CVSS 5.4) allows authenticated attackers with read-only credentials to overwrite files and gain vManage user privileges. Affected releases are, broadly, all those earlier than the fixed versions: releases prior to 20.9.8.2, between 20.10 and 20.12.5.3, between 20.13 and 20.15.4.2, and between 20.16 and 20.18 (or 20.18.2.1 for some CVEs). Cisco has released patches in versions 20.9.8.2, 20.12.5.3, 20.15.4.2, and 20.18/20.18.2.1, and CISA has mandated that federal agencies patch within four days because of the active attacks.