Cisco Warns of More Catalyst SD-WAN Flaws Exploited in the Wild

The networking giant has added the recently patched CVE-2026-20128 and CVE-2026-20122 to the list of exploited vulnerabilities.

By Eduard Kovacs | March 5, 2026 (7:15 AM ET)

Cisco is warning customers that two recently patched Catalyst SD-WAN vulnerabilities are being exploited in the wild.

The networking giant informed customers on February 25 about the availability of patches for five Catalyst SD-WAN flaws, including critical and high-severity issues that can be exploited to access vulnerable systems and elevate privileges to root.

Cisco updated its advisory on March 5 to warn that it has become aware of active exploitation for two of the five vulnerabilities: CVE-2026-20128 and CVE-2026-20122.

CVE-2026-20128 is an information disclosure issue affecting the Data Collection Agent (DCA) feature of Catalyst SD-WAN Manager, allowing an authenticated, local attacker to gain DCA user privileges on the targeted system.

CVE-2026-20122 is an arbitrary file overwrite bug affecting the API of the Catalyst SD-WAN Manager. It allows a remote, authenticated attacker to overwrite arbitrary files on the system and gain elevated privileges.

Cisco has not shared any details on the attacks exploiting these vulnerabilities, but its description indicates they have been chained with other flaws.

The company’s announcement comes roughly a week after it warned customers that a critical zero-day vulnerability affecting Catalyst SD-WAN has been exploited in the wild. Tracked as CVE-2026-20127, that security hole can be exploited remotely to bypass authentication and obtain admin privileges on a vulnerable device.

CISA and other cybersecurity agencies reported that CVE-2026-20127 has been chained with an older Catalyst vulnerability, CVE-2022-20775, to bypass authentication, escalate privileges, and establish persistence on the targeted system. Cisco Talos linked those attacks to UAT-8616, a highly sophisticated threat actor that has been active since at least 2023.

It’s unclear if all of these Catalyst SD-WAN vulnerabilities have been exploited in the same or different campaigns.

Cisco also warned recently about zero-day attacks conducted by a China-linked APT tracked as UAT-9686.

Written by Eduard Kovacs. Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
Cisco has confirmed active exploitation of two Catalyst SD-WAN Manager vulnerabilities: CVE-2026-20128 (CVSS 7.5), an information disclosure flaw allowing local privilege escalation to DCA user, and CVE-2026-20122 (CVSS 5.4), an arbitrary file overwrite bug enabling authenticated remote attackers to gain elevated privileges. Affected versions include Catalyst SD-WAN Manager prior to 20.9.8.2, versions 20.11.x before 20.12.5.3, versions 20.13.x before 20.15.4.2, and versions 20.16.x before 20.18.2.1. Cisco advises upgrading to fixed versions 20.9.8.2, 20.12.5.3, 20.15.4.2, or 20.18.2.1 as appropriate for the specific branch in use.
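
For triaging an inventory against the fixed releases listed above, the following is an added example, not code from Cisco or from this article. It assumes dotted numeric version strings and reads each range as running from the named release train up to its fixed release; the hostnames are constructed, and versions outside the listed ranges are reported as unknown rather than guessed.

```python
# Added example: compare SD-WAN Manager versions with the fixed releases
# quoted in the summary. Range bounds are an interpretation of that wording
# (assumption); anything outside them is "unknown", not "safe".

# (first affected train or None, fixed release), as listed on the page.
RANGES = [
    (None, (20, 9, 8, 2)),         # "prior to 20.9.8.2"
    ((20, 11), (20, 12, 5, 3)),    # "20.11.x before 20.12.5.3"
    ((20, 13), (20, 15, 4, 2)),    # "20.13.x before 20.15.4.2"
    ((20, 16), (20, 18, 2, 1)),    # "20.16.x before 20.18.2.1"
]

# Constructed sample inventory: hostname -> reported software version.
INVENTORY = {
    "vmanage-a.example": "20.9.8.2",
    "vmanage-b.example": "20.12.4",
    "vmanage-c.example": "20.10.1",
}


def parse(version):
    """Turn '20.12.4' into (20, 12, 4, 0); reject non-numeric strings."""
    parts = version.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {version!r}")
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (4 - len(nums)))  # pad short versions with 0


def triage(version):
    """Return (status, fixed_release_or_None) for one version string."""
    v = parse(version)
    for low, fixed in RANGES:
        if (low is None or v[:2] >= low) and v[:2] <= fixed[:2]:
            if v < fixed:
                return "vulnerable", ".".join(map(str, fixed))
            return "fixed", None
    return "unknown", None  # train not covered by the page's ranges


def report(inventory):
    """Map each host to its triage result; bad strings become 'unparseable'."""
    out = {}
    for host, version in inventory.items():
        try:
            out[host] = triage(version)
        except ValueError:
            out[host] = ("unparseable", None)
    return out
```

Hosts reported as unknown or unparseable need a manual check against Cisco's advisory.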