Cisco Confirms Active Exploitation of Two Catalyst SD-WAN Manager Vulnerabilities  Ravie Lakshmanan  Mar 05, 2026 Vulnerability / Enterprise Security Cisco has disclosed that two more vulnerabilities affecting Catalyst SD-WAN Manager (formerly SD-WAN vManage) have come under active exploitation in the wild. The vulnerabilities in question are listed below - CVE-2026-20122 (CVSS score: 7.1) - An arbitrary file overwrite vulnerability that could allow an authenticated, remote attacker to overwrite arbitrary files on the local file system. Successful exploitation requires the attacker to have valid read-only credentials with API access on the affected system. CVE-2026-20128 (CVSS score: 5.5) - An information disclosure vulnerability that could allow an authenticated, local attacker to gain Data Collection Agent (DCA) user privileges on an affected system. Successful exploitation requires the attacker to have valid vManage credentials on the affected system. Patches for the security defects, along with CVE-2026-20126, CVE-2026-20129, and CVE-2026-20133, were released by Cisco late last month in the following versions - Earlier than Version 20.91 - Migrate to a fixed release. Version 20.9 - Fixed in 20.9.8.2 Version 20.11 - Fixed in 20.12.6.1 Version 20.12 - Fixed in 20.12.5.3 and 20.12.6.1 Version 20.13 - Fixed in 20.15.4.2 Version 20.14 - Fixed in 20.15.4.2 Version 20.15 - Fixed in 20.15.4.2 Version 20.16 - Fixed in 20.18.2.1 Version 20.18 - Fixed in 20.18.2.1 "In March 2026, the Cisco PSIRT became aware of active exploitation of the vulnerabilities that are described in CVE-2026-20128 and CVE-2026-20122 only," the networking equipment major said. The company did not elaborate on the scale of the activity and who may be behind it. In light of active exploitation, users are recommended to update to a fixed software release as soon as possible, and take steps to limit access from unsecured networks, secure the appliances behind a firewall, disable HTTP for the Catalyst SD-WAN Manager web UI administrator portal, turn off network services like HTTP and FTP if not required, change the default administrator password, and monitor log traffic for any unexpected traffic to and from systems. The disclosure comes a week after the company said a critical security flaw in Cisco Catalyst SD-WAN Controller and Catalyst SD-WAN Manager ( CVE-2026-20127 , CVSS score: 10.0) has been exploited by a highly sophisticated cyber threat actor tracked as UAT-8616 to establish persistent footholds into high-value organizations. This week, Cisco also released updates to address two maximum-severity security vulnerabilities in Secure Firewall Management Center ( CVE-2026-20079 and CVE-2026-20131 , CVSS scores: 10.0) that could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary Java code as root on an affected device. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post. SHARE      Tweet  Share  Share  Share   Share on Facebook  Share on Twitter  Share on Linkedin  Share on Reddit  Share on Hacker News  Share on Email  Share on WhatsApp Share on Facebook Messenger  Share on Telegram SHARE  cisco , cybersecurity , enterprise security , exploitation , network security , privilege escalation , SD-WAN , Vulnerability Trending News Researchers Show Copilot and Grok Can Be Abused as Malware C2 Proxies ⚡ Weekly Recap: Double-Tap Skimmers, PromptSpy AI, 30Tbps DDoS, Docker Malware and More ThreatsDay Bulletin: Kali Linux + Claude, Chrome Crash Traps, WinRAR Flaws, LockBit and 15+ Stories Cisco SD-WAN Zero-Day CVE-2026-20127 Exploited Since 2023 for Admin Access Claude Code Flaws Allow Remote Code Execution and API Key Exfiltration Anthropic Says Chinese AI Firms Used 16 Million Claude Queries to Copy Model Anthropic Launches Claude Code Security for AI-Powered Vulnerability Scanning AI-Assisted Threat Actor Compromises 600+ FortiGate Devices in 55 Countries ClickFix Campaign Abuses Compromised Sites to Deploy MIMICRAT Malware Cline CLI 2.3.0 Supply Chain Attack Installed OpenClaw on Developer Systems PromptSpy Android Malware Abuses Gemini AI to Automate Recent-Apps Persistence Notepad++ Fixes Hijacked Update Mechanism Used to Deliver Targeted Malware Dell RecoverPoint for VMs Zero-Day CVE-2026-22769 Exploited Since Mid-2024 Citizen Lab Finds Cellebrite Tool Used on Kenyan Activist’s Phone in Police Custody Identity Prioritization isn't a Backlog Problem - It's a Risk Math Problem How Exposed Endpoints Increase Risk Across LLM Infrastructure Popular Resources 100+ Domains Multiply Attack Risk 6× - Download the CTEM Divide Research Boost SOC Efficiency with AI-Guided Triage — Download Investigator Overview Silent Residency Is the New Threat Model — Download the Red Report Exposed Cloud Training Apps Are Letting Hackers In — Download the Research