Cisco warns of two more SD-WAN bugs under active attack

Switchzilla says flaws could allow file overwrites or privilege escalation

Carly Page, Fri 6 Mar 2026 // 15:04 UTC

Just when network admins thought the Cisco SD-WAN patch queue might finally be shrinking, Switchzilla has confirmed miscreants are exploiting more vulnerabilities in its SD-WAN management software.

The newly abused flaws affect Cisco Catalyst SD-WAN Manager, the platform formerly known as vManage that sits at the center of many organizations' SD-WAN deployments.

One of the bugs, CVE-2026-20122, carries a CVSS score of 7.1 and allows an authenticated remote attacker to overwrite arbitrary files on the local filesystem. The second issue, CVE-2026-20128, is a lower-rated information disclosure flaw with a CVSS score of 5.5 that could allow an authenticated local attacker to gain Data Collection Agent (DCA) user privileges on an affected system.

In an advisory published this week, Cisco confirmed that attackers are already abusing the flaws: "In March 2026, the Cisco PSIRT became aware of active exploitation of the vulnerabilities that are described in CVE-2026-20128 and CVE-2026-20122 only."

As usual with these sorts of notices, Cisco offered little detail about how the flaws are being exploited or who is behind the attacks. The company also declined to say whether the activity is linked to a cyberbaddie it warned about just days earlier.

"Cisco strongly recommends that customers upgrade to a fixed software release to remediate these vulnerabilities," the company added.

The warning comes barely a week after governments from the Five Eyes intelligence alliance warned that attackers were actively targeting Cisco's Catalyst SD-WAN infrastructure using two different vulnerabilities.
One is CVE-2022-20775, a path traversal flaw affecting the SD-WAN command-line interface that can lead to privilege escalation, and the other is CVE-2026-20127, a maximum-severity authentication issue affecting the Catalyst SD-WAN Controller and Manager platforms.

At the time, Britain's National Cyber Security Centre said miscreants were compromising SD-WAN deployments used by organizations worldwide.

"Malicious cyber threat actors are targeting Cisco Catalyst SD-WAN used by organizations globally," the agency said. "These actors are compromising SD-WANs to add a malicious rogue peer and then conduct a range of follow-on actions to achieve root access and maintain persistent access to the SD-WAN."

According to Cisco Talos, exploitation of the latter has been linked to a group the company tracks as UAT-8616, which it describes as a "highly sophisticated cyber threat actor." Talos said available evidence suggests the bug may have been exploited since at least 2023, although it didn't attribute the activity to any particular country.

Whether the newly confirmed exploits are connected to that campaign remains unclear. Cisco said only that the two freshly disclosed vulnerabilities are currently being exploited, without providing indicators of compromise, attack details, or attribution.

For defenders running Cisco's SD-WAN gear, however, the list of bugs under active attack just got longer, and the patch window just got a little more urgent.
Cisco has confirmed active exploitation of two vulnerabilities in its Catalyst SD-WAN Manager: CVE-2026-20122 (CVSS 5.4) allows authenticated remote attackers to overwrite arbitrary files, and CVE-2026-20128 (CVSS 7.5) allows authenticated local attackers to escalate privileges to Data Collection Agent level. Affected versions are Cisco Catalyst SD-WAN Manager versions prior to 20.9.8.2, versions 20.11.x prior to 20.12.5.3, versions 20.13.x prior to 20.15.4.2, versions 20.16.x prior to 20.18.2.1, and version 20.12.6 specifically. Cisco strongly recommends upgrading to the fixed releases, which are 20.9.8.2, 20.12.5.3, 20.15.4.2, or 20.18.2.1, depending on the deployed version train.
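
A triage sketch for the version guidance above, added here as an example and not taken from Cisco or the article: it checks SD-WAN Manager version strings against the affected ranges as that paragraph words them and reports the fixed release for the matching train. The half-open range reading, the function names and the inventory hostnames are assumptions; 20.12.6 returns no target because the paragraph names no fixed release for it.

```python
import re

# (train lower bound, fixed release) as worded in the paragraph above.
# Assumed reading: affected when lower <= version < fixed.
TRAINS = [
    ((0,), (20, 9, 8, 2)),
    ((20, 11), (20, 12, 5, 3)),
    ((20, 13), (20, 15, 4, 2)),
    ((20, 16), (20, 18, 2, 1)),
]
# Listed as affected by itself; the paragraph names no fixed release for it.
SPECIFIC = [(20, 12, 6)]


def pad(v):
    """Pad a version tuple with zeros to four fields for comparison."""
    return v + (0,) * (4 - len(v))


def parse_version(text):
    """'20.12.5.3' -> (20, 12, 5, 3); returns None if malformed."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){1,3}", text):
        return None
    return pad(tuple(int(p) for p in text.split(".")))


def triage(version_text):
    """Return (status, target_release) for one version string."""
    v = parse_version(version_text)
    if v is None:
        return ("unparsed", None)       # never silently treat as fine
    if v in [pad(s) for s in SPECIFIC]:
        return ("affected", None)       # target must come from the advisory
    for lower, fixed in TRAINS:
        if pad(lower) <= v < pad(fixed):
            return ("affected", ".".join(map(str, fixed)))
    return ("not-listed", None)         # outside the ranges on this page


def needs_action(inventory):
    """Hosts whose version is affected or could not be parsed."""
    return sorted(h for h, ver in inventory.items()
                  if triage(ver)[0] != "not-listed")


# Constructed inventory (hypothetical hostnames and versions).
INVENTORY = {"mgr-a": "20.9.8.1", "mgr-b": "20.12.5.3", "mgr-c": "20.12.6",
             "mgr-d": "20.15.1", "mgr-e": "20.18.2.1", "mgr-f": "unknown"}

if __name__ == "__main__":
    for host in needs_action(INVENTORY):
        print(host, INVENTORY[host], *triage(INVENTORY[host]))
```

A "not-listed" result only means the version falls outside the ranges quoted on this page; confirm against the vendor advisory before closing a ticket.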