Protect.Computer

Cisco warns additional SD-WAN Manager flaws are actively exploited

What happened

Cisco says two additional Catalyst SD-WAN Manager vulnerabilities are now being actively exploited in attacks:

  • CVE-2026-20122 (high): arbitrary file overwrite
  • CVE-2026-20128 (medium): information disclosure

This follows earlier disclosure of exploitation tied to CVE-2026-20127, an authentication bypass issue affecting SD-WAN deployments.

Exploitation context

Catalyst SD-WAN Manager (formerly vManage) is a centralized control platform for large SD-WAN environments. Successful compromise can expose sensitive network-management functions and increase attacker reach inside enterprise networks.

According to updated reporting, exploitation activity has targeted real-world deployments, and government agencies have already issued urgent remediation direction related to SD-WAN risk.

Immediate actions for defenders

  1. Upgrade to fixed Cisco software releases without delay.
  2. Inventory internet-exposed SD-WAN management interfaces and limit access.
  3. Review authentication and API exposure, especially read-only accounts with API rights.
  4. Collect and retain forensic artifacts from SD-WAN controllers.
  5. Hunt for rogue peer/device indicators and unusual controller changes.

Bottom line

SD-WAN management infrastructure is now a repeatedly exploited target area. Treat this as an active intrusion risk and prioritize patching plus compromise assessment, not just routine vulnerability management.
