Cisco has issued an urgent update to its security advisory, warning that two vulnerabilities in the Cisco Catalyst SD-WAN Manager are now being actively exploited by hackers in the wild. The vulnerabilities, originally patched in late February, have transitioned from theoretical risks to active threats, prompting Cisco to “strongly recommend” immediate software upgrades.
The Catalyst SD-WAN Manager (formerly vManage) is the central orchestration hub for Cisco’s software-defined networking solutions, making it a high-value target for attackers looking to compromise corporate wide-area networks.
While the original advisory covered multiple bugs, Cisco’s PSIRT confirmed that active exploitation is currently limited to the following two flaws:
- CVE-2026-20122: Arbitrary File Overwrite (CVSS 7.1)
  This vulnerability exists in the API of the SD-WAN Manager due to “improper file handling.” An authenticated attacker with read-only API credentials can upload a malicious file to the local file system. This allows the attacker to overwrite arbitrary files on the system, which can be leveraged to gain vmanage user privileges, effectively escalating their control over the orchestration platform.
- CVE-2026-20128: Information Disclosure (CVSS 5.5)
  This flaw resides in the Data Collection Agent (DCA) feature. A local attacker with valid vmanage credentials can access a plaintext credential file stored on the system. By reading this file, an attacker gains the password for the DCA user. As the advisory notes, “A successful exploit could allow the attacker to access another affected system and gain DCA user privileges”, facilitating lateral movement across the SD-WAN fabric.
Cisco has provided a clear path for remediation, noting that SD-WAN Manager releases 20.18 and later are naturally immune to the Information Disclosure flaw (CVE-2026-20128). However, for earlier versions, the “First Fixed” releases are as follows:
| Cisco Catalyst SD-WAN Manager Release | First Fixed Release |
|---|---|
| Earlier than 20.9 | Migrate to a fixed release. |
| 20.9 | 20.9.8.2 |
| 20.11 | 20.12.6.1 |
| 20.12 | 20.12.5.3, 20.12.6.1 |
| 20.13 | 20.15.4.2 |
| 20.14 | 20.15.4.2 |
| 20.15 | 20.15.4.2 |
| 20.16 | 20.18.2.1 |
| 20.18 | 20.18.2.1 |
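
To triage a fleet against the table above, the following added example (not Cisco's code or part of the original report) maps a running release string to "fixed", "upgrade", "migrate" or "unlisted". The function names and the sample inventory are constructed, and the handling of the 20.12 row assumes each listed fix is the first fixed build of its own maintenance branch.

```python
import re

# First-fixed releases transcribed from the advisory table above, keyed by release train.
FIRST_FIXED = {
    "20.9": ["20.9.8.2"],
    "20.11": ["20.12.6.1"],
    "20.12": ["20.12.5.3", "20.12.6.1"],
    "20.13": ["20.15.4.2"],
    "20.14": ["20.15.4.2"],
    "20.15": ["20.15.4.2"],
    "20.16": ["20.18.2.1"],
    "20.18": ["20.18.2.1"],
}

def parse(release):
    """Turn '20.12.5.3' into (20, 12, 5, 3), zero-padding short strings."""
    if not re.fullmatch(r"\d+(\.\d+){1,3}", release):
        raise ValueError(f"unrecognised release string: {release!r}")
    parts = tuple(int(p) for p in release.split("."))
    return parts + (0,) * (4 - len(parts))

def triage(release):
    """Return (status, target): status is fixed, upgrade, migrate or unlisted."""
    v = parse(release)
    if v[:2] < (20, 9):
        return ("migrate", None)          # table row "Earlier than 20.9"
    fixes = FIRST_FIXED.get(f"{v[0]}.{v[1]}")
    if fixes is None:
        return ("unlisted", None)         # train absent from the table
    fixes = sorted(parse(f) for f in fixes)
    # Assumption: when a row lists two fixes, each one is the first fixed
    # build of its own maintenance branch (first three fields).
    candidates = [f for f in fixes if f[:3] == v[:3]] or fixes
    if any(v >= f for f in candidates):
        return ("fixed", None)
    target = min(f for f in candidates if f > v)
    return ("upgrade", ".".join(map(str, target)))

if __name__ == "__main__":
    # Constructed inventory, not real hosts.
    inventory = {"mgr-a": "20.9.8.1", "mgr-b": "20.12.6.0",
                 "mgr-c": "20.15.4.2", "mgr-d": "20.6.3"}
    for host, release in inventory.items():
        print(host, release, *triage(release))
```

A release that returns "unlisted" belongs to a train the table does not cover and should be checked against the advisory directly.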