Cisco SD-WAN Security Flaws Exposed: New Vulnerabilities Exploited in Attacks


Cisco Warns of Actively Exploited SD-WAN Flaws, Urges Immediate Updates

Cisco has identified two security vulnerabilities in its Catalyst SD-WAN Manager software that are being exploited in the wild, and is advising administrators to upgrade to fixed releases without delay.

High-Severity Arbitrary File Overwrite Flaw and Medium-Severity Information Disclosure Vulnerability

The two vulnerabilities are a high-severity arbitrary file overwrite flaw (CVE-2026-20122) and a medium-severity information disclosure vulnerability (CVE-2026-20128). The former can be exploited by remote attackers who hold valid read-only credentials and API access; the latter requires a local attacker with valid vManage credentials on the targeted system. Neither is reachable by an unauthenticated attacker, so limiting who holds Manager accounts, and auditing existing ones, reduces exposure while patching is scheduled.

Cisco states that the vulnerabilities affect Catalyst SD-WAN Manager software regardless of device configuration: no particular setup is needed for exploitation, so a non-default configuration is not a mitigation.

Related Vulnerability: Critical Authentication Bypass Vulnerability

The disclosure comes on the heels of a critical authentication bypass vulnerability (CVE-2026-20127) that was tagged as exploited in zero-day attacks. According to the advisories, sophisticated threat actors have exploited it since at least 2023 to compromise controllers and add rogue peers to targeted networks. Those rogue peers appear to the fabric as legitimate devices, giving attackers a trusted foothold from which to move deeper into compromised networks.

Exploitation of CVE-2026-20127 has been described in advisories released by Cisco and by U.S. and UK authorities. The Cybersecurity and Infrastructure Security Agency (CISA) has also issued Emergency Directive 26-03, which requires federal agencies to inventory their Cisco SD-WAN systems, collect forensic artifacts, apply updates, and investigate potential compromises tied to exploitation of CVE-2026-20127.
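Because the reported attack technique is adding rogue peers, the inventory step above is also a detection opportunity: a Manager's device list can be reconciled against an out-of-band baseline of the controllers and edges the network team actually deployed. The following is an added example, not Cisco's code and not a procedure from any advisory. It assumes a JSON document in the shape of the `data` array returned by the Manager REST API's device listing (`GET /dataservice/system/device/controllers` and `.../vedges`); the endpoint and the field names `deviceType`, `system-ip`, `serialNumber` and `host-name` are assumptions to verify against your own export. The baseline and the sample inventory are constructed.

```python
"""Reconcile an SD-WAN Manager device inventory against an expected baseline.

Added example, not Cisco's code. Endpoint and field names are assumptions;
all device data below is constructed for illustration.
"""
import json

# Baseline of devices the network team expects to see, keyed by system IP.
# In practice this comes from change records or a CMDB, not from the Manager
# itself, so that a compromised Manager cannot vouch for its own peers.
EXPECTED = {
    "10.1.1.1": {"serial": "C1-0001", "type": "vmanage"},
    "10.1.1.2": {"serial": "C2-0002", "type": "vsmart"},
    "10.1.1.3": {"serial": "C3-0003", "type": "vbond"},
    "10.2.0.10": {"serial": "E1-0010", "type": "vedge"},
    "10.2.0.11": {"serial": "E1-0011", "type": "vedge"},
}

# Constructed sample in the assumed shape of the API's `data` array. It holds
# one vSmart the baseline does not know about, one edge whose serial differs
# from the baseline, and it omits one expected edge.
SAMPLE_INVENTORY = json.dumps({"data": [
    {"deviceType": "vmanage", "system-ip": "10.1.1.1",
     "serialNumber": "C1-0001", "host-name": "mgr1"},
    {"deviceType": "vsmart", "system-ip": "10.1.1.2",
     "serialNumber": "C2-0002", "host-name": "smart1"},
    {"deviceType": "vbond", "system-ip": "10.1.1.3",
     "serialNumber": "C3-0003", "host-name": "bond1"},
    {"deviceType": "vsmart", "system-ip": "10.1.1.9",
     "serialNumber": "ZZ-9999", "host-name": "smart2"},
    {"deviceType": "vedge", "system-ip": "10.2.0.10",
     "serialNumber": "E1-0099", "host-name": "edge10"},
]})

CONTROLLER_TYPES = {"vmanage", "vsmart", "vbond"}


def reconcile(inventory_json, expected):
    """Compare an inventory export with the baseline.

    Returns a dict with three lists:
      unexpected      - (system-ip, deviceType, serial) not in the baseline
      serial_mismatch - (system-ip, expected serial, observed serial)
      missing         - baseline system IPs absent from the export
    """
    findings = {"unexpected": [], "serial_mismatch": [], "missing": []}
    seen = set()
    for dev in json.loads(inventory_json)["data"]:
        ip = dev.get("system-ip")
        serial = dev.get("serialNumber")
        seen.add(ip)
        base = expected.get(ip)
        if base is None:
            findings["unexpected"].append((ip, dev.get("deviceType"), serial))
        elif base["serial"] != serial:
            # Same system IP but a different serial: a device was swapped or
            # a rogue device is impersonating a known peer.
            findings["serial_mismatch"].append((ip, base["serial"], serial))
    findings["missing"] = [ip for ip in expected if ip not in seen]
    return findings


def rogue_controllers(findings):
    """Subset of unexpected devices that are controllers; these are the
    peers most likely to be used for the kind of network foothold described
    in the advisories and warrant immediate investigation."""
    return [d for d in findings["unexpected"] if d[1] in CONTROLLER_TYPES]


if __name__ == "__main__":
    result = reconcile(SAMPLE_INVENTORY, EXPECTED)
    for category, items in result.items():
        for item in items:
            print(f"{category}: {item}")
    for ip, _, serial in rogue_controllers(result):
        print(f"ROGUE CONTROLLER CANDIDATE: {ip} (serial {serial})")
```

Two caveats when using this against real systems. First, an attacker who has already compromised the Manager can influence what its API returns, so the baseline must come from somewhere the Manager cannot rewrite, and a clean reconciliation is not proof of a clean network. Second, a serial that changes for a known system IP deserves the same attention as a wholly unknown device, since the legitimate replacement of hardware and the insertion of an impersonating peer look identical in this view; resolve it against change records rather than assuming either.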

Additional Vulnerabilities in Secure Firewall Management Center Software

Cisco has also recently released security updates for two maximum-severity vulnerabilities in its Secure Firewall Management Center (FMC) software. The first, an authentication bypass flaw (CVE-2026-20079), lets an unauthenticated remote attacker gain root access to the underlying operating system. The second, a remote code execution vulnerability (CVE-2026-20131), lets an unauthenticated remote attacker execute arbitrary Java code as root on unpatched devices.

Administrators are advised to upgrade FMC as well. These vulnerabilities, too, can be exploited regardless of device configuration, and a successful attack hands the attacker root on the appliance that manages the organization's firewalls.


