SOCRadar® Cyber Intelligence Inc. | Cisco Catalyst SD-WAN Manager (CVE-2026-20122 & CVE-2026-20128) Flaws Exploited
Mar 06, 2026
Moon

Cisco has confirmed active exploitation targeting two vulnerabilities in Cisco Catalyst SD-WAN Manager (formerly vManage), tracked as CVE-2026-20122 and CVE-2026-20128.

Cisco PSIRT updated its advisory on March 5, 2026, explicitly noting exploitation in the wild, which immediately changes how defenders should prioritize remediation. Public detail on the exact attack chain remains limited, although third-party observations point to high-volume exploitation attempts and web shell activity.

This post explains what these CVEs are, which versions are affected, what exploitation likely looks like in real environments, and what defenders should do right now to reduce risk.

What Are CVE-2026-20122 & CVE-2026-20128?

CVE-2026-20122 (CVSS 5.4) is an arbitrary file overwrite vulnerability in the Cisco Catalyst SD-WAN Manager (vManage) API, caused by improper file handling. The important constraint is that it is not a “spray the internet” unauthenticated bug by itself, since it requires authentication and API access.

Details of CVE-2026-20122 (SOCRadar Vulnerability Intelligence)

CVE-2026-20128 (CVSS 7.5) is a credential exposure issue tied to the Data Collection Agent (DCA) feature. A credential file can exist on disk in a way that allows a sufficiently positioned attacker to disclose DCA credentials and then use them to authenticate elsewhere, potentially enabling lateral movement between SD-WAN Manager deployments.

Details of CVE-2026-20128 (SOCRadar Vulnerability Intelligence)

While Cisco has not publicly shared detailed end-to-end attack chain specifics (for example, full TTPs or a robust IOC pack), third-party reporting has indicated observed exploitation attempts from numerous unique IP addresses and claims of web shell deployment, including a notable activity spike on March 4, 2026.

SOCRadar CTI module, Vulnerability Intelligence

Newly exploited vulnerabilities can quickly turn into real operational risks, especially when organizations are unsure whether vulnerable systems exist within their environment.

SOCRadar’s Cyber Threat Intelligence (CTI) and Attack Surface Management (ASM) modules help security teams monitor emerging exploitation activity while identifying exposed assets across their external attack surface. By correlating threat intelligence with real asset visibility, defenders can quickly determine whether vulnerable devices or services are reachable from the internet.

Which Cisco Catalyst SD-WAN Manager Versions Are Affected?

Both vulnerabilities affect Cisco Catalyst SD-WAN Manager. The practical takeaway is that you need to map your deployment to its version “train” and then upgrade to the first fixed release for that train.

Cisco’s published “first fixed releases” guidance (as summarized in public reporting) is:

  • Earlier than 20.9: migrate to a fixed release (no in-train fix listed)
  • 20.9: upgrade to 20.9.8.2
  • 20.11: upgrade to 20.12.6.1
  • 20.12: upgrade to 20.12.5.3 (or 20.12.6.1)
  • 20.13 / 20.14 / 20.15: upgrade to 20.15.4.2
  • 20.16 / 20.18: upgrade to 20.18.2.1

One notable scoping detail: 20.18 and later are stated as not affected for CVE-2026-20128 in Cisco’s advisory text, which matters if you are prioritizing remediation within mixed-version environments.
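As an added example (not code from SOCRadar or Cisco), a Python helper that applies the train-to-first-fixed-release table above, together with the 20.18-and-later scoping note for CVE-2026-20128, to an installed version string; the table is transcribed from this post and the version strings are constructed. Rather than guessing, it reports "verify" for a maintenance branch the table does not list and "unknown" for a train the post does not cover.

```python
# Added example, not SOCRadar's or Cisco's code: triage an SD-WAN Manager version
# against the first-fixed-release table quoted above (table transcribed from the post).
from dataclasses import dataclass

FIRST_FIXED = {  # train -> first fixed release(s), as summarized in the post
    "20.9": ["20.9.8.2"],
    "20.11": ["20.12.6.1"],
    "20.12": ["20.12.5.3", "20.12.6.1"],
    "20.13": ["20.15.4.2"], "20.14": ["20.15.4.2"], "20.15": ["20.15.4.2"],
    "20.16": ["20.18.2.1"], "20.18": ["20.18.2.1"],
}

@dataclass
class Triage:
    version: str
    train: str
    cve_2026_20122: str  # affected / fixed / verify / unknown
    cve_2026_20128: str  # same values, plus "not affected" for 20.18 and later
    action: str

def parse_version(s: str) -> tuple:
    """'20.12.5' -> (20, 12, 5, 0): pad to four components so tuples compare."""
    parts = tuple(int(p) for p in s.strip().split("."))
    if not 2 <= len(parts) <= 4:
        raise ValueError(f"unexpected version format: {s!r}")
    return parts + (0,) * (4 - len(parts))

def triage(version: str) -> Triage:
    v = parse_version(version)
    train = f"{v[0]}.{v[1]}"
    exempt_20128 = v[:2] >= (20, 18)  # post: 20.18+ not affected by CVE-2026-20128
    if v[:2] < (20, 9):
        return Triage(version, train, "affected", "affected",
                      "migrate to a fixed release (no in-train fix listed)")
    fixes = FIRST_FIXED.get(train)
    if fixes is None:
        return Triage(version, train, "unknown", "not affected" if exempt_20128 else "unknown",
                      "train not in the post's table; check Cisco's advisory")
    fixed = [parse_version(f) for f in fixes]
    # Trust only a version on a listed fixed branch (same first three components);
    # a newer branch the post does not list is flagged for manual verification.
    same_branch = [f for f in fixed if v[:3] == f[:3]]
    if same_branch:
        state = "fixed" if v >= same_branch[0] else "affected"
    elif v < min(fixed):
        state = "affected"
    else:
        state = "verify"
    action = "none" if state == "fixed" else "upgrade to " + " or ".join(fixes)
    return Triage(version, train, state, "not affected" if exempt_20128 else state, action)
```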

How Does Exploitation Work In Practice For These CVEs?

For CVE-2026-20122, the key prerequisite is authenticated remote access with valid read-only credentials that include API access. In isolation, that sounds limiting, but operationally it maps to common intrusion paths: password reuse, credential stuffing, phishing, harvested credentials from another foothold, or weak access controls around management accounts.

Once an attacker has that access, an arbitrary file overwrite primitive can become a stepping stone to privilege gain within the appliance context, including the potential to obtain vmanage user privileges. Defenders should also assume attackers will try to convert file overwrite capability into persistence, especially if they can place or modify files used by services.

For CVE-2026-20128, the prerequisite is different: an attacker needs valid vManage credentials plus local filesystem access as a low-privileged user. That typically implies the attacker already has some level of foothold. If they can read the DCA password file, they can reuse those credentials to access another affected system, potentially enabling cross-instance movement in environments where SD-WAN management planes are deployed in multiple places.

What Should Defenders Do Right Now?

Start with actions that reduce time-to-safety and limit attack surface.

Patch First, Since There Are No Workarounds

Cisco’s guidance indicates no workarounds for these issues. That makes patching the primary control, not a “nice to have.” Upgrade to the fixed release for your train as soon as operationally possible.

Reduce Exposure While Patching Is In Progress

If you cannot patch immediately, prioritize exposure reduction steps that make exploitation harder:

  • Put SD-WAN Manager management interfaces behind VPN or strict firewall allowlists
  • Ensure the management/API plane is not reachable from untrusted networks
  • Disable HTTP for the admin portal and enforce HTTPS-only
  • Disable unnecessary services such as HTTP/FTP if they are not required in your environment
  • Rotate and harden admin credentials, with a focus on preventing abuse of “low privilege” accounts that still have API reach

Treat Internet-Exposed Instances As Potentially Compromised

Given the reports of exploitation and web shell behavior, any internet-exposed or broadly reachable SD-WAN Manager should be treated as suspect until proven clean. Plan for log review, outbound traffic analysis, and integrity checks around web and API-facing components.