Full Report
Cisco has disclosed that two more vulnerabilities affecting Catalyst SD-WAN Manager (formerly SD-WAN vManage) have come under active exploitation in the wild. The vulnerabilities in question are listed below:
- CVE-2026-20122 (CVSS score: 7.1): An arbitrary file overwrite vulnerability that could allow an authenticated, remote attacker to overwrite arbitrary files on the local file system.
Analysis Summary
# Vulnerability: Cisco Catalyst SD-WAN Manager Active Exploitation
## CVE Details
- **CVE ID:** CVE-2026-20122 (Arbitrary File Overwrite) and CVE-2026-20128 (Privilege Escalation)
- **CVSS Score:**
  - CVE-2026-20122: 7.1 (High)
  - CVE-2026-20128: 5.5 (Medium)
- **CWE:** Not specifically listed in source (typically CWE-73 for file overwrite and CWE-269 for privilege escalation)
## Affected Systems
- **Products:** Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage)
- **Versions:**
  - Earlier than Version 20.9.1
  - Version 20.9
  - Version 20.11
  - Version 20.12
  - Version 20.13
  - Version 20.14
  - Version 20.15
  - Version 20.16
  - Version 20.18
- **Configurations:**
  - For CVE-2026-20122: Attacker requires valid read-only credentials with API access.
  - For CVE-2026-20128: Attacker requires valid vManage credentials.
## Vulnerability Description
**CVE-2026-20122:** An arbitrary file overwrite flaw. A remote authenticated attacker can exploit this to overwrite critical files on the local file system of the SD-WAN Manager.
**CVE-2026-20128:** A privilege escalation flaw. A local authenticated attacker can exploit this to elevate their user permissions to Data Collection Agent (DCA) level privileges on the affected system.
## Exploitation
- **Status:** Exploited in the wild (Confirmed by Cisco PSIRT as of March 2026)
- **Complexity:** Medium (Requires valid authentication)
- **Attack Vector:**
  - CVE-2026-20122: Network (Remote)
  - CVE-2026-20128: Local
## Impact
- **Confidentiality:** Medium to High (Privilege escalation and potential system access)
- **Integrity:** High (Ability to overwrite system and application files)
- **Availability:** High (File overwrites can lead to system instability or denial of service)
## Remediation
### Patches
Cisco recommends migrating to the following fixed versions:
* **Versions < 20.9.1:** Migrate to a fixed release
* **Version 20.9:** Fixed in 20.9.8.2
* **Version 20.11:** Fixed in 20.12.6.1
* **Version 20.12:** Fixed in 20.12.5.3 or 20.12.6.1
* **Version 20.13, 20.14, 20.15:** Fixed in 20.15.4.2
* **Version 20.16, 20.18:** Fixed in 20.18.2.1
### Workarounds
* Limit access to the Manager from unsecured networks.
* Place appliances behind a robust firewall.
* Disable HTTP for the web UI administrator portal.
* Disable unnecessary network services (e.g., HTTP and FTP).
* Enforce immediate changes to default administrator passwords.
## Detection
- **Indicators of Compromise:** No specific indicators are listed in the source. Monitor for unexpected traffic to or from Catalyst SD-WAN Manager systems.
- **Detection Methods:** Audit system logs for unauthorized API calls or unexpected file system changes. Review user privilege assignment logs for unauthorized transitions to the DCA user role.
## References
- Cisco Security Advisory: hxxps[://]sec[.]cloudapps[.]cisco[.]com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-authbp-qwCX8D4v
- The Hacker News Article: hxxps[://]thehackernews[.]com/2026/03/cisco-confirms-active-exploitation-of.html