Cisco has disclosed five vulnerabilities in Catalyst SD-WAN Manager, two of which are being actively exploited. The most severe carries a CVSS score of 9.8 and allows unauthenticated remote attackers to bypass authentication entirely. No workarounds exist beyond patching. Cisco strongly urges all affected customers to upgrade to a fixed software release immediately.
Cisco published the security advisory on February 25, but updated it today. It details five vulnerabilities in Catalyst SD-WAN Manager. The flaws range in severity from medium to critical, collectively allowing attackers to bypass authentication, escalate privileges to root, access sensitive information, and overwrite arbitrary files. All versions are affected regardless of device configuration.
This month, Cisco PSIRT confirmed active exploitation of two of the five flaws. These are CVE-2026-20128 and CVE-2026-20122. The other three CVEs in this advisory have not been observed in active campaigns. All five were discovered during internal security testing by Arthur Vidineyev of Cisco’s Advanced Security Initiatives Group.
Five vulnerabilities, one critical
The most severe flaw is CVE-2026-20129, an authentication bypass with a CVSS score of 9.8. An unauthenticated remote attacker can send a crafted API request to gain access with netadmin role privileges, no valid credentials required. Versions 20.18 and later are not affected by this particular CVE.
CVE-2026-20126 (CVSS 7.8) allows a local attacker with low privileges to escalate to root via the REST API. CVE-2026-20133 (CVSS 7.5) lets an unauthenticated remote attacker read sensitive files through insufficient filesystem access restrictions. CVE-2026-20122 (CVSS 7.1) enables an authenticated attacker with read-only API access to overwrite arbitrary files and gain vmanage user privileges. CVE-2026-20128 (CVSS 5.5) exposes a stored DCA credential file that a low-privileged local user can read to access another system.
Active exploitation and patching
Cisco’s SD-WAN platform is clearly an active target. As noted late last month, threat actor group UAT-8616 has exploited Cisco Catalyst SD-WAN authentication weaknesses since at least 2023, compromising controllers and adding rogue peers to networks. The Cisco Talos team documented this campaign in detail.
To reiterate: no workarounds exist for any of the five vulnerabilities. Fixed releases include 20.9.8.2, 20.12.5.3, 20.15.4.2, and 20.18.2.1. Organizations on versions older than 20.9 must migrate entirely. Cisco also advises placing control components behind a firewall, restricting access from unsecured networks, and monitoring logs for suspicious activity.