According to Cisco PSIRT, two vulnerabilities in Cisco Catalyst SD-WAN Manager (vManage), CVE-2026-20122 and CVE-2026-20128, are being actively exploited. CVE-2026-20122 is an arbitrary file overwrite flaw in the vManage API that requires authentication and API access, while CVE-2026-20128 is a credential exposure issue tied to the Data Collection Agent (DCA) feature that could enable lateral movement if DCA credentials are obtained.
Third‑party reporting has noted exploitation attempts from numerous unique IPs and claims of web shell deployment, with a notable activity spike on 4 March 2026. Cisco has published fixed releases for each affected train, and the practical advice is to upgrade to the first fixed release for your version train, as there are no workarounds.
Defenders should patch promptly, reduce exposure by restricting management interfaces to VPN access or allowlists, and treat internet‑exposed instances as potentially compromised while monitoring web and API activity.