CISCO warns that two recently patched Catalyst SD-WAN flaws, CVE-2026-20128 and CVE-2026-20122, are already being actively exploited in the wild. According to CISCO, multiple vulnerabilities in Cisco Catalyst SD-WAN Manager could allow an attacker to access an affected system, elevate privileges to root, gain access to sensitive information, and overwrite arbitrary files.
Cisco released security patches on 25 February for five Catalyst SD-WAN vulnerabilities, including fixes for critical and high-severity flaws, and on 5 March updated its advisory to note that the two CVEs are already being exploited. The flaw CVE-2026-20128 affects the Data Collection Agent feature, letting a local authenticated attacker gain DCA privileges, while CVE-2026-20122 allows a remote authenticated attacker to overwrite arbitrary files via the SD-WAN Manager API and escalate privileges.
Cisco Talos tracks the exploitation under the name UAT-8616, with investigators noting activity dating back to at least 2023 and describing the actor as highly sophisticated. The firm is urging customers to upgrade to patched software releases such as 20.9.8[.]2, 20.12.5[.]3, 20.12.6[.]1, 20.15.4[.]2, and 20.18.2[.]1.