www.darkreading.com 3/13/2026, 8:15:49 PM

Fake PoCs, Misunderstood Risks Cause Cisco SD-WAN Chaos

Of the half a dozen new SD-WAN Manager vulnerabilities that Cisco publicly disclosed on 25 February 2026, at least three have been exploited in the wild, including CVE-2026-20127, which carries a CVSS score of 10. VulnCheck researchers highlighted that public PoCs for this issue have been a mixed bag: some fake, some misleading, and all confusing for organisations trying to prioritise patching.

They also flagged CVE-2026-20133 as another serious but less-discussed vulnerability: an information-disclosure flaw that could expose private keys and secrets, potentially allowing configuration changes or traffic manipulation. Public PoCs appeared not long after Cisco’s advisory. According to VulnCheck, one notable PoC reportedly works, but not against the vulnerability it claims to exploit; instead it chains CVE-2026-20128, CVE-2026-20133 and CVE-2026-20122.

The first verifiable PoC for CVE-2026-20127 arrived on 11 March 2026 courtesy of a Rapid7 researcher, and VulnCheck expects real exploitation attempts to ramp up in the wild. Nate Nelson, contributing writer for Dark Reading, notes that researchers still play a critical role in validating exploitability, even as organisations struggle to prioritise a growing backlog of bugs.

Article by CyberSIXT