thehackernews.com 3/5/2026, 4:42:56 PM · via preferred

Cisco warns CVE-2026-20122 and CVE-2026-20128 exploited in SD-WAN

CyberSIXT Evidence Panel
CISA KEV: Listed in KEV
Patch: Patch Available

Cisco has disclosed that two more vulnerabilities affecting Catalyst SD-WAN Manager (formerly SD-WAN vManage), CVE-2026-20122 and CVE-2026-20128, are under active exploitation in the wild. They carry CVSS scores of 7.1 and 5.5, respectively. The flaws allow an authenticated attacker to overwrite arbitrary files on the local file system (CVE-2026-20122) and to gain Data Collection Agent user privileges (CVE-2026-20128). Patches were released in late February, alongside fixes for other CVEs, in multiple fixed versions.

According to Cisco PSIRT, CVE-2026-20128 and CVE-2026-20122 were being actively exploited in March 2026, though Cisco did not reveal the scale of the activity or which actors might be involved.

Cisco urges users to update to a fixed software release as soon as possible and to limit access from unsecured networks, secure appliances behind a firewall, disable HTTP for the Catalyst SD-WAN Manager web UI, turn off unneeded services such as HTTP and FTP, change the default administrator password, and monitor log traffic for unusual activity. This disclosure comes a week after Cisco warned that CVE-2026-20127 was exploited by a threat actor tracked as UAT-8616 to establish footholds in high-value organisations.


Article by CyberSIXT