www.securityweek.com 3/5/2026, 12:29:25 PM

Catalyst SD-WAN flaws CVE-2026-20128 exploited, Cisco warns

Cisco warns that two recently patched Catalyst SD-WAN vulnerabilities are being exploited in the wild. Patches are already available for five Catalyst SD-WAN flaws. According to Cisco, CVE-2026-20128 is an information-disclosure issue in the Data Collection Agent (DCA) feature that could let an authenticated local attacker gain DCA user privileges, while CVE-2026-20122 is an arbitrary file overwrite bug in the API that allows a remote, authenticated attacker to overwrite files and gain elevated privileges.

The company updated its advisory on 5 March 2026 to note active exploitation of these two flaws. It had previously flagged a separate critical zero-day, CVE-2026-20127, exploited in the wild to bypass authentication and obtain admin privileges; CISA and others have noted that it has been chained with CVE-2022-20775.

Security researchers have linked some of these campaigns to UAT-8616, a threat actor active since at least 2023, while zero-day attacks by a China-linked APT tracked as UAT-9686 have also been reported. It remains unclear whether all of the Catalyst SD-WAN vulnerabilities are being exploited in the same campaign.

Article by CyberSIXT