Critical Cisco SD-WAN Flaws Under Active Exploitation
Executive Summary
Multiple high-impact vulnerabilities have been disclosed in Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage. These vulnerabilities expose affected systems to a range of attacks, including unauthenticated remote access, privilege escalation to root, and sensitive information disclosure. The most severe vulnerability, CVE-2026-20129, carries a CVSS 9.8 (Critical) rating.
The Cisco Product Security Incident Response Team (PSIRT) has confirmed active exploitation of two vulnerabilities, CVE-2026-20122 and CVE-2026-20128, in the wild as of March 2026. Given the severity and active threat, immediate remediation is imperative. There are no workarounds; upgrading to a patched software version is the only effective mitigation.
Key Findings
CVE-2026-20129: Critical Authentication Bypass (CVSS 9.8)
A critical vulnerability exists in the API user authentication mechanism. An unauthenticated, remote attacker can exploit this by sending a crafted request to the API. A successful exploit grants the adversary access with the privileges of the netadmin role, allowing for significant control over the affected system. Releases 20.18 and later are not affected by this specific CVE.
CVE-2026-20126: High-Severity Privilege Escalation (CVSS 7.8)
An authenticated, local attacker with low privileges can escalate to root on the underlying operating system. This is due to an insufficient user authentication mechanism in the REST API. A successful exploit grants the attacker complete control over the device.
CVE-2026-20133: High-Severity Information Disclosure (CVSS 7.5)
An unauthenticated, remote attacker can access the API to view sensitive information on the underlying operating system. The vulnerability is caused by insufficient file system access restrictions, allowing an adversary to exfiltrate potentially critical data without prior access.
CVE-2026-20122: Arbitrary File Overwrite (CVSS 7.1) - ACTIVELY EXPLOITED
An authenticated attacker with valid read-only credentials can overwrite arbitrary files by uploading a malicious file via the API. This can be leveraged to gain vmanage user privileges. This vulnerability is confirmed to be under active exploitation.
CVE-2026-20128: Information Disclosure (CVSS 5.5) - ACTIVELY EXPLOITED
An authenticated, local attacker can access a credential file for the Data Collection Agent (DCA) user. This allows the attacker to gain DCA user privileges on other affected systems. This vulnerability is also confirmed to be under active exploitation.
Impact Analysis
Threat Vector
The primary attack vector is the API interface of the Cisco Catalyst SD-WAN Manager. Adversaries can be unauthenticated and remote for the most critical vulnerabilities, significantly widening the potential attack surface. Other vectors require local access, indicating a threat from post-compromise lateral movement or insider threats.
Systemic Risk
Successful exploitation can lead to a complete compromise of the SD-WAN management plane. An attacker could achieve full system control with root privileges, bypass all authentication controls, exfiltrate sensitive configuration data, and overwrite system files. This would result in a total loss of confidentiality, integrity, and availability for the SD-WAN fabric.
Mitigation
Immediate Patching Required
Cisco has stated there are no workarounds that address these vulnerabilities. Administrators must upgrade to a fixed software release immediately. Cisco has provided fixed versions for all affected release trains.
Example Fixed Releases:
- Customers on release 20.9 must upgrade to 20.9.8.2.
- Customers on release 20.12 must upgrade to 20.12.5.3 or 20.12.6.1.
- Customers on release 20.15 must upgrade to 20.15.4.2.
- Customers on release 20.18 must upgrade to 20.18.2.1.
Refer to the official Cisco advisory cisco-sa-sdwan-authbp-qwCX8D4v for the complete list of affected and fixed software releases.
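As an added example that is not part of the advisory or Cisco's own tooling, the following Python script checks an inventory of SD-WAN Manager version strings against the fixed releases listed above. It only knows the four release trains this summary names (the hostnames and versions in the sample inventory are constructed) and reports anything outside them as a case for the full advisory.

```python
# Classify Cisco Catalyst SD-WAN Manager versions against the fixed releases
# named above; the full affected/fixed list is in cisco-sa-sdwan-authbp-qwCX8D4v.

# Release train (major, minor) -> fixed releases listed on the page.
FIXED_RELEASES = {
    (20, 9): ("20.9.8.2",),
    (20, 12): ("20.12.5.3", "20.12.6.1"),
    (20, 15): ("20.15.4.2",),
    (20, 18): ("20.18.2.1",),
}


def parse_version(text):
    """'20.12.6.0' -> (20, 12, 6, 0); rejects anything but dotted digits."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def assess(version):
    """Return (status, fixed_release): 'fixed', 'vulnerable' or
    'check_advisory' (train or branch not covered by the table above).
    Comparison is per maintenance branch (first three components) because
    20.12.6.0 is numerically above 20.12.5.3 yet below its own fix, 20.12.6.1."""
    v = parse_version(version)
    fixed = FIXED_RELEASES.get(v[:2])
    if fixed is None:
        return "check_advisory", None
    fixes = sorted(parse_version(f) for f in fixed)
    for f in fixes:
        if v[:3] == f[:3]:  # same maintenance branch as a listed fix
            return ("fixed" if v >= f else "vulnerable"), ".".join(map(str, f))
    if v < fixes[0]:  # older than every listed fix in this train
        return "vulnerable", ".".join(map(str, fixes[0]))
    return "check_advisory", None


def triage(inventory):
    """{hostname: version} -> {hostname: (status, fix)} for hosts not confirmed fixed."""
    results = {h: assess(ver) for h, ver in sorted(inventory.items())}
    return {h: r for h, r in results.items() if r[0] != "fixed"}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts or observed versions.
    sample = {"mgr-a": "20.12.6.0", "mgr-b": "20.9.8.2",
              "mgr-c": "20.15.3.1", "mgr-d": "20.6.5.2"}
    for host, (status, fix) in triage(sample).items():
        print(f"{host}: {status}" + (f", upgrade to {fix}" if fix else ""))
```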
Hardening Recommendations
While upgrading is the only fix for these vulnerabilities, organizations should also apply the following hardening practices recommended by Cisco:
- Restrict network access to the SD-WAN Manager from untrusted networks like the internet.
- Utilize a firewall to filter traffic, allowing only known, trusted hosts.
- Disable non-essential network services such as HTTP and FTP.
- Monitor system logs for anomalous traffic patterns or unexpected API requests.
- Follow the official Cisco Catalyst SD-WAN Hardening Guide for comprehensive security configurations.