Cisco warns that two security flaws in its Catalyst SD-WAN Manager software are being actively exploited, urging customers to upgrade. The vulnerabilities, an arbitrary file overwrite and an information disclosure flaw, affect the network management software regardless of configuration. This follows a separate disclosure of a critical, long-exploited authentication bypass vulnerability in the same product line. U.S. authorities have issued directives for federal agencies to address these threats. Cisco has also recently patched two maximum-severity vulnerabilities in its Secure Firewall Management Center software.
Cisco has flagged two additional Catalyst SD-WAN Manager security flaws as actively exploited in the wild, urging administrators to upgrade vulnerable devices.
Catalyst SD-WAN Manager (formerly vManage) is network management software that enables admins to monitor and manage up to 6,000 Catalyst SD-WAN devices from a single centralized dashboard.
"In March 2026, the Cisco PSIRT became aware of active exploitation of the vulnerabilities that are described in CVE-2026-20128 and CVE-2026-20122 only," the company warned in an update to a February 25 advisory.
"The vulnerabilities that are described in the other CVEs in this advisory are not known to have been compromised. Cisco strongly recommends that customers upgrade to a fixed software release to remediate these vulnerabilities."
The high-severity arbitrary file overwrite vulnerability (CVE-2026-20122) can only be exploited by remote attackers with valid read-only credentials with API access, while the medium-severity information disclosure flaw (CVE-2026-20128) requires local attackers to have valid vmanage credentials on the targeted systems.
Cisco added that these vulnerabilities affect Catalyst SD-WAN Manager software, regardless of device configuration.
SD-WAN zero-days exploited since 2023
Last week, the company also disclosed that a critical authentication bypass vulnerability (CVE-2026-20127) has been exploited in zero-day attacks since at least 2023, enabling highly sophisticated threat actors to compromise controllers and add rogue peers to targeted networks.
Because the rogue peers look like legitimate devices, the attackers can use them to move deeper into compromised networks.
After joint advisories by U.S. and U.K. authorities warning of the exploitation activity, CISA issued Emergency Directive 26-03 requiring federal agencies to inventory Cisco SD-WAN systems, collect forensic artifacts, ensure external log storage, apply updates, and investigate potential compromises tied to attacks targeting CVE-2026-20127 and an older flaw tracked as CVE-2022-20775.
More recently, on Wednesday, Cisco released security updates to patch two maximum-severity vulnerabilities in its Secure Firewall Management Center (FMC) software.
These flaws, an authentication bypass (tracked as CVE-2026-20079) and a remote code execution (RCE) vulnerability (CVE-2026-20131), can be exploited remotely by unauthenticated attackers to gain root access to the underlying operating system and to execute arbitrary Java code as root on unpatched devices, respectively.