Critical Vulnerabilities in Cisco Catalyst SD-WAN Manager Exploited
Severity: High (Score: 72.9)
Sources: nvd.nist.gov
Summary
Two critical vulnerabilities, CVE-2026-20122 and CVE-2026-20128, have been identified in Cisco Catalyst SD-WAN Manager, both published on 2026-02-25. CVE-2026-20122 allows authenticated remote attackers to overwrite arbitrary files via the API, while CVE-2026-20128 permits unauthenticated remote attackers to gain DCA user privileges through a credential file exploit. Both vulnerabilities were added to the CISA KEV list on 2026-04-20 due to active exploitation. Affected systems include versions prior to 20.18 of Cisco Catalyst SD-WAN Manager. Attackers can exploit these vulnerabilities to escalate privileges and potentially compromise additional systems. Organizations using vulnerable versions are urged to apply updates immediately to mitigate these risks.
Key Points
- CVE-2026-20122 allows remote file overwriting with valid API credentials.
- CVE-2026-20128 enables unauthenticated access to DCA user privileges.
- Both vulnerabilities are actively exploited and should be patched immediately.
Key Entities
- Data Breach (attack_type)
- Zero-day Exploit (attack_type)
- CVE-2026-20122 (cve)
- CVE-2026-20128 (cve)
- CWE-200 - Exposure of Sensitive Information (cwe)
- CWE-269 - Improper Privilege Management (cwe)
- CWE-287 - Improper Authentication (cwe)
- T1003 - OS Credential Dumping (mitre_attack)
- T1078 - Valid Accounts (mitre_attack)
- Cisco Catalyst SD-WAN Manager (platform)