Escalating Cyber Threats Target Critical SD-WAN Infrastructure: Cisco Identifies Additional Exploited Vulnerabilities

Cisco has issued an urgent warning regarding two additional security vulnerabilities within its Catalyst SD-WAN Manager software, confirming active exploitation in ongoing cyberattacks. This latest disclosure underscores a persistent and evolving threat landscape facing vital network management systems, compelling organizations to prioritize immediate remediation and bolster their defensive postures against sophisticated adversaries.

Software-Defined Wide Area Networking (SD-WAN) represents a foundational shift in enterprise network architecture, offering unparalleled agility, centralized control, and optimized performance across geographically dispersed locations. By abstracting network control from underlying hardware, SD-WAN solutions like Cisco’s Catalyst SD-WAN Manager empower administrators to centrally configure, monitor, and manage thousands of network devices from a single, unified dashboard. This centralized orchestration, while providing immense operational efficiency, simultaneously consolidates risk, making the management plane a highly attractive target for threat actors seeking to gain comprehensive control over an organization’s entire network fabric. The implications of compromising such a system are profound, potentially enabling attackers to manipulate traffic flows, exfiltrate sensitive data, disrupt operations, or establish persistent footholds for further malicious activities.

The newly identified vulnerabilities, tracked as CVE-2026-20128 and CVE-2026-20122, were confirmed by the Cisco Product Security Incident Response Team (PSIRT) to be actively exploited in the wild as of March 2026. This revelation builds upon previous warnings, indicating a concerted and ongoing campaign against Cisco’s SD-WAN ecosystem. While other vulnerabilities detailed in the same advisory are not currently known to be compromised, the active exploitation of these specific flaws necessitates immediate attention and software upgrades for all affected deployments.

CVE-2026-20122 is classified as a high-severity arbitrary file overwrite vulnerability. This type of flaw is particularly dangerous because it permits an attacker to replace or modify critical system files on the target device. In the context of Catalyst SD-WAN Manager, a successful exploit could lead to various detrimental outcomes, including the installation of malicious software, modification of system configurations to facilitate backdoors, or even complete system compromise. The vulnerability is exploitable by remote attackers who possess valid read-only credentials but crucially, also have API access. This requirement suggests that while an attacker might not have full administrative privileges, the ability to interact with the system’s API provides a vector to leverage this flaw. The danger here lies in the potential for lateral movement or privilege escalation; an attacker who has already gained a minimal foothold, perhaps through a phishing attack or by exploiting another, less severe vulnerability to obtain read-only credentials, could then use CVE-2026-20122 to elevate their access and achieve deeper compromise.

Complementing this, CVE-2026-20128 is a medium-severity information disclosure vulnerability. This flaw requires local attackers to possess valid vManage credentials on the targeted systems. Information disclosure vulnerabilities, while sometimes perceived as less critical than direct code execution or authentication bypass flaws, can be invaluable to attackers in reconnaissance phases or as stepping stones in multi-stage attacks. Successful exploitation could expose sensitive operational data, network topology maps, device configurations, or even other credential fragments that could be used to facilitate further attacks. The requirement for local access and valid vManage credentials suggests that the attacker would need some prior level of access to the system, possibly through social engineering, physical access, or the exploitation of another vulnerability that grants initial access. Once inside, this flaw could provide the critical intelligence needed to map out the network, identify high-value targets, or understand how to leverage other vulnerabilities like the arbitrary file overwrite. The fact that these vulnerabilities affect Catalyst SD-WAN Manager software universally, irrespective of specific device configurations, underscores the broad attack surface and the necessity for a comprehensive patching strategy across all deployments.

These newly confirmed exploits occur against a backdrop of ongoing, sophisticated attacks targeting Cisco’s SD-WAN infrastructure. Notably, Cisco previously disclosed a critical authentication bypass vulnerability, CVE-2026-20127, which has been actively exploited as a zero-day since at least 2023. This prolonged period of exploitation without a patch highlights the stealth and persistence of the threat actors involved. An authentication bypass vulnerability of this criticality allows attackers to circumvent normal authentication mechanisms, granting them unauthorized access to controllers without valid credentials. This effectively opens the front door to the entire SD-WAN management system.

The primary objective of these highly sophisticated threat actors, in the case of CVE-2026-20127, has been to compromise SD-WAN controllers and subsequently introduce malicious "rogue peers" into targeted networks. Rogue peers are essentially unauthorized or malicious network devices that masquerade as legitimate components within the SD-WAN fabric. By inserting these rogue elements, attackers can gain an insidious foothold, allowing them to:

1. Intercept and Redirect Traffic: Reroute legitimate network traffic through their malicious devices, enabling eavesdropping, data manipulation, or denial-of-service attacks.
2. Establish Command and Control (C2): Create covert communication channels for remote control of compromised systems and exfiltration of stolen data.
3. Facilitate Lateral Movement: Use the rogue peer as a pivot point to explore and compromise other devices and segments within the victim’s network.
4. Maintain Persistence: Ensure continued access to the network even if initial compromise vectors are discovered and patched.
5. Inject Malicious Payloads: Distribute malware or other harmful code to connected systems, expanding the scope of their attack.
   The ability to introduce such rogue elements allows attackers to move deeper into compromised networks, maintaining a persistent and often undetectable presence, thereby posing a significant and enduring risk to organizational security and data integrity.

The gravity of these ongoing threats has prompted robust responses from governmental cybersecurity agencies. Following joint advisories from U.S. and U.K. authorities, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive (ED) 26-03. Emergency Directives are typically reserved for situations posing severe, immediate risks to federal information systems and critical infrastructure, signaling the high level of concern regarding these SD-WAN vulnerabilities. ED 26-03 mandates several critical actions for all federal civilian executive branch agencies, which serve as a strong recommendation for all organizations leveraging Cisco SD-WAN solutions:

• Inventory Cisco SD-WAN Systems: Agencies must identify all instances of Cisco SD-WAN deployments within their environments. This fundamental step ensures comprehensive visibility of the attack surface.
• Collect Forensic Artifacts: Gathering logs, system configurations, and other relevant data is crucial for detecting potential compromises, understanding attack methodologies, and aiding in incident response.
• Ensure External Log Storage: Offloading logs to secure, external repositories prevents attackers from tampering with forensic evidence on compromised systems and ensures data availability for investigation.
• Apply Updates: Promptly applying all available security patches and fixed software releases is the most direct and effective way to remediate known vulnerabilities.
• Investigate Potential Compromises: Agencies are required to actively hunt for indicators of compromise (IoCs) related to attacks targeting CVE-2026-20127 and an older, related flaw, CVE-2022-20775. The inclusion of an older vulnerability in this directive suggests that it may be part of a common attack chain or frequently targeted by the same sophisticated threat actors.

This wave of SD-WAN vulnerabilities is not an isolated incident for Cisco. Just recently, the company released security updates to address two maximum-severity vulnerabilities in its Secure Firewall Management Center (FMC) software. These flaws, an authentication bypass (CVE-2026-20079) and a remote code execution (RCE) vulnerability (CVE-2026-20131), represent the highest level of risk. Crucially, they could be exploited remotely by unauthenticated attackers. This means an attacker requires no prior access or credentials to initiate an attack. A successful exploit of CVE-2026-20079 could grant root access to the underlying operating system, providing complete administrative control over the firewall management system. CVE-2026-20131 allows for the execution of arbitrary Java code as root on unpatched devices, essentially giving attackers the ability to run any command or deploy any payload they desire. The confluence of these highly critical vulnerabilities across different, yet interconnected, Cisco network management platforms underscores a broader challenge in securing complex network infrastructure and highlights the persistent focus of advanced threat actors on these high-value targets.

Implications for Organizations

The recurring discovery and active exploitation of critical vulnerabilities in fundamental network infrastructure components like SD-WAN managers and firewall management centers carry significant implications for organizations across all sectors:

1. Heightened Risk Exposure: The centralized nature of SD-WAN management means a single successful exploit can compromise the entire network’s control plane, leading to widespread disruption, data breaches, and potential operational paralysis.
2. Urgency of Patch Management: The confirmed active exploitation of these flaws elevates the necessity of timely patching from a best practice to an absolute imperative. Organizations must implement robust, expedited patch management processes, particularly for mission-critical network infrastructure. This includes not only applying vendor-provided fixes but also thorough testing in non-production environments to ensure stability.
3. Advanced Threat Actor Focus: The sophistication and persistence demonstrated by the threat actors exploiting these zero-days (some for years) suggest nation-state capabilities or highly organized criminal groups. Organizations must therefore elevate their defensive strategies to counter such advanced persistent threats (APTs).
4. Supply Chain Security: These incidents reinforce the importance of rigorous vetting and continuous monitoring of security postures of technology vendors. While vendors like Cisco actively work to identify and patch vulnerabilities, the reality of complex software development means flaws will inevitably emerge. Organizations must have contingency plans for vendor-discovered vulnerabilities.
5. Zero-Trust Principles: The concept of "never trust, always verify" becomes paramount. Even within seemingly secure internal networks, continuous authentication, authorization, and validation of all users, devices, and applications are essential to mitigate the impact of compromised credentials or rogue devices.
6. Enhanced Monitoring and Incident Response: Proactive threat hunting, comprehensive logging, and robust security information and event management (SIEM) systems are vital for detecting early indicators of compromise (IoCs). Organizations need well-defined incident response plans specifically tailored for network infrastructure breaches to minimize dwell time and contain potential damage.
7. Network Segmentation: Implementing granular network segmentation can help limit the lateral movement of attackers even if an SD-WAN controller or firewall is compromised, reducing the blast radius of an attack.

Future Outlook

The trajectory of cyber threats targeting network infrastructure indicates an intensifying landscape. As enterprises increasingly rely on sophisticated, software-defined networks for their operations, these systems will remain prime targets for malicious actors. Future trends are likely to include:

• Increased Focus on the Control Plane: Attackers will continue to target the management and control planes of SD-WAN and other network orchestration solutions, understanding that compromising these central points offers disproportionate access and impact.
• AI/ML in Attack and Defense: Both attackers and defenders will increasingly leverage artificial intelligence and machine learning to identify vulnerabilities, automate exploits, and enhance detection capabilities, creating an escalating technological arms race.
• Software Supply Chain Attacks: The complexity of modern software, including network operating systems and management tools, creates numerous opportunities for supply chain compromises, where vulnerabilities are introduced at earlier stages of development or through third-party components.
• Regulatory Scrutiny: Governments and regulatory bodies are likely to increase their oversight and mandate more stringent security requirements for critical network infrastructure, following the lead of directives like CISA’s ED 26-03.
• The Persistence of Zero-Days: Despite advancements in secure coding and testing, zero-day vulnerabilities will continue to emerge, requiring organizations to maintain a state of continuous vigilance and readiness for rapid response.

In conclusion, the latest disclosures from Cisco regarding actively exploited SD-WAN vulnerabilities serve as a stark reminder of the persistent and evolving threats facing modern enterprise networks. The imperative for organizations is clear: prioritize immediate patching, adopt a proactive and multi-layered security strategy, and cultivate a culture of continuous vigilance to safeguard their critical digital infrastructure against increasingly sophisticated adversaries. The battle for network integrity is ongoing, and robust security practices remain the cornerstone of resilience.