Cisco SD-WAN Manager Vulnerabilities Exploited: Critical Fixes Revealed
Cisco has issued an urgent warning about two SD-WAN Manager vulnerabilities being actively exploited by attackers. The flaws, CVE-2026-20128 and CVE-2026-20122, were patched in February 2025 but are now under active attack. These vulnerabilities highlight the importance of timely software updates in network security.
Understanding the Exploited Vulnerabilities
CVE-2026-20128: Data Collection Agent Privilege Escalation
- Allows authenticated attackers to gain elevated privileges via a credential file
- Requires valid vmanage credentials but exploits weak file system permissions
- Enables lateral movement across network devices
CVE-2026-20122: API File Overwrite Vulnerability
- Remote attackers can overwrite system files and gain administrative access
- Exploits insecure API handling in Cisco SD-WAN Manager
- Requires no physical access to the target system
Broader Security Implications
Cisco also addressed 48 vulnerabilities in its Secure Firewall products, including:
- CVE-2026-20079: Authentication bypass flaw in Firewall Management Center
- CVE-2026-20131: Remote code execution vulnerability in the same software
The Dutch National Cyber Security Center has warned that these flaws could see public proof-of-concept exploits within weeks. Network administrators are urged to apply patches immediately.
Protecting Your Network: Cisco’s Recommendations
- Upgrade to the latest SD-WAN Manager software version
- Restrict access to vmanage credentials using role-based policies
- Monitor API activity for unusual file modification patterns
- Implement network segmentation to limit lateral movement
Stay Ahead of Cyber Threats
Subscribe to our cybersecurity alerts to receive instant notifications about emerging vulnerabilities and mitigation strategies. Proactive security management isn’t optional—it’s essential in today’s threat landscape.
Frequently Asked Questions
1. Are Cisco SD-WAN Manager vulnerabilities being actively exploited?
Yes, Cisco confirmed exploitation of CVE-2026-20128 and CVE-2026-20122 in the wild. Attackers are leveraging these flaws to gain unauthorized access to network infrastructure.
2. What makes these vulnerabilities particularly dangerous?
They allow privilege escalation and remote code execution, enabling attackers to manipulate network configurations and move laterally across systems.
3. How can I verify if my systems are affected?
Check your SD-WAN Manager version against Cisco’s advisory. Vulnerable versions include all releases prior to 20.10.0.
4. What about the other Cisco firewall vulnerabilities?
48 total vulnerabilities were patched, with two rated critical. These include authentication bypass and remote code execution flaws in Secure Firewall products.
5. Why should I care about SD-WAN security?
SD-WAN manages critical network traffic. A compromise could disrupt business operations, expose sensitive data, or create backdoors for future attacks.







