Cisco Warns of Exploited Catalyst SD-WAN Vulnerabilities
Cisco has confirmed that two recently patched Catalyst SD-WAN vulnerabilities are being actively exploited in the wild. The networking giant updated its advisory on March 5, 2026, to highlight the exploitation of CVE-2026-20128 and CVE-2026-20122, urging organizations to apply patches immediately to mitigate risks.
Key Vulnerabilities Under Attack
The exploited flaws include:
- CVE-2026-20128: An information disclosure vulnerability in the Data Collection Agent (DCA) feature, allowing authenticated attackers to escalate privileges.
- CVE-2026-20122: An arbitrary file overwrite bug in the Catalyst SD-WAN Manager API, enabling remote attackers to overwrite files and gain elevated access.
What These Vulnerabilities Mean
CVE-2026-20128 poses a critical risk by enabling privilege escalation, while CVE-2026-20122 allows attackers to manipulate system files remotely. Cisco notes these vulnerabilities are often chained with other flaws, such as CVE-2022-20775, to bypass authentication and establish persistent access.
Recent Zero-Day Threats
Cisco also disclosed a critical zero-day vulnerability, CVE-2026-20127, exploited to bypass authentication and gain admin privileges. Cybersecurity agencies like CISA have linked this flaw to attacks involving the UAT-8616 threat actor, active since 2023.
Threat Actor Landscape
UAT-8616, a sophisticated group, has been linked to campaigns targeting Catalyst SD-WAN systems. Meanwhile, another China-linked APT, UAT-9686, has been exploiting zero-day vulnerabilities in recent months, underscoring the evolving threat landscape.
Why Immediate Action Matters
Cisco’s advisory emphasizes that these vulnerabilities are being exploited in real-world attacks. Organizations using affected Catalyst SD-WAN systems must prioritize patching to prevent unauthorized access, data breaches, and system compromise.
Steps to Protect Your Systems
- Review Cisco’s advisory for patch details and apply updates immediately.
- Monitor network traffic for unusual activity, such as unauthorized file modifications.
- Restrict access to SD-WAN Manager APIs and enforce strong authentication protocols.
Conclusion
Cisco’s warning highlights the urgency of addressing Catalyst SD-WAN vulnerabilities. By applying patches and strengthening security measures, organizations can reduce their exposure to sophisticated cyberattacks. Stay informed about emerging threats and prioritize proactive defense strategies.
FAQs
- What are the risks of unpatched Cisco Catalyst SD-WAN vulnerabilities? Unpatched systems face unauthorized access, privilege escalation, and potential data breaches.
- How can I check if my systems are affected? Review Cisco’s advisory for affected versions and use the provided tools to assess your environment.
- Are there workarounds if patching is delayed? Cisco recommends disabling unused APIs and restricting network access as temporary mitigations.
- What is the UAT-8616 threat actor? A sophisticated group linked to advanced attacks on Cisco SD-WAN systems since 2023.
- How often should I update my network devices? Apply patches as soon as they’re released, especially for critical vulnerabilities.








