Cisco Warns of Exploited Catalyst SD-WAN Vulnerabilities

Cisco Warns of Exploited Catalyst SD-WAN Vulnerabilities

Cisco Warns of Exploited Catalyst SD-WAN Vulnerabilities

Cisco has confirmed that two recently patched Catalyst SD-WAN vulnerabilities are being actively exploited in the wild. The networking giant updated its advisory on March 5, 2026, to highlight the exploitation of CVE-2026-20128 and CVE-2026-20122, urging organizations to apply patches immediately to mitigate risks.

Key Vulnerabilities Under Attack

The exploited flaws include:

  • CVE-2026-20128: An information disclosure vulnerability in the Data Collection Agent (DCA) feature, allowing authenticated attackers to escalate privileges.
  • CVE-2026-20122: An arbitrary file overwrite bug in the Catalyst SD-WAN Manager API, enabling remote attackers to overwrite files and gain elevated access.

What These Vulnerabilities Mean

CVE-2026-20128 poses a critical risk by enabling privilege escalation, while CVE-2026-20122 allows attackers to manipulate system files remotely. Cisco notes these vulnerabilities are often chained with other flaws, such as CVE-2022-20775, to bypass authentication and establish persistent access.

Recent Zero-Day Threats

Cisco also disclosed a critical zero-day vulnerability, CVE-2026-20127, exploited to bypass authentication and gain admin privileges. Cybersecurity agencies like CISA have linked this flaw to attacks involving the UAT-8616 threat actor, active since 2023.

Threat Actor Landscape

UAT-8616, a sophisticated group, has been linked to campaigns targeting Catalyst SD-WAN systems. Meanwhile, another China-linked APT, UAT-9686, has been exploiting zero-day vulnerabilities in recent months, underscoring the evolving threat landscape.

Why Immediate Action Matters

Cisco’s advisory emphasizes that these vulnerabilities are being exploited in real-world attacks. Organizations using affected Catalyst SD-WAN systems must prioritize patching to prevent unauthorized access, data breaches, and system compromise.

Steps to Protect Your Systems

  1. Review Cisco’s advisory for patch details and apply updates immediately.
  2. Monitor network traffic for unusual activity, such as unauthorized file modifications.
  3. Restrict access to SD-WAN Manager APIs and enforce strong authentication protocols.

Conclusion

Cisco’s warning highlights the urgency of addressing Catalyst SD-WAN vulnerabilities. By applying patches and strengthening security measures, organizations can reduce their exposure to sophisticated cyberattacks. Stay informed about emerging threats and prioritize proactive defense strategies.

FAQs

  • What are the risks of unpatched Cisco Catalyst SD-WAN vulnerabilities? Unpatched systems face unauthorized access, privilege escalation, and potential data breaches.
  • How can I check if my systems are affected? Review Cisco’s advisory for affected versions and use the provided tools to assess your environment.
  • Are there workarounds if patching is delayed? Cisco recommends disabling unused APIs and restricting network access as temporary mitigations.
  • What is the UAT-8616 threat actor? A sophisticated group linked to advanced attacks on Cisco SD-WAN systems since 2023.
  • How often should I update my network devices? Apply patches as soon as they’re released, especially for critical vulnerabilities.