PROBABLYPWNED
Vulnerabilities · March 7, 2026 · 3 min read

Cisco SD-WAN Manager Flaws Actively Exploited for Web Shells

Cisco confirmed CVE-2026-20122 and CVE-2026-20128 in Catalyst SD-WAN Manager are under active exploitation, with attackers deploying web shells globally.

Marcus Chen

Cisco has confirmed that two vulnerabilities in Catalyst SD-WAN Manager are being actively exploited in the wild. The flaws—CVE-2026-20122 and CVE-2026-20128—enable attackers to overwrite files and steal credentials, with security researchers observing web shell deployments across affected systems.

The Vulnerabilities

CVE-2026-20122 (CVSS 7.1) is an arbitrary file overwrite vulnerability in the SD-WAN Manager API. Improper file handling allows an authenticated attacker with read-only API access to write arbitrary files to the local filesystem. Attackers are using this to drop web shells, modify SSH authorized_keys files, and plant backdoor configurations.

CVE-2026-20128 (CVSS 5.5) exposes Data Collection Agent (DCA) credentials. A misconfigured credential file can be read by local attackers, enabling lateral movement between SD-WAN Manager deployments that share DCA configurations.

These vulnerabilities are distinct from CVE-2026-20127, the critical authentication bypass we covered in February. While that flaw allowed unauthenticated access, these new CVEs require some level of valid credentials—but read-only API access is often granted broadly in enterprise environments.

Active Exploitation

Cisco's Product Security Incident Response Team (PSIRT) updated its advisory on March 5, 2026, explicitly noting exploitation in the wild. Security researchers at watchTowr reported observing exploitation attempts from numerous unique IP addresses globally, with a notable activity spike on March 4.

"Third-party reporting has indicated observed exploitation attempts from numerous unique IP addresses and claims of web shell deployment," Cisco stated in its advisory.

The attack chain typically involves using CVE-2026-20128 to obtain DCA credentials, then leveraging CVE-2026-20122 to write malicious files—including web shells for persistent access.

Affected Versions and Patches

Cisco has released fixes across multiple branches:

  • 20.9.8.2
  • 20.12.5.3
  • 20.12.6.1
  • 20.15.4.2
  • 20.18.2.1

Organizations running earlier versions should update immediately. There are no workarounds; patching is the only mitigation.
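To turn the fixed-release list into a repeatable check, here is an added Python example (not Cisco tooling and not code from the article) that classifies a running SD-WAN Manager version against those five releases. The train-matching rule, comparing within the same major.minor.maintenance train and reporting a train with no listed fix as unknown rather than guessing, is an assumption.

```python
"""Classify a Catalyst SD-WAN Manager version against the fixed releases
listed above. Added example, not Cisco tooling; the train-matching rule is
an assumption, not something the advisory coverage states."""

# Fixed releases exactly as listed in the article.
FIXED_RELEASES = ["20.9.8.2", "20.12.5.3", "20.12.6.1", "20.15.4.2", "20.18.2.1"]


def parse_version(version: str) -> tuple:
    """Turn '20.12.5.3' into (20, 12, 5, 3); missing trailing fields become 0."""
    fields = version.strip().split(".")
    if not fields or not all(f.isdigit() for f in fields):
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = [int(f) for f in fields]
    return tuple(parts + [0] * (4 - len(parts)))[:4]


def assess_version(running: str) -> dict:
    """Return {'status': 'fixed'|'vulnerable'|'unknown', 'upgrade_to': str|None}.

    Assumed rules: a release is fixed if it is at or above the fixed release
    of its own major.minor.maintenance train, otherwise vulnerable. A train
    with no listed fix is vulnerable when a later fix exists in the same
    major.minor line (that fix is the upgrade target); with no such fix the
    result is 'unknown', because the article lists nothing for that line."""
    run = parse_version(running)
    fixed = [parse_version(v) for v in FIXED_RELEASES]
    same_train = [f for f in fixed if f[:3] == run[:3]]
    if same_train:
        target = min(same_train)
        if run >= target:
            return {"status": "fixed", "upgrade_to": None}
        return {"status": "vulnerable", "upgrade_to": ".".join(map(str, target))}
    later_in_line = [f for f in fixed if f[:2] == run[:2] and f > run]
    if later_in_line:
        target = min(later_in_line)
        return {"status": "vulnerable", "upgrade_to": ".".join(map(str, target))}
    return {"status": "unknown", "upgrade_to": None}


if __name__ == "__main__":
    # Constructed sample versions covering each branch of the rule set.
    for v in ["20.12.5.1", "20.12.6.1", "20.9.7.0", "20.12.7.0", "20.16.1.0"]:
        print(v, assess_version(v))
```

A result of `unknown` means the version is on a line the article lists no fix for, so it should be checked directly against the current Cisco advisory rather than assumed safe.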

Recommended Actions

  1. Patch immediately — Apply the appropriate fixed version for your deployment
  2. Audit API access — Review which accounts have API credentials, even read-only
  3. Check for web shells — Scan SD-WAN Manager instances for unexpected files in web directories
  4. Rotate credentials — If DCA credentials may have been exposed, rotate them across all connected deployments
  5. Monitor logs — Look for unusual file write operations or authentication from unexpected sources

Why This Matters

This marks the second major Cisco SD-WAN exploitation campaign in recent weeks. Combined with the critical Cisco FMC vulnerabilities disclosed last week—which also carry CVSS 10.0 scores—Cisco network infrastructure remains a high-value target for threat actors.

The broader pattern is clear: enterprise network management platforms are increasingly under attack. Organizations relying on centralized SD-WAN management should treat these systems as critical assets requiring priority patching and continuous monitoring. For more context on Cisco security announcements, keep an eye on our ongoing coverage.
