PROBABLYPWNED
Vulnerabilities · March 7, 2026 · 4 min read

Cisco SD-WAN Flaws CVE-2026-20122 and 20128 Under Active Attack

Cisco confirms active exploitation of two more SD-WAN Manager vulnerabilities. Attackers deploying web shells through arbitrary file overwrite and credential exposure flaws.

Marcus Chen

Cisco has confirmed active exploitation of two additional vulnerabilities in Catalyst SD-WAN Manager, tracked as CVE-2026-20122 and CVE-2026-20128. Security researchers at watchTowr observed attackers deploying web shells, with peak activity occurring on March 4.

This disclosure comes weeks after we reported on CVE-2026-20127, a separate critical authentication bypass in the same product line. Together, these vulnerabilities represent a sustained campaign against Cisco's SD-WAN infrastructure.

The Vulnerabilities

CVE-2026-20122 (CVSS 5.4) is an arbitrary file overwrite vulnerability in the Catalyst SD-WAN Manager API. Improper file handling allows an attacker holding read-only API credentials to write arbitrary files to the local filesystem. The modest score reflects the credential requirement, not the impact: in observed attacks the primitive is used to drop web shells, append entries to SSH authorized_keys files, and push malicious configuration changes.

CVE-2026-20128 (CVSS 7.5) is a credential exposure flaw in the Data Collection Agent (DCA) feature. A DCA credential file is left on disk where an attacker with file read access (for example through a web shell dropped via CVE-2026-20122) can recover the DCA credentials and reuse them to authenticate to other systems, enabling lateral movement between SD-WAN Manager deployments.

The attack chain typically follows this pattern:

  1. Obtain read-only API credentials (often through phishing or credential stuffing)
  2. Exploit CVE-2026-20122 to write a web shell
  3. Use CVE-2026-20128 to extract DCA credentials
  4. Pivot to additional SD-WAN infrastructure

Active Exploitation

According to Cisco's Product Security Incident Response Team, exploitation was first detected in early March 2026. watchTowr researchers observed exploitation attempts from numerous unique IP addresses worldwide, with a notable spike on March 4.

"In March 2026, the Cisco PSIRT became aware of active exploitation of the vulnerabilities that are described in CVE-2026-20128 and CVE-2026-20122," the company stated in its advisory update.

The threat actors appear to be the same cluster, tracked as UAT-8616, that previously exploited CVE-2026-20127. This group has demonstrated persistent interest in SD-WAN infrastructure, likely due to the strategic position these systems hold in enterprise networks.

Affected Versions and Patches

Cisco has released fixed versions for all supported branches:

Branch     Fixed Version
20.9.x     20.9.8.2
20.12.x    20.12.5.3 or 20.12.6.1
20.15.x    20.15.4.2
20.18.x    20.18.2.1

Administrators should verify their current version and upgrade immediately. There are no workarounds—patching is the only mitigation.
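Checking a fleet against this table by eye goes wrong in two places: a naive lexical or numeric comparison, and the 20.12.x row, which carries two fixed builds. The script below is an added example written for this article, not Cisco tooling. The fixed versions are the ones in the table above; the reading of "20.12.5.3 or 20.12.6.1" as two separate maintenance trains (20.12.5.x fixed at .3, 20.12.6.x fixed at .1) is this example's assumption, and it is why 20.12.6.0 is reported vulnerable even though it sorts after 20.12.5.3.

```python
"""Assess a Catalyst SD-WAN Manager version string against the fixed
versions listed for CVE-2026-20122 / CVE-2026-20128.

Added example, not Cisco tooling. The table is the one reproduced in
the article; the split of the 20.12.x row into two trains is an
assumption about how the maintenance releases are numbered.
"""
from __future__ import annotations

# Key: the version prefix a running build must share with the fix row.
# Value: the first fixed release on that train. The (20, 12, 6) row
# overrides the general (20, 12) row because the longest matching
# prefix wins in assess().
FIXED_VERSIONS: dict[tuple[int, ...], tuple[int, ...]] = {
    (20, 9): (20, 9, 8, 2),
    (20, 12): (20, 12, 5, 3),
    (20, 12, 6): (20, 12, 6, 1),
    (20, 15): (20, 15, 4, 2),
    (20, 18): (20, 18, 2, 1),
}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '20.12.4.1' into (20, 12, 4, 1); non-numeric input raises."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if not parts:
        raise ValueError(f"empty version string: {text!r}")
    return parts


def assess(version: str) -> str:
    """Return 'fixed', 'vulnerable' or 'unknown-branch'.

    'unknown-branch' covers trains the table does not list (for example
    20.6.x). Treat those as needing migration, never as safe.
    """
    v = parse_version(version)
    match = max(
        (prefix for prefix in FIXED_VERSIONS if v[: len(prefix)] == prefix),
        key=len,
        default=None,
    )
    if match is None:
        return "unknown-branch"
    fixed = FIXED_VERSIONS[match]
    # Tuple comparison is element-wise, so (20, 12, 4, 9) < (20, 12, 5, 3),
    # and a three-part build such as 20.9.8 compares below 20.9.8.2.
    return "fixed" if v >= fixed else "vulnerable"


if __name__ == "__main__":
    # Constructed sample inventory: hostname -> reported version.
    inventory = {
        "vmanage-dc1": "20.12.4.1",
        "vmanage-dc2": "20.12.6.0",
        "vmanage-lab": "20.9.8.2",
        "vmanage-old": "20.6.5",
    }
    for host, ver in inventory.items():
        print(f"{host:12} {ver:10} {assess(ver)}")
```

Feed it the version strings from your inventory system; anything that is not "fixed" belongs on the upgrade list, and "unknown-branch" means the build is on a train the advisory table does not cover at all.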

Why SD-WAN is a Target

SD-WAN controllers manage traffic routing across enterprise wide-area networks. Compromising these systems gives attackers:

  • Visibility into all network traffic flows
  • Ability to redirect traffic through attacker-controlled infrastructure
  • Persistence that survives endpoint remediation
  • Lateral movement paths to branch offices and cloud environments

This mirrors the threat model we've seen with other network infrastructure attacks. Edge devices and network controllers are increasingly the initial access vector of choice for sophisticated threat actors.

Recommended Mitigations

Beyond patching, Cisco recommends these defensive measures:

  1. Restrict API access to necessary personnel only
  2. Disable HTTP for admin portal and require HTTPS
  3. Change default administrator passwords across all devices
  4. Monitor traffic logs for suspicious web shell activity
  5. Audit authorized_keys files on all SD-WAN appliances
  6. Deactivate unused services including HTTP and FTP

Organizations should also hunt for indicators of compromise. Web shells are often planted in web-accessible directories with innocuous names. Check for:

  • Recently created .jsp, .php, or .aspx files in web roots
  • Unexpected SSH authorized_keys entries
  • DCA credential file access outside normal operations
  • Outbound connections to unfamiliar IP addresses
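Two of those checks, recently written script files in a web root and authorized_keys entries that are not in a known-good baseline, can be automated. The script below is an added example written for this article, not Cisco or watchTowr tooling. The web-root path, the seven-day window, the baseline key and the sample directory it builds are all constructed for illustration; on a real appliance point the two functions at the actual web root and at each account's authorized_keys file.

```python
"""Hunt for two of the persistence artifacts described above: fresh
script files under a web root and SSH authorized_keys entries outside a
baseline.

Added example, not vendor tooling. Paths, the time window, the baseline
key and the sample tree from make_sample_tree() are constructed.
"""
from __future__ import annotations

import os
import tempfile
import time
from pathlib import Path

SHELL_EXTENSIONS = {".jsp", ".jspx", ".php", ".aspx"}
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")

# Constructed placeholder standing in for the ops team's known key.
BASELINE_KEYS = {
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOPSKEYOPSKEYOPSKEYOPSKEYOPSKEYOPSKEY",
}
# Constructed placeholder for a key an intruder appended.
ATTACKER_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIATTACKERATTACKERATTACKERATTACKERATT"


def recent_web_files(web_root: Path, max_age_days: int = 7) -> list[str]:
    """Script files under web_root whose mtime falls inside the window.

    This keys on mtime, so a file back-dated with touch -r evades it; pair
    it with a hash comparison against a known-good install.
    """
    cutoff = time.time() - max_age_days * 86400
    hits = []
    for path in web_root.rglob("*"):  # pathlib's glob does include dotfiles
        if path.is_file() and path.suffix.lower() in SHELL_EXTENSIONS:
            if path.stat().st_mtime >= cutoff:
                hits.append(path.relative_to(web_root).as_posix())
    return sorted(hits)


def unexpected_keys(authorized_keys: Path, baseline: set[str]) -> list[str]:
    """authorized_keys entries whose type and key blob are not in baseline.

    Only the type and base64 blob are compared, so a changed comment or an
    added options prefix (command=..., from=...) on a known key is not a
    finding, while a new key hiding behind an innocuous comment is.
    Options containing whitespace inside quotes are not handled here.
    """
    found = []
    for raw in authorized_keys.read_text().splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        idx = next((i for i, f in enumerate(fields) if f.startswith(KEY_TYPES)), None)
        if idx is None or idx + 1 >= len(fields):
            found.append(line)  # unparseable line: worth a human look
            continue
        key = f"{fields[idx]} {fields[idx + 1]}"
        if key not in baseline:
            found.append(key)
    return found


def make_sample_tree() -> tuple[Path, Path]:
    """Build a constructed web root and authorized_keys in a temp dir."""
    base = Path(tempfile.mkdtemp(prefix="sdwan-hunt-"))
    web = base / "webroot"
    (web / "uploads").mkdir(parents=True)
    legit = web / "index.jsp"
    legit.write_text("<%-- shipped with the product --%>")
    old = time.time() - 60 * 86400
    os.utime(legit, (old, old))  # back-dated, so outside the window
    (web / "uploads" / ".cache.jsp").write_text("<%-- stand-in for a dropped shell --%>")
    (web / "style.css").write_text("body{}")  # new, but not a script
    ak = base / "authorized_keys"
    ops_key = next(iter(BASELINE_KEYS))
    ak.write_text(
        "# managed by ops\n"
        f"{ops_key} ops@jump\n"
        f'command="/bin/true",no-pty {ops_key} ops-restricted\n'
        f"{ATTACKER_KEY} root@vmanage\n"
    )
    return web, ak


if __name__ == "__main__":
    web, ak = make_sample_tree()
    print("recent script files:", recent_web_files(web))
    print("keys outside baseline:", unexpected_keys(ak, BASELINE_KEYS))
```

The sample tree yields one fresh `.jsp` under `uploads/` and one key outside the baseline; the back-dated `index.jsp`, the non-script `style.css`, and the ops key carried with a restrictive options prefix all stay quiet, which is the behaviour you want before running this across a fleet.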

The Bigger Picture

Cisco SD-WAN Manager has now had three vulnerabilities exploited in the wild within a month, one of them a critical authentication bypass. This sustained targeting suggests threat actors have identified SD-WAN infrastructure as a high-value target worth investing exploitation resources in.

For organizations that haven't patched, the window of safety has closed. Assume compromise and hunt accordingly. For those evaluating SD-WAN solutions, this incident underscores the importance of vendor security posture in procurement decisions.

Organizations running Cisco infrastructure should also be tracking upcoming TLS ClientAuth certificate changes scheduled for June 2026, which may require configuration updates across SD-WAN deployments.

We'll continue tracking this campaign as additional details emerge.
