Security alert: active vulnerabilities in Cisco SD-WAN Manager threaten thousands of devices and demand urgent update

Published · 4 min read

Modern networks increasingly depend on centralized platforms to manage hundreds or thousands of devices; that convenience, however, makes management panels high-value targets. Cisco Catalyst SD-WAN Manager, the management solution that brings control of hundreds or thousands of SD-WAN elements together in a single console, is back in the news because Cisco itself has confirmed that two additional security flaws are being exploited in real environments, and has asked administrators to update their systems as soon as possible.

The problems reported are not theoretical: according to the company's recent update, there is active exploitation in the wild. Cisco extended the advisory it issued in February and noted that the vulnerabilities tracked as CVE-2026-20122 and CVE-2026-20128 have been used by attackers. The official note is available from the Cisco Security Center at this link: Cisco Security Advisory.


To gauge the severity it helps to look at the access vectors. CVE-2026-20122 allows arbitrary file overwrite; remote exploitation requires read-only credentials with access to the API, but that does not make it harmless: by overwriting critical files an attacker can alter configurations, plant backdoors, or prepare further steps to escalate privileges. The technical description of this flaw is available in the NVD: CVE-2026-20122 (NVD).

The other actively exploited vulnerability, CVE-2026-20128, is rated less severe but is equally worrying because it allows disclosure of sensitive information to a local attacker holding valid vManage credentials. Details can be reviewed in the NIST vulnerability database: CVE-2026-20128 (NVD). Cisco notes that both flaws affect Catalyst SD-WAN Manager software regardless of how the devices are configured, which widens the exposed surface.

This advisory lands in context: Cisco recently disclosed sustained exploitation, going back to at least 2023, of a critical vulnerability in the same management suite, CVE-2026-20127, which allowed sophisticated attackers to add rogue peers to compromised SD-WAN networks and thereby introduce malicious devices that appear legitimate. Information on this flaw is also available in the public databases: CVE-2026-20127 (NVD).

The sensitivity of the problem prompted responses from the authorities. In the United States, the Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive ED 26-03, which requires federal agencies to inventory Cisco SD-WAN devices, preserve forensic artifacts, forward logs off the devices, deploy patches, and review for incidents related to these vulnerabilities. The full text of the directive is available here: CISA ED 26-03.

At the same time, Cisco has published updates for other sensitive products, such as Secure Firewall Management Center, fixing flaws that range from authentication bypass to remote code execution with root privileges (CVE-2026-20079 and CVE-2026-20131); the catalogue entries let you follow the technical trail of these issues: CVE-2026-20079 (NVD) and CVE-2026-20131 (NVD).

What should an administrator do now? The first step is to install the fixed software versions Cisco has released: the company stresses that updating is the most reliable way to remove these attack vectors. Beyond that, restrict access to the management APIs, review and rotate credentials as a priority (read-only API credentials included, since CVE-2026-20122 needs nothing more than those), and segment the network so that the management plane is separated from production traffic, so that a compromise in the user environment does not allow a direct jump to the central controller.


Patching is not enough: possible prior activity must be investigated. Cisco and the agencies recommend collecting and preserving logs and hunting for signs of unauthorised peer creation, unexpected changes to templates or policies, new certificates issued outside normal control, and unusual outbound traffic to unknown destinations. This forensic work is what distinguishes a preventive update from a response to an intrusion that has already happened. Cisco provides guidance and technical detail in its security advisory: Cisco Security Advisory, and the CISA directive lays out minimum operating steps for federal environments: CISA ED 26-03.
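As an added example (not code from the article, from Cisco or from CISA), the following Python script runs that indicator hunt over a constructed JSON-lines audit export and then groups the hits by source address, since several indicator classes coming from one address within minutes is the pattern that separates an intrusion from isolated noise. The record layout and field names, the approved-user sets, the change window and the egress allowlist are all assumptions for illustration; Catalyst SD-WAN Manager's real audit logs and flow exports use their own formats and must be mapped onto these fields first.

```python
"""Triage a constructed Catalyst SD-WAN Manager-style audit export for the four
indicator classes named in the article: unauthorised peer creation, unexpected
template/policy changes, certificates issued outside normal control, and unusual
outbound connections. Record layout and policy constants are assumptions."""
import ipaddress
import json
from datetime import datetime

# Constructed sample records (JSON lines). This layout is hypothetical, not the
# product's native audit-log format; map a real export's fields onto it first.
SAMPLE_LOG = """\
{"ts": "2026-03-01T22:15:00Z", "user": "netadmin", "src_ip": "10.20.0.5", "action": "template_update", "target": "branch-template-v7"}
{"ts": "2026-03-02T03:12:41Z", "user": "netadmin", "src_ip": "10.20.0.5", "action": "policy_update", "target": "central-policy-prod"}
{"ts": "2026-03-02T03:14:09Z", "user": "backup-svc", "src_ip": "10.20.0.77", "action": "peer_add", "target": "vedge-99"}
{"ts": "2026-03-02T03:15:30Z", "user": "readonly-api", "src_ip": "10.20.0.77", "action": "cert_issue", "target": "CN=vedge-99"}
{"ts": "2026-03-02T03:16:02Z", "user": "-", "src_ip": "10.20.0.1", "action": "egress_conn", "target": "203.0.113.45:443"}
{"ts": "2026-03-02T10:00:00Z", "user": "-", "src_ip": "10.20.0.1", "action": "egress_conn", "target": "10.99.0.10:443"}
"""

# Assumed local policy: who may change configuration or add peers, who may issue
# certificates, when planned changes happen (UTC hours, [start, end)), and which
# networks the manager may legitimately connect out to.
APPROVED_CHANGE_USERS = {"netadmin"}
APPROVED_PKI_USERS = {"pki-admin"}
CHANGE_WINDOW_UTC = (22, 24)
ALLOWED_EGRESS = [ipaddress.ip_network("10.0.0.0/8")]


def parse_records(text):
    """Parse JSON-lines audit records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def in_change_window(ts):
    """True if the timestamp's UTC hour falls inside the planned change window."""
    hour = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").hour
    start, end = CHANGE_WINDOW_UTC
    return start <= hour < end


def egress_allowed(target):
    """True if the 'ip:port' target lies inside an allowlisted egress network."""
    host = target.rsplit(":", 1)[0]
    return any(ipaddress.ip_address(host) in net for net in ALLOWED_EGRESS)


def triage(records):
    """Return (category, ts, src_ip, summary) tuples for suspicious records."""
    findings = []
    for r in records:
        act, user, ts, src, target = r["action"], r["user"], r["ts"], r["src_ip"], r["target"]
        out_of_policy = user not in APPROVED_CHANGE_USERS or not in_change_window(ts)
        if act == "peer_add" and out_of_policy:
            findings.append(("unauthorized_peer_creation", ts, src, f"{user} added peer {target}"))
        elif act in ("template_update", "policy_update") and out_of_policy:
            findings.append(("unexpected_change", ts, src, f"{user} changed {target} outside policy"))
        elif act == "cert_issue" and user not in APPROVED_PKI_USERS:
            findings.append(("uncontrolled_certificate", ts, src, f"{user} issued {target}"))
        elif act == "egress_conn" and not egress_allowed(target):
            findings.append(("unusual_egress", ts, src, f"outbound connection to {target}"))
    return findings


def cluster_by_source(findings):
    """Map each source IP to the set of indicator categories it triggered."""
    clusters = {}
    for cat, _ts, src, _summary in findings:
        clusters.setdefault(src, set()).add(cat)
    return clusters


if __name__ == "__main__":
    found = triage(parse_records(SAMPLE_LOG))
    for cat, ts, src, summary in found:
        print(f"{ts} {src:<12} {cat:<28} {summary}")
    for src, cats in cluster_by_source(found).items():
        if len(cats) > 1:
            print(f"correlated activity from {src}: {sorted(cats)}")
```

On the constructed input the script flags four records (the 22:15 template change and the connection to 10.99.0.10 are within policy) and reports 10.20.0.77 as the one source that both added a peer and obtained a certificate, which is exactly the rogue-peer pattern the article describes for CVE-2026-20127 and the first address to pull full logs for.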

The lesson from this episode is clear: the components that centralize control of critical infrastructure concentrate risk. A flaw in the manager does not compromise a single isolated device; it potentially opens the door to the entire network that depends on it. Combining timely updates with good security hygiene (access control, off-box logging, segmentation and continuous monitoring) is the only way to reduce the impact of such flaws.

If you run Catalyst SD-WAN Manager, schedule a maintenance window to apply the patches and launch a thorough check of your environment. Rely on Cisco's official documentation and the recommendations of authorities such as CISA so that the intervention is complete and leaves no loose ends. Useful links to start with: Cisco's own note (advisory), the NVD entries for the CVEs mentioned above (CVE-2026-20122, CVE-2026-20128, CVE-2026-20127) and the CISA directive (ED 26-03).
