Cybersecurity Blog | RedLegg

Security Bulletin: Multiple vulnerabilities affecting Cisco SD-WAN exploited in the wild

Written by RedLegg's Cyber Threat Intelligence Team | 3/5/26 9:20 PM

About:

Multiple vulnerabilities affecting Cisco Catalyst SD-WAN Manager (vManage) are confirmed to be actively exploited in the wild. The flaws include an arbitrary file overwrite vulnerability and an information disclosure issue that could allow attackers to escalate privileges, retrieve sensitive credentials, or compromise SD-WAN management infrastructure. Successful exploitation may enable attackers to gain elevated access within the SD-WAN environment and potentially pivot to additional network systems.

RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats we classify as the highest severity level and warrant out-of-band emergency patching or mitigation action.

VULNERABILITIES

Arbitrary File Overwrite Vulnerability in Cisco Catalyst SD-WAN Manager

CVSS Score: 5.4 (Medium, CVSS v3.1)
Identifier: CVE-2026-20122

PoC or Exploitation:

Cisco has confirmed that CVE-2026-20122 is being actively exploited in the wild.

Update/Patch:

Cisco has released fixed software versions for Catalyst SD-WAN Manager. Organizations should upgrade according to the affected release train.

General fixed versions include:

• Versions earlier than 20.9: migrate to a supported fixed release
• Version 20.9: fixed in 20.9.8.2
• Version 20.11: fixed in 20.12.6.1
• Version 20.12: fixed in 20.12.5.3 and 20.12.6.1
• Version 20.13, 20.14, 20.15: fixed in 20.15.4.2
• Version 20.16 and 20.18: fixed in 20.18.2.1
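As an added example that is not part of RedLegg's bulletin or of Cisco's software, the following Python encodes the release-train table above and reports whether a running Catalyst SD-WAN Manager version is at or above the listed fix for its train; the numeric version parsing and the per-maintenance-line comparison rule are this example's own assumptions, so the result is a triage aid to be confirmed against Cisco's advisory.

```python
# Added example (not RedLegg's or Cisco's code): check a running Catalyst
# SD-WAN Manager version against the fixed releases listed in this bulletin.
# Release-train table copied from the bulletin; the numeric-tuple and
# per-maintenance-line comparison rules are this example's own assumptions.

# (major, minor) release train -> fixed releases as listed in the bulletin
FIXED = {
    (20, 9): ["20.9.8.2"],
    (20, 11): ["20.12.6.1"],  # bulletin points the 20.11 train at 20.12.6.1
    (20, 12): ["20.12.5.3", "20.12.6.1"],
    (20, 13): ["20.15.4.2"], (20, 14): ["20.15.4.2"], (20, 15): ["20.15.4.2"],
    (20, 16): ["20.18.2.1"], (20, 18): ["20.18.2.1"],
}


def parse_version(text):
    """'20.12.5.3' -> (20, 12, 5, 3); shorter strings are zero-padded."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 2 <= len(parts) <= 4:
        raise ValueError(f"unexpected version format: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def fmt(version):
    return ".".join(str(p) for p in version)


def check_version(text):
    """Return (status, target): status is 'fixed', 'vulnerable', 'migrate'
    or 'unlisted'; target is the release to move to, or None."""
    running = parse_version(text)
    train = running[:2]
    if train < (20, 9):
        return "migrate", None        # bulletin: no fixed release on this train
    if train not in FIXED:
        return "unlisted", None       # e.g. 20.10 or 20.17: consult the advisory
    fixes = sorted(parse_version(f) for f in FIXED[train])
    # Compare within the same maintenance line (first three components) first,
    # so 20.12.6.0 is measured against 20.12.6.1 rather than 20.12.5.3.
    same_line = [f for f in fixes if f[:3] == running[:3]]
    if same_line:
        target = same_line[0]
        return ("fixed" if running >= target else "vulnerable"), fmt(target)
    later = [f for f in fixes if f > running]
    if later:
        return "vulnerable", fmt(later[0])   # next listed fix above us
    return "unlisted", None           # newer than every listed fix: verify
```

Run `check_version` over each manager in an inventory export; anything reported as `vulnerable`, `migrate` or `unlisted` needs the upgrade or a manual look at the advisory.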

Cisco advisory and patch guidance:

Description:

CVE-2026-20122 is an arbitrary file overwrite vulnerability in the API of Cisco Catalyst SD-WAN Manager (vManage). The vulnerability exists due to improper file handling in the API interface. An authenticated remote attacker with valid API access, including low-privileged or read-only credentials, can upload a malicious file that overwrites arbitrary files on the local file system.
Successful exploitation may allow attackers to gain elevated privileges on the system, potentially escalating access to vManage administrative privileges or enabling further compromise of the SD-WAN management infrastructure.
Mitigation Recommendation:

• Immediately upgrade Cisco Catalyst SD-WAN Manager to the fixed versions listed in Cisco's advisory.
• Restrict API access and administrative interfaces to trusted management networks only.
• Review and rotate API credentials, especially read-only accounts that may have been exposed.
• Monitor logs for suspicious API activity, unexpected file uploads, or unauthorized configuration changes.

Information Disclosure Vulnerability in Cisco Catalyst SD-WAN Manager

CVSS Score: 7.5 (High, CVSS v3.1)
Identifier: CVE-2026-20128

PoC or Exploitation:

Cisco has confirmed that CVE-2026-20128 is being actively exploited in the wild.

Update/Patch:

Cisco has released software updates that address CVE-2026-20128 in Cisco Catalyst SD-WAN Manager. Organizations should upgrade to a fixed version according to Cisco's advisory.

Cisco advisory and patch guidance:

Description:

CVE-2026-20128 is an information disclosure vulnerability in the Data Collection Agent (DCA) feature of Cisco Catalyst SD-WAN Manager. The issue occurs because a credential file containing the DCA password may exist on the system. A local attacker with sufficient privileges could access this file and retrieve the stored credentials.
If exploited, the attacker could use the recovered credentials to authenticate to another affected system and gain DCA user privileges. This could enable unauthorized access to management functions and facilitate lateral movement within the SD-WAN environment.

Mitigation Recommendation:

• Upgrade Cisco Catalyst SD-WAN Manager to the fixed software versions provided in Cisco's advisory.
• Restrict access to the underlying operating system and management interfaces to trusted administrators only.
• Review and limit local shell or administrative access to SD-WAN management appliances.
• Monitor systems for unauthorized access attempts or unusual activity involving the Data Collection Agent service.
• Rotate credentials associated with DCA services and related management accounts if exposure is suspected.