Microsoft · U.S. · The Register
More Cisco SD-WAN flaws battered in attacks
Compiled by KHAO Editorial — aggregated from 1 outlet.
America's lead cyber-defense agency has warned that three Cisco Catalyst SD-WAN Manager bugs are under attack, and given federal agencies four days to patch the security holes.
Key facts
- The first flaw, CVE-2026-20128, is an information disclosure vulnerability in the data collection agent (DCA) feature of Cisco Catalyst SD-WAN Manager that allows unauthenticated, remote attackers to gain DCA user privileges on an affected system
- CVE-2026-20133 is another information disclosure bug that allows unauthenticated, remote attackers to view sensitive information on affected systems
- At press time, the networking vendor's advisory still doesn't list CVE-2026-20133 as being under active exploitation
- And finally, CVE-2026-20122 is an arbitrary file overwrite flaw that could let an authenticated remote attacker with valid read-only API credentials upload a malicious file, overwrite arbitrary local
Summary
The US Cybersecurity and Infrastructure Security Agency (CISA) added all three to its Known Exploited Vulnerabilities Catalog on Monday, joining at least two other Cisco SD-WAN CVEs on the list, and set a Thursday deadline for federal agencies to fix them. Cisco's Catalyst SD-WAN Manager platform, formerly known as vManage, sits at the center of many organizations' SD-WAN deployments and can manage up to 6,000 edge devices in a cluster. The first flaw, CVE-2026-20128, is an information disclosure vulnerability in the data collection agent (DCA) feature of Cisco Catalyst SD-WAN Manager that allows unauthenticated, remote attackers to gain DCA user privileges on an affected system. CVE-2026-20133 is another information disclosure bug that allows unauthenticated, remote attackers to view sensitive information on affected systems.