
CISA Confirms Active Exploitation of Three Cisco Networking Vulnerabilities

Take action: If you use Cisco Catalyst SD-WAN Manager, check your versions against the February advisory. CISA has confirmed these flaws are exploited, so start patching.



CISA reports three flaws affecting Cisco Catalyst SD-WAN Manager networking appliances as actively exploited. 

Vulnerabilities summary:

  • CVE-2026-20122 - A file integrity vulnerability in the API interface of Cisco networking products that allows an authenticated user with read-only privileges to overwrite critical system files. By sending specially crafted requests to the API, an attacker can bypass permission levels to modify the underlying operating system. This can lead to a complete loss of system integrity or persistent unauthorized access.
  • CVE-2026-20128 - An information disclosure vulnerability that allows an attacker to access an unsecured password file within the appliance's file system. The flaw stems from improper access controls on sensitive configuration files, letting an actor retrieve credentials without high-level permissions. Once the password file is obtained, attackers can use the decrypted or plain-text credentials to log into the system with administrative rights.
  • CVE-2026-20133 - A broken access control vulnerability resulting from poorly configured restrictions that allows unauthenticated attackers to view sensitive system information. The technical mechanism involves a failure to enforce authentication checks on specific data-retrieval endpoints. This exposure provides attackers with the reconnaissance data needed to facilitate further stages of a multi-stage network compromise.

Security researchers from VulnCheck previously warned that defenders should prioritize these flaws, especially CVE-2026-20133. 

All versions of Cisco Catalyst SD-WAN Manager are affected regardless of configuration. Versions 20.18 and later are immune to CVE-2026-20128 and CVE-2026-20129. 

Fixed releases are 20.9.8.2, 20.12.5.3, 20.15.4.2, and 20.18.2.1. 
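An added example, not from the article or from Cisco: a check of an appliance inventory against the fixed releases listed above. It assumes each fixed release applies to its own release train (the first two version components) and flags trains the article does not list for a look at the advisory; the hostnames and versions in the sample are constructed.

```python
import re

# Fixed releases exactly as listed on this page, keyed by release train
# (first two components). Keying by train is an assumption of this example.
FIXED = {(20, 9): (20, 9, 8, 2), (20, 12): (20, 12, 5, 3),
         (20, 15): (20, 15, 4, 2), (20, 18): (20, 18, 2, 1)}

def parse_version(text):
    """Turn '20.12.5.3' into (20, 12, 5, 3); reject anything non-numeric."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){1,3}", text):
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (4 - len(parts))  # pad so 20.18 == 20.18.0.0

def classify(version_text):
    """Return 'patched', 'vulnerable' or 'unlisted-train' for one version."""
    v = parse_version(version_text)
    fixed = FIXED.get(v[:2])
    if fixed is None:
        return "unlisted-train"  # page names no fix here; check the advisory
    # Integer tuples compare numerically, so 4.10 sorts above 4.2.
    return "patched" if v >= fixed else "vulnerable"

def audit(inventory):
    """Map hostname -> status for a {hostname: version} inventory."""
    results = {}
    for host, version in inventory.items():
        try:
            results[host] = classify(version)
        except ValueError:
            results[host] = "unparseable"
    return results

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = {
    "vmanage-a": "20.9.8.2",
    "vmanage-b": "20.12.5",
    "vmanage-c": "20.15.4.10",
    "vmanage-d": "20.18",
    "vmanage-e": "20.13.1",
    "vmanage-f": "20.9.8.2a",
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE).items()):
        print(f"{host:10} {SAMPLE[host]:12} {status}")
```

Comparing versions as integer tuples rather than strings matters here: a plain string comparison would rank 20.9.x above 20.12.x and 20.15.4.10 below 20.15.4.2.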

CISA has issued a binding operational directive requiring federal agencies to apply the necessary security updates by April 23, 2026.
