Cisco Patches Actively Exploited Vulnerabilities in Catalyst SD-WAN Manager

Take action: Make sure your Catalyst SD-WAN Manager is isolated from the internet and accessible only from trusted networks. Then plan a quick patch cycle, because any isolation will be breached given enough time.


Cisco reports five security vulnerabilities in its Catalyst SD-WAN Manager, formerly known as vManage. These vulnerabilities allow attackers to bypass authentication, escalate privileges to root, and overwrite system files. 

Two of the flaws are actively exploited. 

Vulnerabilities summary:

  • CVE-2026-20129 (CVSS score 9.8) - An authentication bypass vulnerability in the API user authentication module. Unauthenticated remote attackers can send crafted API requests to bypass security checks and gain netadmin privileges without valid credentials. This allows full administrative control over the management interface.
  • CVE-2026-20126 (CVSS score 7.8) - A privilege escalation vulnerability in the REST API caused by an insufficient authentication mechanism. A local attacker with low-level access can send specific requests to the API to gain root privileges on the underlying operating system.
  • CVE-2026-20133 (CVSS score 7.5) - An information disclosure vulnerability resulting from insufficient filesystem access restrictions. Unauthenticated remote attackers can access the API to read sensitive system files, potentially exposing configuration data or credentials.
  • CVE-2026-20122 (CVSS score 7.1) - An arbitrary file overwrite vulnerability in the API involving improper file handling. Authenticated attackers with read-only API access can upload malicious files to overwrite existing system files and escalate to vmanage user privileges. Cisco reports it as actively exploited.
  • CVE-2026-20128 (CVSS score 5.5) - An information disclosure vulnerability in the Data Collection Agent (DCA) feature. Local attackers with vmanage credentials can read a stored credential file containing the DCA password, allowing them to access other connected systems. Cisco reports it as actively exploited.

Exploitation allows attackers to move laterally through the network, exfiltrate sensitive data, and disrupt critical operations. 

All versions of Cisco Catalyst SD-WAN Manager are affected regardless of configuration, with one exception: versions 20.18 and later are not affected by CVE-2026-20128 and CVE-2026-20129.

Fixed releases are 20.9.8.2, 20.12.5.3, 20.15.4.2, and 20.18.2.1. 
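To apply the fixed releases and the 20.18 exception above to a device inventory, the following added example (not Cisco tooling and not part of the original article) classifies a version string and lists the CVEs that still apply. The hostnames and versions in the demo are constructed, and treating a train with no fixed release listed here as exposed is an assumption.

```python
"""Triage Catalyst SD-WAN Manager versions against the fixed releases in the article."""

# Fixed release for each release train, as listed in the article.
FIXED = {(20, 9): (20, 9, 8, 2), (20, 12): (20, 12, 5, 3),
         (20, 15): (20, 15, 4, 2), (20, 18): (20, 18, 2, 1)}
ALL_CVES = ["CVE-2026-20122", "CVE-2026-20126", "CVE-2026-20128",
            "CVE-2026-20129", "CVE-2026-20133"]
# Per the article, 20.18 and later are not affected by these two.
NOT_IN_20_18_PLUS = {"CVE-2026-20128", "CVE-2026-20129"}


def parse_version(text):
    """Turn '20.12.5.3' into (20, 12, 5, 3), padding short versions with zeros."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 4 or not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))


def triage(version_text):
    """Return (status, cves); status is 'fixed', 'vulnerable' or 'no-fix-listed'."""
    ver = parse_version(version_text)
    train = ver[:2]
    cves = [c for c in ALL_CVES if train < (20, 18) or c not in NOT_IN_20_18_PLUS]
    fixed = FIXED.get(train)
    if fixed is None:
        # Assumption: a train without a listed fix is treated as exposed,
        # so the host needs a move to one of the listed trains.
        return "no-fix-listed", cves
    if ver >= fixed:
        return "fixed", []
    return "vulnerable", cves


if __name__ == "__main__":
    # Constructed inventory: hostnames and versions are sample values.
    inventory = {"vmanage-a": "20.12.5.3", "vmanage-b": "20.18.1",
                 "vmanage-c": "20.14.1"}
    for host, version in inventory.items():
        status, cves = triage(version)
        print(f"{host:10} {version:10} {status:14} {', '.join(cves) or '-'}")
```
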

There are no workarounds for these vulnerabilities, making immediate patching the only effective defense. Cisco recommends placing SD-WAN control components behind firewalls and restricting access to trusted hosts only. Administrators should also disable unnecessary services like HTTP and FTP, change default passwords, and monitor logs for unauthorized API requests or suspicious file uploads.
