Cisco Warns of More Catalyst SD-WAN Flaws Exploited in the Wild

The networking giant has added the recently patched CVE-2026-20128 and CVE-2026-20122 to the list of exploited vulnerabilities.

Cisco is warning customers that two recently patched Catalyst SD-WAN vulnerabilities are being exploited in the wild.

The networking giant informed customers on February 25 about the availability of patches for five Catalyst SD-WAN flaws, including critical and high-severity issues that can be exploited to access vulnerable systems and elevate privileges to root.

Cisco updated its advisory on March 5 to warn that it has become aware of active exploitation for two of the five vulnerabilities: CVE-2026-20128 and CVE-2026-20122.

CVE-2026-20128 is an information disclosure issue affecting the Data Collection Agent (DCA) feature of Catalyst SD-WAN Manager, allowing an authenticated, local attacker to gain DCA user privileges on the targeted system.

CVE-2026-20122 is an arbitrary file overwrite bug affecting the API of the Catalyst SD-WAN Manager. It allows a remote, authenticated attacker to overwrite ...