Cisco has issued a warning to its customers regarding two vulnerabilities in its Catalyst SD-WAN products that are currently being exploited. These vulnerabilities, which were recently patched, pose significant security risks if left unaddressed.
Exploitation of Recent Vulnerabilities
On February 25, Cisco released patches for several vulnerabilities affecting Catalyst SD-WAN, including critical and high-severity issues. Left unpatched, these flaws could allow unauthorized access to affected systems and privilege escalation to root. A subsequent update on March 5 reported active exploitation of two of them: CVE-2026-20128 and CVE-2026-20122.
CVE-2026-20128 is an information disclosure issue in the Data Collection Agent (DCA) feature of the Catalyst SD-WAN Manager. It allows an authenticated local attacker to obtain the privileges of the DCA user. CVE-2026-20122 is an arbitrary file overwrite vulnerability in the Catalyst SD-WAN Manager API that allows an authenticated remote attacker to overwrite files on the underlying system and escalate privileges.
Details of the Exploited Vulnerabilities
Cisco has not disclosed details of the attacks exploiting these two vulnerabilities, but they are believed to be used as part of an exploit chain. The announcement follows an earlier warning about a critical zero-day, CVE-2026-20127, which a remote attacker can exploit to bypass authentication and obtain administrative privileges.
CISA and other authorities have noted that CVE-2026-20127 has been chained with an older vulnerability, CVE-2022-20775, to bypass security controls and establish a foothold on targeted systems. This activity is associated with the sophisticated threat actor tracked as UAT-8616, which has been active since 2023.
Ongoing Security Challenges
The precise scope and targets of the campaigns exploiting these vulnerabilities remain unclear. Cisco's recent advisories nonetheless illustrate a persistent threat landscape, which also includes zero-day attacks linked to a China-based advanced persistent threat group tracked as UAT-9686.
In light of these developments, Cisco continues to urge customers to apply the available patches promptly. Keeping Catalyst SD-WAN Manager current remains the primary mitigation for these exploits, and defenders should watch for follow-up advisories as new vulnerabilities and attack details emerge.
For further details, review Cisco's security advisories and the related alerts from cybersecurity agencies such as CISA.
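As a practical check to accompany the advisories above, the following Python script is an added example (not Cisco's or CISA's code) that cross-references an advisory's CVE list against the CISA Known Exploited Vulnerabilities (KEV) catalog and reports which entries are listed and which are past their remediation due date. The catalog JSON is embedded as a constructed sample in the feed's real shape; its dates are placeholders, not the catalog's actual values, and CVE-2026-20128 is deliberately left out of the sample to exercise the "not listed" path. Run against the live feed at the URL in the block, the output reflects whatever the catalog currently says.

```python
"""Triage an advisory's CVE IDs against the CISA KEV catalog.

Added example; the sample catalog below is constructed and its dates are
placeholders. Use fetch_kev() to load the real feed instead.
"""
import json
import urllib.request
from datetime import date

# Real feed location. Top-level key "vulnerabilities" holds entries with
# cveID, vendorProject, product, vulnerabilityName, dateAdded,
# requiredAction, dueDate, knownRansomwareCampaignUse and notes.
KEV_FEED_URL = (
    "https://www.cisa.gov/sites/default/files/feeds/"
    "known_exploited_vulnerabilities.json"
)

# CVE IDs named in the advisories discussed on this page.
ADVISORY_CVES = [
    "CVE-2026-20127",
    "CVE-2022-20775",
    "CVE-2026-20122",
    "CVE-2026-20128",  # intentionally absent from the sample catalog below
]

# Constructed sample in the feed's shape. Dates are placeholders for the
# example only; they are not the catalog's real dateAdded/dueDate values.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2026-20127", "vendorProject": "Cisco",
         "product": "Catalyst SD-WAN Manager",
         "vulnerabilityName": "Cisco Catalyst SD-WAN Manager Authentication Bypass",
         "dateAdded": "2026-02-25", "dueDate": "2026-03-04",
         "requiredAction": "Apply mitigations per vendor instructions.",
         "knownRansomwareCampaignUse": "Unknown", "notes": ""},
        {"cveID": "CVE-2022-20775", "vendorProject": "Cisco",
         "product": "Catalyst SD-WAN Manager",
         "vulnerabilityName": "Cisco SD-WAN Privilege Escalation",
         "dateAdded": "2026-02-25", "dueDate": "2026-03-04",
         "requiredAction": "Apply mitigations per vendor instructions.",
         "knownRansomwareCampaignUse": "Unknown", "notes": ""},
        {"cveID": "CVE-2026-20122", "vendorProject": "Cisco",
         "product": "Catalyst SD-WAN Manager",
         "vulnerabilityName": "Cisco Catalyst SD-WAN Manager Arbitrary File Overwrite",
         "dateAdded": "2026-03-05", "dueDate": "2026-03-12",
         "requiredAction": "Apply mitigations per vendor instructions.",
         "knownRansomwareCampaignUse": "Unknown", "notes": ""},
    ],
})


def fetch_kev(url=KEV_FEED_URL, timeout=30):
    """Download the live KEV feed as text (network access required)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def load_kev_index(feed_json):
    """Index KEV entries by CVE ID for O(1) lookup."""
    catalog = json.loads(feed_json)
    return {entry["cveID"]: entry for entry in catalog["vulnerabilities"]}


def triage_cves(cve_ids, kev_index, today):
    """Return one record per CVE: KEV membership and due-date standing.

    status is "not listed" (absent from KEV), "due" (listed, deadline not
    yet reached) or "overdue" (listed, deadline passed as of `today`).
    """
    report = []
    for cve in cve_ids:
        entry = kev_index.get(cve)
        if entry is None:
            report.append({"cve": cve, "in_kev": False, "due_date": None,
                           "days_left": None, "status": "not listed"})
            continue
        due = date.fromisoformat(entry["dueDate"])
        days_left = (due - today).days
        report.append({"cve": cve, "in_kev": True,
                       "product": entry["product"],
                       "due_date": due.isoformat(), "days_left": days_left,
                       "status": "overdue" if days_left < 0 else "due"})
    return report


def overdue_cves(report):
    """CVE IDs whose KEV remediation deadline has already passed."""
    return [r["cve"] for r in report if r["status"] == "overdue"]


if __name__ == "__main__":
    index = load_kev_index(SAMPLE_KEV_JSON)   # swap in fetch_kev() for live data
    for rec in triage_cves(ADVISORY_CVES, index, date.today()):
        print(f"{rec['cve']:16} {rec['status']:10} due={rec['due_date']}")
```

A CVE that is "not listed" is not evidence that it is unexploited; Cisco's own advisory is authoritative for exploitation status, and KEV entries can lag the vendor notice by days. The due date is the deadline CISA sets for U.S. federal agencies, but it is a reasonable internal SLA for anyone running SD-WAN Manager.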
