Cisco Catalyst SD-WAN Vulnerabilities
Actively exploited. At least one CVE in this advisory is listed in the CISA Known Exploited Vulnerabilities catalog — exploitation has been observed in the wild. Treat remediation as urgent.
Multiple vulnerabilities in Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an attacker to access an affected system, elevate privileges to root, gain access to sensitive information, and overwrite arbitrary files. For more information about these vulnerabilities, see the Details section of this advisory. Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities. Cisco strongly recommends that customers upgrade to the fixed software indicated in this advisory. This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-authbp-qwCX8D4v Security Impact Rating: Critical CVE: CVE-2026-20122,CVE-2026-20126,CVE-2026-20128,CVE-2026-20129,CVE-2026-20133
CSIRTS triage
- What
- Multiple vulnerabilities could allow an attacker to access an affected system, elevate privileges to root, gain access to sensitive information, and overwrite arbitrary files.
- Who is affected
- Deployments of Cisco Catalyst SD-WAN Manager.
- Urgency
- Remediation is urgent due to the critical severity and confirmed exploitation of these vulnerabilities.
- Action
- Customers are strongly recommended to upgrade to the fixed software indicated in the advisory.
AI-assisted analysis generated from the source advisory — verify against the original.
⚡ Watch Catalyst SD-WAN Manager
Get an email when a new Catalyst SD-WAN Manager advisory drops — max one per day, one-click unsubscribe.
Details
Exploitation outlook
EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.
- Exploitation confirmedCVE-2026-20122Already exploited in the wild (CISA KEV) — the prediction phase is over. Patch now. Riskier than 93% of all scored CVEs.
- Exploitation confirmedCVE-2026-20126Already exploited in the wild (CISA KEV) — the prediction phase is over. Patch now. Riskier than 22% of all scored CVEs.
- Exploitation confirmedCVE-2026-20128Already exploited in the wild (CISA KEV) — the prediction phase is over. Patch now. Riskier than 92% of all scored CVEs.
- Exploitation confirmedCVE-2026-20129Already exploited in the wild (CISA KEV) — the prediction phase is over. Patch now. Riskier than 49% of all scored CVEs.
- Exploitation confirmedCVE-2026-20133Already exploited in the wild (CISA KEV) — the prediction phase is over. Patch now. Riskier than 95% of all scored CVEs.
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-20122 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-20126 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-20128 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-20129 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-20133 | coverage & exploitation status | NVD · CVE.org |
Same CVEs, other sources
How other CERTs, PSIRTs and databases cover the vulnerabilities in this advisory.
- criticalexploitedCVE-2026-20133: Cisco Catalyst SD-WAN Manager Exposure of Sensitive Information to an Unauthorized Actor Vulne…cisa-kev
- criticalexploitedCVE-2026-20128: Cisco Catalyst SD-WAN Manager Storing Passwords in a Recoverable Format Vulnerabilitycisa-kev
- criticalexploitedCVE-2026-20122: Cisco Catalyst SD-WAN Manager Incorrect Use of Privileged APIs Vulnerabilitycisa-kev
Recent advisories for Cisco Catalyst SD-WAN
A cluster of recent advisories against the same product widens the attack surface — attackers routinely chain freshly published CVEs on one product, so review these together.
- criticalexploitedCisco Catalyst SD-WAN Controller Authentication Bypass Vulnerabilitycisco-psirt · 2026-06-16
- highexploitedCisco Catalyst SD-WAN Controller Authentication Bypass Vulnerabilitycisco-psirt · 2026-06-16
- unknownNCSC-2026-0199 [1.00] [M/H] Vulnerability fixed in Cisco Catalyst SD-WAN Managerncsc-nl · 2026-06-16
- mediumexploitedCisco Catalyst SD-WAN Manager Arbitrary File Write Vulnerabilitycisco-psirt · 2026-06-15
- criticalexploitedCVE-2026-20262: Cisco Catalyst SD-WAN Manager Directory or Path Traversal Vulnerabilitycisa-kev · 2026-06-15
- unknownexploitedCisco Catalyst SD-WAN Controller, Catalyst SD-WAN Manager, and Catalyst SD-WAN Validator Authenticated Privile…cisco-psirt · 2026-06-12
More from Cisco Security Advisories
- unknownCisco Advance Notification for Publication of July 15, 2026, Security Advisories2026-07-08
- criticalCisco Identity Services Engine Remote Code Execution and Information Disclosure Vulnerabilities2026-07-06
- highCisco Catalyst Center Arbitrary File Read Vulnerability2026-07-06
- highClamAV Vulnerabilities Affecting Cisco Products: July 20262026-07-02
- highCisco Advance Notification for Publication of July 1, 2026, Security Advisories2026-07-01