Cisco SD-WAN Manager CVE-2026-20128 & CVE-2026-20122 Under Active Exploitation — Patch Immediately
Cisco confirms active exploitation of two more Catalyst SD-WAN Manager vulnerabilities. CVE-2026-20122 allows arbitrary file overwrite via API, CVE-2026-20128 leaks DCA credentials. Here's the full breakdown, exploit chain, and remediation steps.
Two More Cisco SD-WAN Flaws — Now Actively Exploited
Just days after the critical CVE-2026-20127 zero-day forced emergency patching across federal agencies, Cisco PSIRT has confirmed two additional Catalyst SD-WAN Manager vulnerabilities are under active exploitation:
- CVE-2026-20122 — Arbitrary file overwrite via API (CVSS 7.1)
- CVE-2026-20128 — DCA credential disclosure (CVSS 5.5)
These aren't remote code execution bugs on their own — but chained together or combined with stolen credentials, they give attackers privilege escalation and persistent access to your SD-WAN management plane.
Previous coverage: CVE-2026-20127: Critical Cisco SD-WAN Zero-Day Exploited Since 2023 — the CVSS 10.0 authentication bypass that started it all.
Vulnerability Summary
| Detail | CVE-2026-20122 | CVE-2026-20128 |
|--------|---------------|---------------|
| Type | Arbitrary File Overwrite | Information Disclosure |
| CVSS Score | 7.1 (High) | 5.5 (Medium) |
| Attack Vector | Network (remote) | Local |
| Authentication | Read-only API credentials | Local vManage credentials |
| Affected Component | SD-WAN Manager API | Data Collection Agent (DCA) |
| Impact | File overwrite + privilege escalation | DCA password disclosure |
| Exploitation | Confirmed in the wild | Confirmed in the wild |
How the Exploits Work
CVE-2026-20122: API File Overwrite to Privilege Escalation
An authenticated attacker with read-only API credentials can overwrite arbitrary files on the SD-WAN Manager filesystem and escalate to vmanage user privileges.
Attacker (read-only API access)
│
▼
SD-WAN Manager API ──→ Arbitrary File Overwrite
│
▼
Overwrite system files
(e.g., cron jobs, config files)
│
▼
Gain vmanage user privileges
Why this matters: Many organisations grant read-only API access broadly for monitoring integrations, dashboards, and automation scripts. Attackers who compromise any system with stored API credentials can pivot to full SD-WAN Manager control.
CVE-2026-20128: DCA Credential Leak
A low-privileged local user can read a credential file containing the Data Collection Agent (DCA) password from the filesystem.
Low-privileged shell access
│
▼
Read DCA credential file from filesystem
│
▼
Gain DCA user privileges
│
▼
Access telemetry data + potential lateral movement
Why this matters: The DCA credential can be leveraged for further privilege escalation or to access sensitive telemetry data flowing through the SD-WAN fabric.
The Exploit Chain Threat
While each vulnerability has a moderate individual severity score, the real danger is chaining:
Scenario 1: External attacker
─────────────────────────────
Stolen read-only API creds (phishing, credential reuse, exposed .env)
└── CVE-2026-20122 → Overwrite files → vmanage privileges
└── CVE-2026-20128 → Read DCA credentials
└── Lateral movement across SD-WAN fabric
Scenario 2: Combined with CVE-2026-20127
─────────────────────────────────────────
CVE-2026-20127 → Authentication bypass → Admin access
└── CVE-2026-20122 → Arbitrary file overwrite → Persistence
└── CVE-2026-20128 → Harvest DCA credentials
└── Survive even if CVE-2026-20127 is patched
Cisco has not confirmed whether the same threat actor (UAT-8616) is behind the exploitation of these flaws, but the timing strongly suggests these vulnerabilities are being chained with previously disclosed SD-WAN bugs.
Am I Affected?
You are affected if you run Cisco Catalyst SD-WAN Manager (formerly vManage) on any version prior to the patched releases.
Quick Verification
# Check SD-WAN Manager version
show version
# Check for unexpected files modified recently
find /opt/cisco/sdwan -mtime -7 -type f 2>/dev/null
# Check for unknown API sessions
show user sessions
# Verify DCA credential file permissions
ls -la /etc/viptela/dca_credentials 2>/dev/null
Check API Access Accounts
# List all users with API access
show running-config | include user|group
# Look for accounts you don't recognise
# Pay special attention to read-only accounts
# that may have been created by integrations
Immediate Remediation
Step 1: Patch Now
Cisco has released fixes. Upgrade to one of these versions based on your branch:
| Current Branch | Upgrade To |
|---------------|-----------|
| 20.9.x | 20.9.8.2 |
| 20.12.x | 20.12.6.1 |
| 20.15.x | 20.15.4.2 |
| 20.18.x | 20.18.2.1 |
# Download patch from Cisco Software Download
# Verify hash before installing
request software install <patch-filename>
# Verify after install
show version
There are no workarounds. Cisco explicitly states that upgrading is the only fix.
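To turn the upgrade table into a quick check, here is a small version classifier. This is example code added to this post, not Cisco tooling: it assumes the version string appears as a dotted number (e.g. 20.12.5) somewhere in the `show version` output, and the sample versions are constructed.

```python
"""Classify a Cisco Catalyst SD-WAN Manager version against the fixed releases
in the upgrade table above. Example code added to this post, not Cisco tooling;
the sample version strings are constructed."""
import re

# Fixed releases per branch, as listed in the table above.
FIXED_RELEASES = {
    "20.9": "20.9.8.2",
    "20.12": "20.12.6.1",
    "20.15": "20.15.4.2",
    "20.18": "20.18.2.1",
}

def parse_version(text: str) -> tuple:
    """'20.9.8.2' -> (20, 9, 8, 2); missing trailing parts count as zero,
    so 20.9.8 sorts below 20.9.8.2 instead of comparing as strings."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (4 - len(parts))

def assess(version: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown-branch'."""
    branch = ".".join(version.split(".")[:2])
    fixed = FIXED_RELEASES.get(branch)
    if fixed is None:
        # Branch not in the table: the post gives no fixed release for it,
        # so do not assume it is safe; check Cisco's advisory.
        return "unknown-branch"
    return "patched" if parse_version(version) >= parse_version(fixed) else "vulnerable"

def assess_show_version(output: str) -> str:
    """Pull the first dotted version number out of 'show version' text and
    assess it. Assumes the version appears as e.g. 20.12.5 (format assumed)."""
    m = re.search(r"\b(\d+\.\d+\.\d+(?:\.\d+)?)\b", output)
    return assess(m.group(1)) if m else "unknown-branch"

if __name__ == "__main__":
    for v in ("20.9.8", "20.9.8.2", "20.12.5"):   # constructed samples
        print(v, assess(v))
```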
Step 2: Audit API Credentials
# Rotate ALL API credentials immediately
# Even read-only accounts are dangerous with CVE-2026-20122
# 1. List all API users
show running-config | section user
# 2. Disable any unused read-only accounts
config
no user <unused-account>
commit
# 3. Rotate passwords for all remaining API accounts
# 4. Check for API tokens in:
# - Monitoring scripts
# - CI/CD pipelines
# - Automation tools (Ansible, Terraform)
# - Dashboard integrations
Step 3: Restrict API Access
# Limit API access to trusted management IPs only
# On your firewall or SD-WAN Manager ACL:
ip access-list extended SDWAN-API-RESTRICT
permit tcp 10.20.0.0 0.0.0.255 host 10.20.1.1 eq 443
permit tcp 10.20.0.0 0.0.0.255 host 10.20.1.1 eq 8443
deny tcp any host 10.20.1.1 eq 443
deny tcp any host 10.20.1.1 eq 8443
Step 4: Check for Compromise
# Look for signs of file overwrite (CVE-2026-20122)
find /opt/cisco/sdwan -newer /opt/cisco/sdwan/version -type f
# Check cron for persistence
crontab -l -u vmanage
ls -la /etc/cron.d/
# Check for unexpected listening ports (expected SD-WAN Manager ports excluded)
netstat -tlnp | grep -v -E ':(8443|830|8444|443)\s'
# Check for unexpected established (outbound) connections
netstat -tnp | grep ESTABLISHED
# Review API access logs for unusual patterns
# Large number of requests from a single read-only account
# API calls at unusual hours
# File-related API endpoints being called by read-only users
Detection Rules
SNMP Monitoring (Zabbix / LibreNMS)
If you're running SNMP-based monitoring, add these detection items:
# Monitor for configuration changes
Item: snmptrap["ciscoConfigManEvent"]
Trigger: SD-WAN Manager config changed on {HOST.NAME}
Severity: High
# Monitor for file system changes
Item: vfs.file.cksum["/opt/cisco/sdwan/dca_credentials"]
Trigger: DCA credential file modified on {HOST.NAME}
Severity: Critical
# Monitor API process
Item: proc.num["vmanage-api"]
Trigger: SD-WAN API process count changed on {HOST.NAME}
Severity: Warning
Related: SNMP Traps & Alerts Receiver Setup — configure your NMS to catch these events.
Syslog / SIEM Rules
# Alert on API authentication from new source IPs
rule "SD-WAN API New Source IP"
when
event.category == "authentication"
AND event.source == "sdwan-manager"
AND NOT source.ip IN [known_management_ips]
then
alert(severity: HIGH)
# Alert on file overwrite attempts via API
rule "SD-WAN API File Operations"
when
event.action MATCHES "file.*write|file.*overwrite|put.*file"
AND user.role == "read-only"
then
alert(severity: CRITICAL)
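The two pseudo-rules above, implemented over sample log lines so you can see exactly which events they fire on. This is example code added to this post (not a Cisco or SIEM product feature): the events are constructed JSON-lines records using the rules' own field names, and the trusted management network is an assumption taken from the Step 3 ACL.

```python
"""Run the two SIEM pseudo-rules above over sample SD-WAN Manager API events.
Example code added to this post; events are constructed JSON-lines records and
the trusted management network is an assumption taken from the Step 3 ACL."""
import ipaddress
import json
import re

# Assumed trusted management network (the 10.20.0.0/24 range from Step 3).
KNOWN_MANAGEMENT_NETS = [ipaddress.ip_network("10.20.0.0/24")]
# Pattern from the 'SD-WAN API File Operations' rule.
FILE_OP_RE = re.compile(r"file.*write|file.*overwrite|put.*file", re.IGNORECASE)

# Constructed sample events, one JSON object per line.
SAMPLE_LOG = """\
{"event.category":"authentication","event.source":"sdwan-manager","source.ip":"10.20.0.15","user.name":"netops","user.role":"admin","event.action":"login"}
{"event.category":"authentication","event.source":"sdwan-manager","source.ip":"203.0.113.9","user.name":"monitor-ro","user.role":"read-only","event.action":"login"}
{"event.category":"api","event.source":"sdwan-manager","source.ip":"203.0.113.9","user.name":"monitor-ro","user.role":"read-only","event.action":"file.overwrite"}
{"event.category":"api","event.source":"sdwan-manager","source.ip":"10.20.0.15","user.name":"netops","user.role":"admin","event.action":"file.write"}
{"event.category":"api","event.source":"sdwan-manager","source.ip":"10.20.0.15","user.name":"monitor-ro","user.role":"read-only","event.action":"get.device.list"}
"""

def is_known_ip(ip: str) -> bool:
    return any(ipaddress.ip_address(ip) in net for net in KNOWN_MANAGEMENT_NETS)

def evaluate(event: dict) -> list:
    """Return (rule name, severity) pairs that fire for one event."""
    hits = []
    if (event.get("event.category") == "authentication"
            and event.get("event.source") == "sdwan-manager"
            and not is_known_ip(event.get("source.ip", "0.0.0.0"))):
        hits.append(("SD-WAN API New Source IP", "HIGH"))
    if (FILE_OP_RE.search(event.get("event.action", ""))
            and event.get("user.role") == "read-only"):
        hits.append(("SD-WAN API File Operations", "CRITICAL"))
    return hits

def scan(log_text: str) -> list:
    """Parse JSON-lines text; return one alert dict per rule hit, in log order."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        for rule, severity in evaluate(event):
            alerts.append({"rule": rule, "severity": severity,
                           "user": event.get("user.name"), "ip": event.get("source.ip")})
    return alerts
```

Note that an admin performing a file write does not fire the second rule, exactly as the pseudo-rule is written; tighten the `user.role` condition if your deployment wants every file operation alerted.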
What Makes This Different from CVE-2026-20127
| Aspect | CVE-2026-20127 | CVE-2026-20122 + 20128 |
|--------|---------------|----------------------|
| Authentication | None required | Requires valid credentials |
| CVSS | 10.0 (Critical) | 7.1 + 5.5 |
| Attack vector | Fully remote | Remote API + Local |
| Primary risk | Complete takeover | Privilege escalation + persistence |
| Threat actor | UAT-8616 confirmed | Not yet attributed |
| CISA directive | ED 26-03 | Added to KEV catalog |
The key difference: CVE-2026-20127 was a "walk in the front door" vulnerability. These new CVEs are post-authentication privilege escalation bugs — the kind attackers use to deepen access and maintain persistence after an initial foothold.
The Bigger Picture: SD-WAN Is Under Siege
This is the third wave of actively exploited Cisco SD-WAN vulnerabilities in less than two weeks:
| Date | Vulnerability | Severity |
|------|--------------|----------|
| Feb 24 | CVE-2026-20127 (Auth Bypass) | CVSS 10.0 |
| Feb 25 | CISA Emergency Directive 26-03 | — |
| Mar 5 | CVE-2026-20122 (File Overwrite) | CVSS 7.1 |
| Mar 5 | CVE-2026-20128 (Credential Leak) | CVSS 5.5 |
The pattern is clear: attackers are systematically exploiting the SD-WAN management plane. If you haven't already, treat your SD-WAN infrastructure as a Tier 1 security priority.
Related: CISA Cisco SD-WAN Emergency Directive — the directive that started the patching scramble.
Recommended Actions Summary
- Patch immediately to 20.9.8.2, 20.12.6.1, 20.15.4.2, or 20.18.2.1
- Rotate all API credentials — especially read-only accounts
- Restrict API access to trusted management networks only
- Audit for compromise — check for file modifications, unknown cron jobs, unexpected sessions
- Enable external logging — syslog, SNMP traps, and NetFlow to your SIEM
- Review the previous CVE-2026-20127 advisory — if you were compromised before, these new flaws may have been used for persistence