
Cisco Catalyst SD-WAN active exploitation wave

Exploitation Wave
Happening score (H score): 64
2 unique sources, 2 articles

Summary


Cisco confirmed active exploitation of two recently patched Catalyst SD-WAN vulnerabilities, creating immediate risk for exposed systems that have not been fully remediated. The affected flaws are CVE-2026-20128 and CVE-2026-20122. Cisco said the attacks appear to involve chaining with other flaws, which can increase the chance of privilege escalation and deeper system compromise. The company also said it is unclear whether the exploits are part of the same campaign or separate operations.

Related Happenings

Cisco Secure Workload REST API validation/authentication flaw (CVE-2026-20223)

Vulnerability
First: 21.05.2026 15:04 Last: 21.05.2026 15:04 Sources 1

About this happening: **Cisco Secure Workload Cluster Software** was patched for **CVE-2026-20223**, a **critical** REST API flaw that could let attackers gain **Site Admin privileges** and cross tenan...

Cisco ThousandEyes and Nexus security patches

Security Patch Release
First: 21.05.2026 15:04 Last: 21.05.2026 15:04 Sources 1

About this happening: Cisco released patches for **three medium-severity vulnerabilities** affecting **ThousandEyes Virtual Appliance**, **ThousandEyes Enterprise Agent**, and **Nexus 3000/9000 switche...

CISA KEV remediation order for Cisco Catalyst SD-WAN Controller CVE-2026-20182

Public Sector Action
First: 15.05.2026 08:28 Last: 15.05.2026 08:28 Sources 1

About this happening: **CISA** added **CVE-2026-20182** to the **KEV catalog** and ordered **Federal Civilian Executive Branch agencies** to remediate **Cisco Catalyst SD-WAN Controller** by **May 17,...

Cisco Catalyst SD-WAN authentication bypass flaw actively exploited (CVE-2026-20182)

Vulnerability
First: 14.05.2026 23:09 Last: 14.05.2026 23:09 Sources 1

About this happening: **CVE-2026-20182** is an actively exploited **authentication bypass** in **Cisco Catalyst SD-WAN Controller** and **Cisco Catalyst SD-WAN Manager**, creating a path to **administr...

Latest development: 14.05.2026 23:25

Cisco released a patch for CVE-2026-20182, giving organizations using Cisco Catalyst SD-WAN Controllers a way to block the authentication bypass before UAT-8616 can continue using it for administrative access, SSH key insertion, NETCONF changes, and root escalation.

Cisco security patch release for CVE-2026-20182

Security Patch Release
First: 14.05.2026 20:45 Last: 14.05.2026 20:45 Sources 1

About this happening: Cisco released **updates** for **CVE-2026-20182**, a **maximum-severity authentication bypass** in **Catalyst SD-WAN Controller/Manager**, after the flaw was **exploited in limite...

Timeline

  1. 05.03.2026 14:15 1 article · 2mo ago

    Cisco publishes Catalyst SD-WAN patches for five flaws

    Mitigation Patch Update

    Cisco made patches available for five Catalyst SD-WAN flaws, including issues that could let an attacker access vulnerable systems and elevate privileges to root. The patched set included CVE-2026-20128 in the Data Collection Agent (DCA) feature of Catalyst SD-WAN Manager and CVE-2026-20122 in the manager API.

  2. 05.03.2026 14:15 2 articles · 2mo ago

    Cisco confirms active exploitation of two Catalyst SD-WAN vulnerabilities

    Campaign Scope Update

    Cisco updated its advisory to say it had become aware of active exploitation of CVE-2026-20128 in the Data Collection Agent (DCA) feature of Catalyst SD-WAN Manager and CVE-2026-20122 in the manager API. Cisco said the attacks appear to have been chained with other flaws, but it did not share attack details.
