Cisco Catalyst SD-WAN active exploitation wave
Exploitation Wave
Summary
Hide ▲
Show ▼
Cisco confirmed active exploitation of two recently patched Catalyst SD-WAN vulnerabilities, creating immediate risk for exposed systems that have not been fully remediated. The affected flaws are CVE-2026-20128 and CVE-2026-20122. Cisco said the attacks appear to involve chaining with other flaws, which can increase the chance of privilege escalation and deeper system compromise. The company also said it is unclear whether the exploits are part of the same campaign or separate operations.
Cases
Related Happenings
Cisco Catalyst SD-WAN unauthorized peering and SSH access campaign
Campaign
H score38
First: 25.06.2026 17:15
Last: 25.06.2026 17:15
Sources 1
About this happening:
An active **campaign** used **unauthorized peering connections** and **SSH access** to maintain footholds inside a **service provider's Cisco Catalyst SD-WAN** environment, increa...
Cisco Catalyst SD-WAN unauthorized peering and SSH access campaign
CampaignAbout this happening: An active **campaign** used **unauthorized peering connections** and **SSH access** to maintain footholds inside a **service provider's Cisco Catalyst SD-WAN** environment, increa...
CISA adds CVE-2026-20262 to KEV and orders federal fixes
Public Sector Action
H score32
First: 16.06.2026 09:05
Last: 16.06.2026 09:05
Sources 1
About this happening:
**CISA** added **CVE-2026-20262** to its **Known Exploited Vulnerabilities (KEV) catalog** and required **Federal Civilian Executive Branch (FCEB)** agencies to apply Cisco's fixe...
CISA adds CVE-2026-20262 to KEV and orders federal fixes
Public Sector ActionAbout this happening: **CISA** added **CVE-2026-20262** to its **Known Exploited Vulnerabilities (KEV) catalog** and required **Federal Civilian Executive Branch (FCEB)** agencies to apply Cisco's fixe...
Cisco Catalyst SD-WAN Manager actively exploited file upload overwrite flaw (CVE-2026-20262)
Vulnerability
H score24
First: 15.06.2026 20:12
Last: 15.06.2026 20:12
Sources 1
About this happening:
**Cisco Catalyst SD-WAN Manager** was patched for **CVE-2026-20262** after attackers used it to **create or overwrite files** and **escalate to root** across **all deployment type...
Cisco Catalyst SD-WAN Manager actively exploited file upload overwrite flaw (CVE-2026-20262)
VulnerabilityAbout this happening: **Cisco Catalyst SD-WAN Manager** was patched for **CVE-2026-20262** after attackers used it to **create or overwrite files** and **escalate to root** across **all deployment type...
Cisco security patch release for CVE-2026-20262
Security Patch Release
H score47
First: 15.06.2026 20:12
Last: 15.06.2026 20:12
Sources 1
About this happening:
**Cisco** released **security updates** for **CVE-2026-20262** in **Catalyst SD-WAN Manager**, covering multiple release trains after the zero-day was exploited to reach **root pr...
Cisco security patch release for CVE-2026-20262
Security Patch ReleaseAbout this happening: **Cisco** released **security updates** for **CVE-2026-20262** in **Catalyst SD-WAN Manager**, covering multiple release trains after the zero-day was exploited to reach **root pr...
Cisco Catalyst SD-WAN Manager root privilege escalation flaw (CVE-2026-20245)
Vulnerability
H score60
First: 05.06.2026 09:24
Last: 05.06.2026 09:24
Sources 1
About this happening:
**CVE-2026-20245** in **Cisco Catalyst SD-WAN Manager** is an **actively exploited** **high-severity** vulnerability that can let an **authenticated local attacker** with **netadm...
Cisco Catalyst SD-WAN Manager root privilege escalation flaw (CVE-2026-20245)
VulnerabilityAbout this happening: **CVE-2026-20245** in **Cisco Catalyst SD-WAN Manager** is an **actively exploited** **high-severity** vulnerability that can let an **authenticated local attacker** with **netadm...
Latest development: 06.06.2026 07:19
Cisco warned that CVE-2026-20245 in Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, is under active exploitation and can let an authenticated local attacker with netadmin privileges upload a crafted file to execute arbitrary commands as root. Cisco said the flaw affects On-Prem Deployment, Cisco SD-WAN Cloud-Pro, Cisco SD-WAN Cloud (Cisco Managed), and Cisco SD-WAN for Government (FedRAMP), that limited exploitation has already resulted in configuration changes pushed to edge devices, and that no patches or mitigations are currently available. Cisco also advised checking /var/log/scripts.log for indicators of compromise and credited Google Mandiant researchers Chester Sng, Pete Boonyakarn, and Logeswaran Nadarajan with discovering and reporting the issue.
Timeline
-
05.03.2026 14:15 1 articles · 4mo ago
Cisco publishes Catalyst SD-WAN patches for five flaws
Mitigation Patch UpdateCisco made patches available for five Catalyst SD-WAN flaws, including issues that could let an attacker access vulnerable systems and elevate privileges to root. The patched set included CVE-2026-20128 in the Data Collection Agent (DCA) feature of Catalyst SD-WAN Manager and CVE-2026-20122 in the manager API.
Show sources
- Cisco Warns of More Catalyst SD-WAN Flaws Exploited in the Wild — www.securityweek.com — 05.03.2026 14:15
-
05.03.2026 14:15 2 articles · 4mo ago
Cisco confirms active exploitation of two Catalyst SD-WAN vulnerabilities
Campaign Scope UpdateCisco updated its advisory to say it had become aware of active exploitation of CVE-2026-20128 in the Data Collection Agent (DCA) feature of Catalyst SD-WAN Manager and CVE-2026-20122 in the manager API. Cisco said the attacks appear to have been chained with other flaws, but it did not share attack details.
Show sources
- Cisco Warns of More Catalyst SD-WAN Flaws Exploited in the Wild — www.securityweek.com — 05.03.2026 14:15
- Cisco Confirms Active Exploitation of Two Catalyst SD-WAN Manager Vulnerabilities — thehackernews.com — 05.03.2026 17:22