Cisco just expanded the list of actively exploited Catalyst SD-WAN vulnerabilities — and if you haven’t patched yet, you’re running out of time. On March 5, 2026, Cisco updated its advisory to confirm that CVE-2026-20128 and CVE-2026-20122 are now being exploited in the wild, bringing the total number of actively exploited SD-WAN flaws to three in just eight days. Combined with the critical CVE-2026-20127 zero-day disclosed on February 25, this represents a sustained campaign against SD-WAN infrastructure that every network engineer needs to take seriously.
Key Takeaway: Three Cisco Catalyst SD-WAN vulnerabilities are now confirmed exploited in the wild, with attackers chaining flaws to achieve full root access. Patch to fixed releases immediately — there are zero workarounds.
What Happened? The Timeline of Cisco SD-WAN Exploitation
The situation has escalated rapidly:
- February 25, 2026: Cisco releases patches for five Catalyst SD-WAN Manager vulnerabilities in a single advisory (cisco-sa-sdwan-authbp-qwCX8D4v). The same day, Cisco discloses that CVE-2026-20127 (CVSS 10.0) is already being actively exploited as a zero-day.
- February 25, 2026: CISA issues Emergency Directive ED 26-03 ordering federal agencies to patch immediately.
- March 5, 2026: Cisco updates the advisory — CVE-2026-20128 and CVE-2026-20122 are now also confirmed exploited in the wild.
This isn’t a theoretical risk. According to Cisco Talos, the threat actor UAT-8616 has been exploiting SD-WAN infrastructure since at least 2023, chaining multiple vulnerabilities to bypass authentication, escalate privileges, and establish persistence.
All Five Cisco Catalyst SD-WAN Vulnerabilities Explained
Here is the breakdown of the five CVEs in the advisory, ranked by CVSS score. CVE-2026-20127, the zero-day disclosed the same day, is covered separately below:
| CVE | Severity | CVSS | Description | Exploited? |
|---|---|---|---|---|
| CVE-2026-20129 | Critical | 9.8 | API authentication bypass → netadmin access | Not yet confirmed |
| CVE-2026-20126 | High | 7.8 | REST API privilege escalation → root | Not yet confirmed |
| CVE-2026-20133 | High | 7.5 | Information disclosure via filesystem access | Not yet confirmed |
| CVE-2026-20122 | High | 7.1 | Arbitrary file overwrite via API → vmanage privileges | Yes — Active |
| CVE-2026-20128 | Medium | 5.5 | DCA credential exposure → lateral movement | Yes — Active |
Notice something interesting: the two flaws confirmed as exploited aren’t the highest-severity ones in the table. CVE-2026-20128 is only rated Medium (5.5), and CVE-2026-20122 is High (7.1). But severity scores don’t tell the full story: attackers chain vulnerabilities, and a Medium-rated credential leak becomes devastating once it enables lateral movement to other SD-WAN Manager nodes.
How the Attack Chain Works
Based on reporting from Cisco Talos, SecurityWeek, and CISA, here’s what the attack chain looks like:
The CVE-2026-20127 Chain (Confirmed Since 2023)
1. Identify internet-exposed SD-WAN Manager/Controller
2. Exploit CVE-2026-20127 (auth bypass, CVSS 10.0)
→ Gain admin access via crafted API requests
3. Chain with CVE-2022-20775 (older CLI privilege escalation)
→ Escalate from admin to root
4. Modify system scripts for persistence
5. Monitor and manipulate SD-WAN fabric traffic
The Newer Exploitation Chain (March 2026)
1. Exploit CVE-2026-20128 (DCA credential exposure)
→ Read DCA password from local filesystem
2. Use DCA credentials to access other SD-WAN Manager nodes
3. Exploit CVE-2026-20122 (arbitrary file overwrite)
→ Upload malicious files, gain vmanage user privileges
4. Potentially chain with CVE-2026-20126 (privesc to root)
The takeaway: attackers aren’t exploiting single flaws. They’re building kill chains that combine credential harvesting, lateral movement, file manipulation, and privilege escalation. This is exactly why patching all five CVEs matters — not just the critical one.
Who Is UAT-8616?
Cisco Talos tracks the threat actor behind the CVE-2026-20127 exploitation as UAT-8616. Key details:
- Active since at least 2023 — this zero-day was exploited for approximately three years before disclosure
- Highly sophisticated, per Talos’s high-confidence assessment of the actor
- Targets SD-WAN control planes — specifically internet-exposed vManage and vSmart instances
- Persistence-focused — modifies system scripts, downgrades software to re-introduce vulnerabilities
- Activity first reported by the Australian Signals Directorate’s ACSC, suggesting targeting beyond any single country
According to Dark Reading, UAT-8616 exploited the zero-day to gain initial access, then downgraded compromised devices’ software to exploit additional known vulnerabilities — a technique that underscores the importance of software integrity monitoring.
It’s still unclear whether the March 5 exploitation of CVE-2026-20128 and CVE-2026-20122 is attributed to the same actor or represents a different campaign leveraging newly disclosed vulnerabilities.
What You Need to Do Right Now
Step 1: Identify Your Exposure
Check your Catalyst SD-WAN Manager version:
```
vmanage# show version
```
Anything earlier than the fixed release for your train (see the table in Step 2) is affected. Releases 20.18 and later are not affected by CVE-2026-20128 or CVE-2026-20129, but remain affected by the other three flaws until you reach 20.18.2.1.
Step 2: Patch to Fixed Releases
| Current Release | Upgrade To |
|---|---|
| Earlier than 20.9 | Migrate to a supported, fixed release |
| 20.9.x | 20.9.8.2 |
| 20.12.5 / 20.12.6 | 20.12.5.3 or 20.12.6.1 |
| 20.13 / 20.14 / 20.15 | 20.15.4.2 |
| 20.16 / 20.18 | 20.18.2.1 |
Use the Cisco Catalyst SD-WAN Upgrade Matrix to plan your upgrade path.
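As an added example (not Cisco tooling and not from the advisory), the script below encodes the upgrade table and the 20.18 note from Step 1 and maps a running release to the one it should move to, along with the CVEs still in scope for that train. The `show version` output it parses is a constructed sample; the only assumption about the CLI is that the release appears somewhere in the output as a dotted 20.x.y string.

```python
"""Map a running Catalyst SD-WAN Manager release to the fixed release it
should move to. Added example: the table below is transcribed from the
upgrade table on this page; the handling of `show version` output is an
assumption (only that a dotted 20.x.y release string appears in it)."""
import re
from typing import Optional

# (train prefix, fixed release) pairs from the page's upgrade table.
# Longer prefixes come first so 20.12.5.x and 20.12.6.x match their own rows.
FIXED_RELEASES = [
    ((20, 12, 5), (20, 12, 5, 3)),
    ((20, 12, 6), (20, 12, 6, 1)),
    ((20, 9),     (20, 9, 8, 2)),
    ((20, 13),    (20, 15, 4, 2)),
    ((20, 14),    (20, 15, 4, 2)),
    ((20, 15),    (20, 15, 4, 2)),
    ((20, 16),    (20, 18, 2, 1)),
    ((20, 18),    (20, 18, 2, 1)),
]

ALL_CVES = {"CVE-2026-20122", "CVE-2026-20126", "CVE-2026-20128",
            "CVE-2026-20129", "CVE-2026-20133"}
# The page states that 20.18 and later are not affected by these two.
NOT_IN_20_18 = {"CVE-2026-20128", "CVE-2026-20129"}

# Constructed sample; not a real capture of the vManage CLI.
SAMPLE_SHOW_VERSION = "vmanage# show version\n20.12.5\nvmanage#\n"


def parse_version(text: str) -> Optional[tuple]:
    """Return the first dotted 20.x[.y[.z[.w]]] release in CLI output as an int tuple."""
    m = re.search(r"\b(20(?:\.\d+){1,4})\b", text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def fmt(version: tuple) -> str:
    return ".".join(str(p) for p in version)


def assess(version: tuple) -> dict:
    """Classify a release as fixed, vulnerable, or outside the page's table.

    Tuple comparison handles mixed lengths correctly: (20, 12, 5) sorts
    below (20, 12, 5, 3), so a bare 20.12.5 is reported as vulnerable."""
    if version < (20, 9):
        return {"status": "vulnerable", "fixed": None,
                "action": "migrate to a supported, fixed release",
                "cves": sorted(ALL_CVES)}
    for prefix, fixed in FIXED_RELEASES:
        if version[:len(prefix)] != prefix:
            continue
        if version >= fixed:
            return {"status": "fixed", "fixed": fmt(fixed), "action": "none", "cves": []}
        in_scope = ALL_CVES - NOT_IN_20_18 if version >= (20, 18) else ALL_CVES
        return {"status": "vulnerable", "fixed": fmt(fixed),
                "action": f"upgrade to {fmt(fixed)}", "cves": sorted(in_scope)}
    return {"status": "unknown", "fixed": None,
            "action": "train not in this table; check the Cisco advisory",
            "cves": []}


def check(show_version_output: str) -> dict:
    """Parse CLI output and assess it in one step."""
    version = parse_version(show_version_output)
    if version is None:
        return {"status": "unknown", "fixed": None,
                "action": "no release string found in output", "cves": []}
    result = assess(version)
    result["running"] = fmt(version)
    return result


if __name__ == "__main__":
    for sample in (SAMPLE_SHOW_VERSION, "20.9.7", "20.14.2", "20.18.1", "20.18.2.1", "20.12.4"):
        print(check(sample))
```

Trains the page's table does not list (for example 20.12.x other than .5 and .6, or 20.10, 20.11 and 20.17) come back as "unknown" on purpose rather than being guessed; confirm those against the advisory itself.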
Step 3: Harden While You Patch
Hardening recommendations, drawn from the advisory and from Talos’s reporting on this campaign:
- Block internet access to SD-WAN Manager and Controller — if they must be internet-facing, restrict to known, trusted IPs
- Disable HTTP for the vManage web UI — use HTTPS only
- Deploy behind a firewall with filtered access to control plane ports
- Send logs to an external SIEM — attackers in these campaigns modified system scripts, making local logs unreliable
- Change default admin passwords and create role-based user accounts
- Monitor for software downgrades — UAT-8616 was observed downgrading device software to re-introduce patched vulnerabilities
Step 4: Check for Compromise
If your SD-WAN Manager was internet-exposed at any point, assume potential compromise and:
- Audit API access logs for unusual authentication patterns
- Check for unexpected user accounts or privilege changes
- Verify system script integrity against known-good baselines
- Look for unauthorized configuration changes in the SD-WAN fabric
- Review DCA feature logs for credential access patterns
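Two of these checks as runnable example code, added here and not from Cisco or the advisory: a SHA-256 baseline diff for the "system script integrity" item, and a scan of a version-change history for the downgrade behaviour attributed to UAT-8616 above. The script directory, file contents and version history are constructed for the demonstration; where you take the baseline from, and how you export release history from your appliance, depends on your environment.

```python
"""Two of the compromise checks above as runnable example code (added here,
not Cisco's): a SHA-256 baseline diff for script directories, and a scan of
a version-change history for software downgrades. All paths, file contents
and the history format are constructed for the demo."""
import hashlib
import tempfile
from pathlib import Path


def build_baseline(root: str) -> dict:
    """Map every file under root (path relative to root) to its SHA-256 hex digest.
    Take this on a known-good system and store it off-box: a baseline kept on
    a compromised appliance can be edited along with the scripts it covers."""
    base = Path(root)
    return {p.relative_to(base).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(base.rglob("*")) if p.is_file()}


def diff_baseline(baseline: dict, root: str) -> dict:
    """Compare the tree under root against a stored baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def detect_downgrades(history: list) -> list:
    """history: (timestamp, release) pairs in chronological order, e.g. from
    your own change records. Returns every step where the release went
    backwards; an unplanned downgrade is a re-exposure signal, not routine ops."""
    def key(release: str) -> tuple:
        return tuple(int(p) for p in release.split("."))
    events = []
    for (_, prev), (when, cur) in zip(history, history[1:]):
        if key(cur) < key(prev):
            events.append({"when": when, "from": prev, "to": cur})
    return events


def demo() -> dict:
    """Build a throwaway script directory, baseline it, tamper with it, diff it,
    then scan a constructed version history. Nothing here touches a real appliance."""
    with tempfile.TemporaryDirectory() as root:
        scripts = Path(root) / "scripts"
        scripts.mkdir()
        (scripts / "startup.sh").write_text("#!/bin/sh\nexec /opt/app/start\n")
        (scripts / "rotate-logs.sh").write_text("#!/bin/sh\nlogrotate /etc/logrotate.conf\n")
        baseline = build_baseline(root)
        # Simulated tampering: one script edited, one dropped in, one removed.
        (scripts / "startup.sh").write_text("#!/bin/sh\n# tampered\nexec /opt/app/start\n")
        (scripts / "helper.sh").write_text("#!/bin/sh\n")
        (scripts / "rotate-logs.sh").unlink()
        result = diff_baseline(baseline, root)
    # Constructed history: patched on Feb 26, then rolled back a few days later.
    history = [("2026-02-26T02:00Z", "20.12.5.3"),
               ("2026-03-01T04:10Z", "20.12.5.3"),
               ("2026-03-02T23:47Z", "20.12.5")]
    result["downgrades"] = detect_downgrades(history)
    return result


if __name__ == "__main__":
    print(demo())
```

The downgrade check relies on the same point made in the hardening list: if the appliance itself is the only record of what release it ran last week, an attacker who rolled it back can also rewrite that record, so feed the history from your change-management system or SIEM rather than from the device.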
Why This Matters Beyond the Patch: SD-WAN Is Now a Prime Target
This isn’t an isolated event. SD-WAN control planes have become a high-value target for sophisticated threat actors, and the trend is accelerating:
- Google’s GTIG reported 90 zero-day vulnerabilities exploited in 2025, with half targeting enterprise infrastructure — SD-WAN fits squarely in this trend
- CISA’s Emergency Directive ED 26-03 specifically targets Cisco SD-WAN, signaling federal-level concern about infrastructure compromise
- The same Feb 25 patch cycle also addressed 48 vulnerabilities across Cisco ASA, FMC, and FTD products — Cisco’s security product line is under sustained pressure
The control plane is the crown jewel. An attacker who compromises vManage or vSmart doesn’t just own one device — they can manipulate routing policy, traffic steering, and security policies across the entire SD-WAN fabric. That’s why these exploits are so dangerous and why nation-state actors invest years developing them.
The CCIE Security Angle: What This Teaches About Control Plane Security
For engineers preparing for the CCIE Security v6.1 lab, these real-world attacks illustrate critical concepts:
Authentication mechanism security — CVE-2026-20127 and CVE-2026-20129 both exploit flawed authentication in API and peering mechanisms. The CCIE lab tests your understanding of how authentication should work and how to detect when it’s broken.
Vulnerability chaining — Attackers don’t use single exploits. They chain low-severity credential leaks (CVE-2026-20128) with file manipulation (CVE-2026-20122) and privilege escalation. The lab expects you to think in attack chains, not individual vulnerabilities.
Control plane hardening — Restricting management access, disabling unnecessary services, implementing RBAC — these are both real-world necessities and lab exam expectations.
SD-WAN architecture security — Understanding the relationship between vManage, vSmart, vBond, and vEdge components is essential for both securing production networks and answering CCIE blueprint questions.
If you’re studying for CCIE Security, use this incident as a case study. Map each CVE to the control it should have prevented. That’s the kind of deep thinking that separates CCIE candidates from everyone else.
For more on the original zero-day and its implications, see our detailed breakdown: Cisco SD-WAN Zero-Day CVE-2026-20127: What CCIE Candidates Need to Know.
Frequently Asked Questions
Which Cisco SD-WAN vulnerabilities are being actively exploited in March 2026?
As of March 5, 2026, Cisco confirms three SD-WAN CVEs are actively exploited: CVE-2026-20127 (CVSS 10.0, authentication bypass zero-day), CVE-2026-20128 (CVSS 5.5, DCA credential exposure), and CVE-2026-20122 (CVSS 7.1, arbitrary file overwrite). Attackers are chaining these flaws to achieve full system compromise.
What is the UAT-8616 threat actor targeting Cisco SD-WAN?
UAT-8616 is a highly sophisticated threat actor tracked by Cisco Talos that has been exploiting Cisco SD-WAN infrastructure since at least 2023. They chain multiple vulnerabilities to bypass authentication, escalate to root, and establish persistent access to SD-WAN control planes. The Australian Signals Directorate originally reported their activity.
How do I patch Cisco Catalyst SD-WAN Manager for these vulnerabilities?
Upgrade to fixed releases: 20.9.8.2, 20.12.5.3 or 20.12.6.1, 20.15.4.2, or 20.18.2.1 depending on your current version. Releases 20.18 and later are not affected by CVE-2026-20128 and CVE-2026-20129. There are no workarounds — patching is the only complete fix.
Are there workarounds for these Cisco SD-WAN vulnerabilities?
No. Cisco explicitly states there are no workarounds that address any of the five vulnerabilities. The only mitigation is upgrading to a fixed software release. You can reduce exposure by restricting network access to the SD-WAN Manager and Controller while planning your upgrade.
Is Cisco SD-WAN covered on the CCIE Security lab exam?
SD-WAN security concepts are increasingly relevant to the CCIE Security v6.1 blueprint, especially around control plane security, authentication mechanisms, and vulnerability management. Understanding real-world attack chains like these directly strengthens both operational skills and exam readiness.
The SD-WAN threat landscape is evolving fast. If you’re a network engineer responsible for Cisco SD-WAN infrastructure, patch today — not next maintenance window.
Ready to fast-track your CCIE journey? Contact us on Telegram @phil66xx for a free assessment.