
"CVE-2026-20128 is an information disclosure issue affecting the Data Collection Agent (DCA) feature of Catalyst SD-WAN Manager, allowing an authenticated, local attacker to gain DCA user privileges on the targeted system. CVE-2026-20122 is an arbitrary file overwrite bug affecting the API of the Catalyst SD-WAN Manager. It allows a remote, authenticated attacker to overwrite arbitrary files on the system and gain elevated privileges."
"CISA and other cybersecurity agencies reported that CVE-2026-20127 has been chained with an older Catalyst vulnerability, CVE-2022-20775, to bypass authentication, escalate privileges, and establish persistence on the targeted system. Cisco Talos linked those attacks to UAT-8616, a highly sophisticated threat actor that has been active since at least 2023."
"Cisco has not shared any details on the attacks exploiting these vulnerabilities, but its description indicates they have been chained with other flaws. The company's announcement comes roughly a week after it warned customers that a critical zero-day vulnerability affecting Catalyst SD-WAN has been exploited in the wild."
Cisco patched five Catalyst SD-WAN vulnerabilities on February 25, including critical and high-severity flaws. Two of them are now being actively exploited: CVE-2026-20128, an information disclosure issue in the Data Collection Agent (DCA) of Catalyst SD-WAN Manager that lets an authenticated local attacker gain DCA user privileges, and CVE-2026-20122, an arbitrary file overwrite bug in the Catalyst SD-WAN Manager API that lets a remote authenticated attacker overwrite files on the system and escalate privileges. Both require an attacker who is already authenticated, which is consistent with Cisco's indication that the flaws have been chained with other vulnerabilities, although Cisco has not shared details of the attacks. The disclosure comes roughly a week after Cisco warned of a separate critical zero-day, CVE-2026-20127, which enables remote authentication bypass and acquisition of admin privileges. CISA and other agencies reported that CVE-2026-20127 has been chained with the older CVE-2022-20775 to bypass authentication, escalate privileges and establish persistence, and Cisco Talos attributed those attacks to UAT-8616, a sophisticated threat actor active since at least 2023.
#catalyst-sd-wan-vulnerabilities #active-exploitation #privilege-escalation #authentication-bypass #threat-actor-uat-8616
Read at SecurityWeek