America’s lead cyber-defense agency has warned that three Cisco Catalyst SD-WAN Manager bugs are under attack, and given federal agencies just four days to patch the security holes.
The US Cybersecurity and Infrastructure Security Agency (CISA) added all three to its Known Exploited Vulnerabilities Catalog on Monday, joining at least two other Cisco SD-WAN CVEs on the list, and set a Thursday deadline for federal agencies to fix them.
Cisco’s Catalyst SD-WAN Manager platform, formerly known as vManage, sits at the center of many organizations’ SD-WAN deployments and can manage up to 6,000 edge devices in a cluster.
The first flaw, CVE-2026-20128, is an information disclosure vulnerability in the data collection agent (DCA) feature of Cisco Catalyst SD-WAN Manager that allows unauthenticated, remote attackers to gain DCA user privileges on an affected system.
CVE-2026-20133 is another information disclosure bug that allows unauthenticated, remote attackers to view sensitive information on affected systems.
And finally, CVE-2026-20122 is an arbitrary file overwrite flaw that could let an authenticated remote attacker with valid read-only API credentials upload a malicious file, overwrite arbitrary local files, and gain vManage user privileges.
Cisco patched all three CVEs in late February, and in March warned of attackers abusing two of the three. “In March 2026, the Cisco PSIRT became aware of active exploitation of the vulnerabilities that are described in CVE-2026-20128 and CVE-2026-20122 only.”
At press time, the networking vendor’s advisory still doesn’t list CVE-2026-20133 as being under active exploitation. Cisco didn’t immediately respond to The Register’s questions, including the scope of attacks and what miscreants are doing with this illicit access.