More Cisco SD-WAN bugs battered in attacks
(2026/04/21)
- Reference: 1776792650
- News link: https://www.theregister.co.uk/2026/04/21/cisco_sdwan_bugs_kev/
America's lead cyber-defense agency has warned that three Cisco Catalyst SD-WAN Manager bugs are under attack, and given federal agencies just four days to patch the security holes.
The US Cybersecurity and Infrastructure Security Agency (CISA) [1]added all three to its [2]Known Exploited Vulnerabilities Catalog on Monday, joining at least two other Cisco SD-WAN CVEs on the list, and set a Thursday deadline for federal agencies to fix them.
Cisco's Catalyst SD-WAN Manager platform, formerly known as vManage, sits at the center of many organizations' SD-WAN deployments and can manage up to 6,000 edge devices in a cluster.
The first flaw, [4]CVE-2026-20128, is an information disclosure vulnerability in the data collection agent (DCA) feature of Cisco Catalyst SD-WAN Manager that allows unauthenticated, remote attackers to gain DCA user privileges on an affected system.
[6]CVE-2026-20133 is another information disclosure bug that allows unauthenticated, remote attackers to view sensitive information on affected systems.
And finally, [7]CVE-2026-20122 is an arbitrary file overwrite flaw that could let an authenticated remote attacker with valid read-only API credentials upload a malicious file, overwrite arbitrary local files, and gain vManage user privileges.
[12]Cisco patched all three CVEs in late February, and in March [13]warned of attackers abusing two of the three. "In March 2026, the Cisco PSIRT became aware of active exploitation of the vulnerabilities that are described in CVE-2026-20128 and CVE-2026-20122 only."
At press time, the networking vendor's advisory still doesn't list CVE-2026-20133 as being under active exploitation. Cisco didn't immediately respond to The Register's questions, including the scope of attacks and what miscreants are doing with this illicit access.
[1] https://www.cisa.gov/news-events/alerts/2026/04/20/cisa-adds-eight-known-exploited-vulnerabilities-catalog
[2] https://www.cisa.gov/known-exploited-vulnerabilities-catalog
[4] https://www.cve.org/CVERecord?id=CVE-2026-20128
[6] https://www.cve.org/CVERecord?id=CVE-2026-20133
[7] https://www.cve.org/CVERecord?id=CVE-2026-20122
[8] https://www.theregister.com/2026/03/06/cisco_sdwan_bugs/
[9] https://www.theregister.com/2026/02/26/five_eyes_cisco_sdwan/
[10] https://www.theregister.com/2026/04/20/microsoft_releases_a_windows_server_update_fix/
[11] https://www.theregister.com/2026/04/20/lovable_denies_data_leak/
[12] https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-authbp-qwCX8D4v#
[13] https://www.theregister.com/2026/03/06/cisco_sdwan_bugs/