~/home/news/cisco-catalyst-sd-wan-flaws-2026-03-06

Cisco Catalyst SD-WAN Flaws CVE-2026-20128 & CVE-2026-20122 Exploited in the Wild

Cisco reports active exploitation of two critical Catalyst SD-WAN bugs: an information disclosure (CVE-2026-20128) and an arbitrary file overwrite (CVE-2026-20122). Attackers chain them with the older privilege-escalation flaw CVE-2022-20775 to reach root and persist. Cisco Talos attributes the campaign to the threat actor UAT-8616.

Overview/Introduction

On March 5, 2026 Cisco updated its advisory to warn that two recently patched vulnerabilities in the Catalyst SD-WAN suite are already being exploited in the wild. The flaws, CVE-2026-20128 and CVE-2026-20122, are rated critical and affect the Catalyst SD-WAN Manager and its Data Collection Agent (DCA). What makes the situation especially alarming is that the attackers chain these bugs with the older CVE-2022-20775, a known privilege-escalation flaw in Cisco SD-WAN software, to reach root and establish long-term persistence.

Security researchers at Cisco Talos have linked the activity to the sophisticated, China-linked group designated UAT-8616, which has been active since at least 2023 and is known for targeted attacks against high-value networking infrastructure.

Technical Details

The two CVEs differ in their attack surface but complement each other when combined with CVE-2022-20775:

  • CVE-2026-20128 - Information Disclosure
    • Affects the Data Collection Agent component of Catalyst SD-WAN Manager.
    • Exploitable by an authenticated local user; improper access controls let that user read privileged configuration files and internal state, effectively acting with the privileges of the DCA user.
    • Impact: reconnaissance, credential harvesting, and staging for further privilege escalation.
  • CVE-2026-20122 - Arbitrary File Overwrite
    • Affects the REST API that Catalyst SD-WAN Manager exposes for configuration and orchestration.
    • An authenticated remote attacker can supply a crafted path to the fileUpload endpoint, causing the Manager to write attacker-controlled content to any file the Manager process has write access to, startup scripts and the Manager's own modules included.
    • Overwritten files can be used to drop a web shell, tamper with sudoers entries, or plant a persistent backdoor.
    • Impact: a direct path to code execution on the Manager and, combined with a privilege escalation, to root.
  • CVE-2022-20775 - Privilege Escalation
    • An older flaw, patched by Cisco in 2022, that lets an authenticated local attacker on Cisco SD-WAN software elevate to root.
    • When chained, it turns the foothold obtained through CVE-2026-20128 or CVE-2026-20122 into full root control of the Manager; no new zero-day is needed for the final step.

In practice, the chain Talos describes follows this pattern:

1. From an authenticated foothold on the Manager, use CVE-2026-20128 to read configuration and harvest credentials with DCA-user privileges.
2. Leverage CVE-2026-20122 to overwrite a file the Manager process can write, such as /etc/rc.d/init.d/sdwan or one of the Manager's Python modules, with attacker-controlled content.
3. Exploit CVE-2022-20775 to escalate from that foothold to root.
4. Plant a persistent reverse shell or cron job so the access survives reboots and service restarts.

None of these steps depends on an unpatched zero-day: Cisco has shipped fixes for all three CVEs, so the chain only works against Managers that are behind on patches, which is exactly what makes it cheap to automate at scale.
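As an added illustration (not code from Cisco, Talos, or the original article), the following Python script scans web-server access logs of the kind an SD-WAN Manager front end produces and flags fileUpload requests whose file name would escape the intended upload directory. The log format, the /dataservice prefix on the endpoint, the fileName parameter name, and the sample log lines are all constructed assumptions for this example; the article does not publish the actual request shape used against CVE-2026-20122, so treat the matching logic as a generic traversal detector rather than a signature.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines. Assumed format:
#   ip user [timestamp] "METHOD url" status
# The /dataservice prefix and the fileName parameter are assumptions, not Cisco's documented API.
SAMPLE_LOG = """\
10.10.5.21 admin [05/Mar/2026:10:01:12 +0000] "POST /dataservice/fileUpload?fileName=report.csv" 200
10.10.5.21 admin [05/Mar/2026:10:02:40 +0000] "POST /dataservice/fileUpload?fileName=..%2F..%2F..%2Fetc%2Fcron.d%2Fupdate" 200
198.51.100.7 dca [05/Mar/2026:10:03:03 +0000] "POST /dataservice/fileUpload?fileName=/etc/rc.d/init.d/sdwan" 200
10.10.5.22 admin [05/Mar/2026:10:04:55 +0000] "GET /dataservice/device/monitor" 200
198.51.100.7 dca [05/Mar/2026:10:05:17 +0000] "POST /dataservice/fileUpload?fileName=%2e%2e%5c%2e%2e%5cetc%5cpasswd" 200
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+)" (?P<status>\d{3})'
)


def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so double-encoded sequences (e.g. %252e) are not missed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_suspicious_path(raw):
    """True if a user-supplied file name could leave the upload directory.

    Deliberately aggressive: any '..' segment, absolute path, backslash
    separator or embedded NUL is treated as hostile, so a benign but odd
    name like 'foo/../bar' is flagged too.
    """
    path = decode_fully(raw).replace("\\", "/")
    if "\x00" in path:
        return True
    if path.startswith("/"):
        return True
    return any(segment == ".." for segment in path.split("/"))


def scan_log(text):
    """Return one hit per fileUpload request whose fileName looks like traversal."""
    hits = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue
        url = urlsplit(match["url"])
        if not url.path.endswith("/fileUpload"):
            continue
        # parse_qs already decodes one layer; is_suspicious_path decodes any further layers.
        params = parse_qs(url.query, keep_blank_values=True)
        for name in params.get("fileName", []):
            if is_suspicious_path(name):
                hits.append({
                    "ip": match["ip"],
                    "user": match["user"],
                    "ts": match["ts"],
                    "fileName": decode_fully(name).replace("\\", "/"),
                })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} user={hit["user"]} suspicious fileName={hit["fileName"]}')
```

On the constructed sample the script flags the three requests that carry a traversal sequence, a backslash-encoded traversal, or an absolute path, and ignores the legitimate upload and the unrelated monitoring call. In a real deployment the same check belongs as close to the Manager as possible (a reverse proxy or the SIEM parser), and any hit from an account that should never call fileUpload, such as a DCA or service account, deserves an immediate look.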

Impact Analysis

The affected products are core components of many enterprise SD-WAN deployments:

  • Catalyst SD-WAN Manager - central orchestration point for policy, routing, and security across branch sites.
  • Data Collection Agent (DCA) - a component of the Manager itself (not a separate agent on edge routers) that collects telemetry and statistics from the fabric.

Organizations that rely on these components for connectivity, WAN optimisation, and zero-trust segmentation are at risk of:

  • Complete loss of network control - an attacker can rewrite routing policies, redirect traffic, or shut down links.
  • Credential theft - harvested admin or service-account credentials can be reused against other Cisco or third-party services.
  • Persistence - overwritten init scripts survive reboots, making remediation difficult.
  • Data exfiltration - compromised WAN links can be used to siphon sensitive traffic without detection.

Given the critical classification, the potential impact ranges from operational disruption to full-scale data breach, especially for sectors with stringent compliance requirements (finance, healthcare, government).

Timeline of Events

  • Feb 25, 2026 - Cisco releases patches for five Catalyst SD-WAN vulnerabilities, including CVE-2026-20128 and CVE-2026-20122.
  • Mar 5, 2026 - Cisco advisory update confirms active exploitation of the two newly-patched flaws.
  • Mar 6, 2026 - SecurityWeek publishes analysis confirming exploitation and linking activity to UAT-8616.
  • Mar 7-10, 2026 - Multiple unnamed enterprises report anomalous SD-WAN behaviour (unexpected routing changes, unknown processes on manager VM).
  • Mar 12, 2026 - Cisco Talos releases detailed IoCs (IP ranges, YARA rules) for the UAT-8616 campaign.

Mitigation/Recommendations

Immediate steps for organisations running Cisco Catalyst SD-WAN:

  1. Apply the February 2026 patches on both the Manager and all DCA instances. Verify patch installation with show version and checksum validation.
  2. Restrict API access to trusted management subnets with firewall ACLs, and require MFA for administrative logins through your AAA integration (for example Cisco Identity Services Engine, ISE). The Manager's API should never be reachable from the internet.
  3. Audit DCA accounts. Disable any default or unused DCA users and enforce strong, unique passwords or certificate-based authentication.
  4. Monitor file integrity. Deploy FIM (File Integrity Monitoring) on the Manager VM to alert on changes to /etc/rc.d, /opt/cisco/sdwan, and Python module directories.
  5. Network segmentation. Place the Manager on a dedicated management VLAN isolated from data-plane traffic. Use east-west micro-segmentation to limit lateral movement.
  6. Conduct a credential rotation. After patching, rotate all admin, service-account, and DCA passwords/certificates.
  7. Ingest the IoCs published by Talos (malicious IPs, user-agent strings, file hashes) into Cisco XDR or an equivalent SIEM, and alert on matches in Manager API and authentication logs.
  8. Develop an incident-response playbook specific to SD-WAN compromise - include steps for isolating the Manager, forensic snapshotting, and restoring from known-good backups.
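The file-integrity monitoring recommended in step 4 can be done with a small baseline-and-compare tool. The script below is an added example, not Cisco's tooling or code from the article: it hashes every file under the watched directories, stores the result as JSON, and on the next run reports anything added, removed or modified, including a symlink whose target changed. The watched paths are taken from the article's recommendation; the Manager's real filesystem layout is an assumption, so adjust WATCH_DIRS to the deployment. The simulate_overwrite() helper builds a scratch directory tree that mimics an overwritten init script and a dropped cron-style file so the logic can be exercised offline.

```python
import hashlib
import json
import os
import stat
import sys
import tempfile

# Directories from the article's FIM recommendation. Real Manager layout is an assumption.
WATCH_DIRS = ["/etc/rc.d", "/opt/cisco/sdwan"]


def file_record(path):
    """Hash plus ownership and permission bits for one path (symlinks hashed by target)."""
    st = os.lstat(path)
    digest = hashlib.sha256()
    if stat.S_ISREG(st.st_mode):
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                digest.update(chunk)
    elif stat.S_ISLNK(st.st_mode):
        digest.update(os.readlink(path).encode())  # a retargeted symlink counts as a change
    return {
        "sha256": digest.hexdigest(),
        "mode": oct(stat.S_IMODE(st.st_mode)),
        "uid": st.st_uid,
        "gid": st.st_gid,
    }


def build_baseline(roots):
    """Walk each root and record every file; unreadable entries are skipped, not fatal."""
    baseline = {}
    for root in roots:
        for dirpath, _dirnames, filenames in os.walk(root):
            for name in filenames:
                full = os.path.join(dirpath, name)
                try:
                    baseline[full] = file_record(full)
                except OSError:
                    continue
    return baseline


def compare(old, new):
    """Added, removed and modified paths between two baselines (mode/owner changes count)."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return {"added": added, "removed": removed, "modified": modified}


def save_baseline(baseline, path):
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def simulate_overwrite():
    """Offline demo: baseline a scratch tree, then tamper the way the article's chain does.

    Returns the comparison with paths relative to the scratch root.
    """
    with tempfile.TemporaryDirectory() as tmp:
        initd = os.path.join(tmp, "init.d")
        os.makedirs(initd)
        script = os.path.join(initd, "sdwan")
        with open(script, "w") as f:
            f.write("#!/bin/sh\nexec /opt/cisco/sdwan/bin/manager\n")  # constructed init script
        before = build_baseline([tmp])
        with open(script, "a") as f:
            f.write("/tmp/.x &\n")  # constructed backdoor line appended by the attacker
        with open(os.path.join(initd, "backdoor"), "w") as f:
            f.write("* * * * * root /tmp/.x\n")  # constructed cron-style persistence
        after = build_baseline([tmp])
        result = compare(before, after)
        return {k: [os.path.relpath(p, tmp) for p in v] for k, v in result.items()}


if __name__ == "__main__":
    baseline_file = sys.argv[1] if len(sys.argv) > 1 else "sdwan-fim-baseline.json"
    current = build_baseline(WATCH_DIRS)
    if os.path.exists(baseline_file):
        print(json.dumps(compare(load_baseline(baseline_file), current), indent=1))
    else:
        save_baseline(current, baseline_file)
        print(f"baseline written to {baseline_file} ({len(current)} files)")
```

Run it once right after patching to capture a known-good baseline, then on a schedule from a host the Manager cannot write to; a baseline stored on the Manager itself is something the same file-overwrite bug can tamper with. Hashing mode, uid and gid alongside content means a chmod or chown on an init script is reported even when the bytes are unchanged.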

For organisations that cannot patch immediately, consider temporary mitigations: disable the DCA feature if it is not needed, block the vulnerable fileUpload endpoint at the perimeter except from a small set of administrative hosts, and make sure the Manager's API is not reachable from the internet. These reduce exposure but are not a substitute for the patch.

Real-World Impact

When a SD-WAN Manager is compromised, the attacker gains a strategic foothold spanning an entire corporate WAN. Real-world consequences observed in early March include:

  • Branch office routers rerouted to malicious DNS servers, facilitating credential harvesting.
  • Encrypted traffic intercepted via injected TLS-termination proxies, breaching data-in-transit confidentiality.
  • Denial-of-service on critical business applications after the attacker altered QoS policies.
  • Compliance violations, as regulated data (PCI-DSS, HIPAA) traversed untrusted paths.

Because the attack chain can be automated, even modestly resourced adversaries can target dozens of organisations simultaneously, turning a single vulnerability into a supply-chain level threat.

Expert Opinion

From a strategic standpoint, the rapid weaponisation of CVE-2026-20128 and CVE-2026-20122 underscores a shifting attacker focus from traditional data-center firewalls to the increasingly programmable edge of the network. SD-WAN platforms, by design, centralise control and expose rich APIs - a high-value attack surface.

UAT-8616's choice to chain an old privilege-escalation bug with newly released flaws demonstrates two important trends:

  1. Legacy vulnerability reuse: Attackers maintain libraries of "old but gold" exploits. When a fresh bug appears, they quickly combine it with known, still-unpatched weaknesses to shorten the path to full compromise.
  2. Supply-chain amplification: Compromising a single SD-WAN manager can affect thousands of downstream sites, magnifying the impact far beyond the initial target.

Enterprises should therefore treat SD-WAN as a critical security domain, not just a networking convenience. Continuous patch management, strict API hardening, and real-time telemetry are no longer optional - they are mandatory controls to prevent a repeat of the 2026 Cisco incidents.

Finally, the disclosure of active exploitation ahead of widespread patch adoption is a reminder that a vulnerability stops being a "zero-day" only once the fix is actually installed. Security teams should patch first and then hunt backwards for signs of compromise that predate the patch, and they should fold threat-intelligence feeds such as Talos's into daily operations to keep pace with actors like UAT-8616.