Cisco’s Catalyst SD-WAN Manager, previously known as SD-WAN vManage, is affected by two newly disclosed vulnerabilities that are already being exploited. Because the Manager is the control point for an entire SD-WAN deployment, the flaws put every network managed through it at risk, and administrators are being urged to act without delay.
These Vulnerabilities Are Already Being Exploited in the Wild
Cisco confirmed that both vulnerabilities have been observed under active exploitation; they are not theoretical risks. The first of the two, CVE-2026-20122, is an arbitrary file overwrite vulnerability with a CVSS base score of 7.1. It could allow an authenticated, remote attacker to overwrite arbitrary files on the local file system of an affected device. Overwriting system or application files in this way can corrupt network configuration, disable security controls, or stage a deeper intrusion into the managed environment.
The authentication requirement narrows the pool of attackers but does not make the flaw low-risk. Credentials for management platforms are routinely obtained through phishing, credential stuffing, or reuse of leaked passwords, and an attacker holding a valid account can use this vulnerability to cause serious damage across the network infrastructure.
The Risk Extends Across Wide-Scale Network Environments
Because Cisco’s Catalyst SD-WAN Manager serves as a centralized management platform for SD-WAN deployments, any compromise of this system carries wide-reaching consequences. Organizations relying on SD-WAN technology to manage branch connectivity, cloud access, and network segmentation are particularly exposed. A successful exploitation attempt targeting this platform could impact dozens or even hundreds of connected network nodes simultaneously, making rapid remediation all the more important.
The active exploitation of these vulnerabilities signals that threat actors are already aware of and actively targeting these weaknesses. Security teams should treat this disclosure as an urgent call to action rather than a routine patch cycle item.
What Administrators Should Do Right Now
Organizations running Cisco Catalyst SD-WAN Manager should take the following steps without delay.
- Apply Cisco’s fixed software releases to every affected Catalyst SD-WAN Manager instance immediately.
- Review authentication logs and access records for unauthorized or suspicious activity, such as logins from unexpected addresses, at unusual hours, or by accounts that do not normally use the platform.
- Deploy monitoring and logging that detects unexpected changes to files on the Manager’s file system, as well as abnormal traffic to and from the management plane.
- Enforce strict access controls: restrict who can authenticate to the Manager, keep privileged accounts to a minimum, and limit network access to the management interface so that a stolen credential has the smallest possible blast radius.
- Audit all connected SD-WAN nodes for signs of compromise that may already have occurred.
Routine patching alone is not sufficient given the active exploitation status of these vulnerabilities. Administrators should also verify that their incident response plans are current and that security teams are positioned to respond quickly if evidence of compromise is identified.
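One concrete way to carry out the "detect unusual file system changes" step above is a file-integrity baseline: hash every file on the system once, store the result somewhere the Manager itself cannot alter, and periodically rescan and diff. The script below is an added, generic example written for this article; it is not a Cisco tool, does not use any SD-WAN Manager API, and the directory tree it scans is constructed inline to simulate a file being overwritten and another being dropped.

```python
"""Added example: a minimal file-integrity baseline check.

Illustrative code for this article, not a Cisco tool and not specific to
Catalyst SD-WAN Manager. It hashes every regular file under a directory,
stores the result as a baseline, and on a later scan reports files that were
modified, added or removed. On a platform affected by an arbitrary file
overwrite vulnerability, an unexpected change to a file that should be static
is exactly the signal a defender wants surfaced.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_tree(root):
    """Return {relative_path: sha256_hex} for every regular file under root.

    Symlinks are skipped so an attacker cannot point a link at a file outside
    the tree to make the scan read something other than what it reports.
    """
    digests = {}
    root = Path(root)
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            h = hashlib.sha256()
            with path.open("rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[str(path.relative_to(root))] = h.hexdigest()
    return digests


def save_baseline(digests, baseline_file):
    """Persist the baseline as JSON (in practice: off-box or on read-only media)."""
    Path(baseline_file).write_text(json.dumps(digests, indent=2, sort_keys=True))


def load_baseline(baseline_file):
    return json.loads(Path(baseline_file).read_text())


def compare(baseline, current):
    """Classify differences between a stored baseline and a fresh scan."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return {"modified": modified, "added": added, "removed": removed}


def demo():
    """Constructed scenario: baseline a small tree, then overwrite one file and
    drop a new one to stand in for what an arbitrary-file-overwrite attacker
    might do. Paths and contents are invented for the example."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "etc"
        (root / "app").mkdir(parents=True)
        (root / "app" / "config.cfg").write_text("mode=strict\n")
        (root / "app" / "users.db").write_text("admin:locked\n")
        (root / "motd").write_text("authorised users only\n")

        # Baseline lives outside the scanned tree.
        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(hash_tree(root), baseline_file)

        # Simulated tampering (constructed, not a real exploit).
        (root / "app" / "config.cfg").write_text("mode=permissive\n")
        (root / "app" / "new_file.txt").write_text("unexpected\n")

        return compare(load_baseline(baseline_file), hash_tree(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two caveats matter in practice. The baseline must be stored where the monitored host cannot rewrite it (a remote log or SIEM, or read-only media), because an attacker who can overwrite arbitrary files can also overwrite a baseline kept locally. And the scan should be scoped to files that are expected to be static; paths that change during normal operation will otherwise generate noise that buries the one change that matters.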
The Broader Implications for Network Security
The disclosure of actively exploited vulnerabilities in a widely deployed platform like Cisco’s Catalyst SD-WAN Manager reflects the persistent and growing challenges organizations face when securing complex, centralized network management systems. These platforms are high-value targets precisely because compromising them can yield disproportionate access to broader network environments.
Cisco’s transparency in publicly disclosing these vulnerabilities and confirming active exploitation demonstrates a responsible approach to coordinated vulnerability disclosure. However, the burden now falls on the organizations running these systems to act swiftly. Staying current with security advisories from Cisco and other major technology providers is no longer optional — it is a fundamental component of any credible network security strategy. As threat actors continue to identify and exploit weaknesses in critical infrastructure software, proactive and well-resourced security operations remain the most reliable line of defense.
