CISA Issues Emergency Deadline as Hackers Weaponize Cisco SD-WAN Flaws
Attackers are already exploiting vulnerabilities in Cisco networking hardware, prompting United States authorities to give federal agencies only a few days to secure their systems.
The Cybersecurity and Infrastructure Security Agency (CISA) has added three distinct flaws in the Cisco Catalyst SD-WAN Manager platform to its Known Exploited Vulnerabilities (KEV) catalog, mandating that they be remediated by April 23. This orchestration system manages corporate network architectures and can oversee upwards of 6,000 devices within a single cluster.
The first vulnerability, CVE-2026-20128, is a data exfiltration flaw in the information gathering component. An unauthenticated adversary can remotely assume the privileges of a legitimate user within this specific module. The second, CVE-2026-20133, similarly allows an unauthorized actor to view confidential telemetry on a susceptible device.
The most dangerous of the three, CVE-2026-20122, offers even broader exploitation capabilities. With even restricted access through the application programming interface (API), a malicious actor can upload malicious files, overwrite local data, and assume the system privileges of the management interface.
Cisco remediated all three vulnerabilities in late February. By March, the company’s forensic specialists had already documented active intrusions leveraging CVE-2026-20128 and CVE-2026-20122. While evidence of the third vulnerability being exploited in the wild remains elusive, the manufacturer has not disclosed the specifics of these attacks or the precise objectives of the perpetrators upon gaining access.