Network Decapitation: Cisco Warns of Active SD-WAN Zero-Day Exploits and Chained Attacks
Cisco has warned of ongoing attacks in which threat actors are exploiting vulnerabilities in the Catalyst SD-WAN Manager network management platform. The company urges network administrators to apply the software fixes to all affected devices as soon as possible.
Catalyst SD-WAN Manager, formerly known as vManage, is the central management component of a Catalyst SD-WAN deployment. It lets operators configure and monitor up to 6,000 Catalyst SD-WAN devices from a single console.
Cisco said that in March 2026 it observed exploitation of two vulnerabilities, CVE-2026-20122 and CVE-2026-20128. The updated warning supplements the company's initial advisory published on February 25.
According to Cisco's telemetry, attackers are currently exploiting only these two flaws; the other security issues described in the same advisory have so far shown no evidence of exploitation. The company strongly advises installing the updated software releases that fix the issues.
The first vulnerability, CVE-2026-20122, is rated high severity. It allows an attacker to overwrite arbitrary files. Exploiting it requires remote access with valid credentials that grant read-only privileges and API access. The second, CVE-2026-20128, is rated medium severity and leads to the disclosure of administrative information. Exploiting it requires local access and a valid, active vManage account. Cisco stresses that both vulnerabilities affect Catalyst SD-WAN Manager regardless of how the devices are configured, so no configuration setting can be relied on as a workaround.
Cisco had already reported attacks on SD-WAN infrastructure before this. In late February the company confirmed active exploitation of another flaw, CVE-2026-20127. This authentication bypass vulnerability allowed attackers to take over network controllers and inject rogue nodes into the fabric. These rogue devices pass as legitimate members of the network, which lets attackers move laterally deeper into the infrastructure. According to Cisco, such operations have been under way since at least 2023.
Details of the attacks have been confirmed and published by government agencies in the United States and the United Kingdom. The Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 26-03, which requires US federal agencies to inventory their Cisco SD-WAN deployments, collect forensic data, apply the fixes, and check their infrastructure for indicators of compromise.
Separately, Cisco recently released fixes for two serious vulnerabilities in Secure Firewall Management Center. The flaws, CVE-2026-20079 and CVE-2026-20131, allow an unauthenticated remote attacker to obtain root privileges on the operating system or execute arbitrary Java code on unpatched devices.
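The rogue-device campaign described above and the directive's inventory-and-hunt requirement both come down to one check: does every device the controller believes is part of the fabric correspond to hardware the organisation actually owns? The script below is an added example written for this article; it is not Cisco or CISA code. It compares a device-list export against an out-of-band asset record and flags three things a rogue node can produce: a serial that appears in no asset record, a serial that appears on more than one device (one of them is impersonating the other), and an approved device that has vanished from the fabric. The JSON sample and the field names (deviceId, host-name, serialNumber, device-type, reachability) are constructed for the example and are assumptions, not verified controller API output; adapt the keys to whatever your export actually contains.

```python
import json
from collections import Counter

# Constructed sample of a controller device-list export. The field names are
# assumptions made for this example, not verified controller API output.
SAMPLE_DEVICE_LIST = json.dumps({
    "data": [
        {"deviceId": "10.10.1.1", "host-name": "sdwan-manager-1",
         "serialNumber": "MGR-0001", "device-type": "vmanage", "reachability": "reachable"},
        {"deviceId": "10.10.1.2", "host-name": "controller-1",
         "serialNumber": "CTL-0001", "device-type": "vsmart", "reachability": "reachable"},
        {"deviceId": "10.20.1.1", "host-name": "edge-branch-1",
         "serialNumber": "EDGE-0101", "device-type": "vedge", "reachability": "reachable"},
        {"deviceId": "10.20.1.2", "host-name": "edge-branch-2",
         "serialNumber": "EDGE-0102", "device-type": "vedge", "reachability": "unreachable"},
        # Two entries sharing a serial: one of them is impersonating the other.
        {"deviceId": "10.20.9.9", "host-name": "edge-branch-1",
         "serialNumber": "EDGE-0101", "device-type": "vedge", "reachability": "reachable"},
        # A serial that exists in no asset record at all.
        {"deviceId": "10.20.9.10", "host-name": "edge-dc-7",
         "serialNumber": "EDGE-9999", "device-type": "vedge", "reachability": "reachable"},
    ]
})

# Constructed asset record: serials the organisation actually owns, taken from
# a source that does not depend on the (possibly compromised) controller.
APPROVED_SERIALS = {"MGR-0001", "CTL-0001", "EDGE-0101", "EDGE-0102", "EDGE-0103"}


def parse_device_list(raw_json):
    """Return the list of device records from an exported device list."""
    return json.loads(raw_json)["data"]


def find_unapproved(devices, approved):
    """Devices whose serial is absent from the asset record."""
    return [d for d in devices if d.get("serialNumber") not in approved]


def find_duplicate_serials(devices):
    """Serials that appear on more than one device: a sign of impersonation."""
    counts = Counter(d.get("serialNumber") for d in devices)
    return sorted(s for s, n in counts.items() if n > 1)


def find_missing(devices, approved):
    """Approved serials that do not appear in the fabric at all."""
    present = {d.get("serialNumber") for d in devices}
    return sorted(approved - present)


def audit_fabric(raw_json, approved):
    """Combine the three checks into one report for an IOC hunt."""
    devices = parse_device_list(raw_json)
    unapproved = find_unapproved(devices, approved)
    return {
        "total": len(devices),
        "unapproved": [(d["host-name"], d["deviceId"], d["serialNumber"]) for d in unapproved],
        "duplicate_serials": find_duplicate_serials(devices),
        "missing": find_missing(devices, approved),
    }


if __name__ == "__main__":
    print(json.dumps(audit_fabric(SAMPLE_DEVICE_LIST, APPROVED_SERIALS), indent=2))
```

On the constructed sample the report names edge-dc-7 as unapproved, EDGE-0101 as a duplicated serial, and EDGE-0103 as an approved device that is no longer in the fabric. None of these findings is proof of compromise on its own, but each is the kind of discrepancy that should trigger the forensic collection the directive calls for before the device is touched. One caveat matters more than the script: if the Manager itself has been taken over, its own device list cannot be trusted, so the approved-serial set must come from procurement or asset records held outside the SD-WAN control plane.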