Cisco Catalyst SD-WAN vulnerabilities let attackers gain high privileges and, in some cases, root
Cisco warned that multiple flaws in Cisco Catalyst SD-WAN Manager (formerly vManage) can let attackers bypass authentication, read sensitive data, overwrite files, and escalate privileges up to root, depending on the bug and the attacker's starting access level. The most severe issue, CVE-2026-20129, lets a remote unauthenticated attacker send crafted requests to the API and obtain netadmin privileges because the API's authentication check can be bypassed.
Cisco also said threat actors are already exploiting CVE-2026-20122 and CVE-2026-20128 in the wild. That raises the urgency for teams that run SD-WAN Manager on internet-reachable networks or on networks where low-privilege users can reach the appliance filesystem.
If you run Catalyst SD-WAN Manager, patching matters more than tuning detections. CIS also lists fixed trains and warns that older, end-of-life branches need upgrades or migration.
What is vulnerable
| CVE | Severity | What it enables | Access needed |
|---|---|---|---|
| CVE-2026-20129 | Critical (9.8) | Auth bypass to netadmin command execution | Unauthenticated, remote |
| CVE-2026-20133 | Medium to High (varies by score source) | Unauthenticated read of sensitive information via API | Unauthenticated, remote |
| CVE-2026-20122 | Medium (5.4) | Overwrite arbitrary files; gain vmanage privileges | Authenticated, remote (read-only API creds) |
| CVE-2026-20128 | High (7.5 CNA) | Read stored DCA password, pivot to DCA access on other systems | Authenticated, local with vmanage creds |
| CVE-2026-20126 | High (8.8 CNA) | Local privilege escalation to root via REST API | Authenticated, local low-privilege |
Why CVE-2026-20129 drives the “patch now” message
CVE-2026-20129 sits in the API authentication flow. NVD’s description says an unauthenticated attacker can send crafted API requests and gain access as a user with the netadmin role, then execute commands with that role’s privileges.
That makes exposed management interfaces a real risk, especially on devices that share management reachability with broader enterprise networks.
Active exploitation: what Cisco acknowledged publicly
Cisco said it became aware of active exploitation for CVE-2026-20122 and CVE-2026-20128. Cisco did not publish full exploit details in public summaries, which is common during active exploitation windows.
Fixed releases you should target
CIS lists these fixed trains for Catalyst SD-WAN Manager and notes that some branches are end-of-life:
- 20.9.x: update to 20.9.8.2
- 20.12.5.x: update to 20.12.5.3
- 20.12.6.x: update to 20.12.6.1
- 20.15.x: update to 20.15.4.2
- 20.18.x: update to 20.18.2.1
- 20.11, 20.13, 20.14, 20.16: EOL, plan a supported upgrade path
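To turn the list above into a check you can run against an inventory, here is an added example (not Cisco's code and not from the article) that maps a running version string to the fixed release of its train, or flags it as EOL. It assumes, as the list implies, that any build at or above the listed fixed release on the same train carries the fix; trains the list does not mention come back as unknown rather than being guessed.

```python
# Added example, not from Cisco or the article: decide whether a running
# Catalyst SD-WAN Manager version is on a fixed release, behind it, or on an
# EOL train, using only the trains listed above.
from typing import Optional, Tuple

# Fixed releases per train, as listed above. Keys are version prefixes;
# the more specific 20.12.5 / 20.12.6 prefixes must win over shorter ones.
FIXED = {
    "20.9": "20.9.8.2",
    "20.12.5": "20.12.5.3",
    "20.12.6": "20.12.6.1",
    "20.15": "20.15.4.2",
    "20.18": "20.18.2.1",
}
EOL_TRAINS = ("20.11", "20.13", "20.14", "20.16")


def parse_version(v: str) -> Optional[Tuple[int, ...]]:
    """'20.12.5.1' -> (20, 12, 5, 1); None if any component is not an integer."""
    try:
        return tuple(int(p) for p in v.strip().split("."))
    except ValueError:
        return None


def on_train(version: Tuple[int, ...], train: str) -> bool:
    """True if `version` starts with the numeric prefix `train`."""
    prefix = parse_version(train)
    return prefix is not None and version[: len(prefix)] == prefix


def assess(version: str) -> Tuple[str, str]:
    """Return (status, target) with status in {'patched', 'vulnerable', 'eol', 'unknown'}.

    Assumption: any build numerically at or above the listed fixed release on the
    same train carries the fix; anything below it does not.
    """
    v = parse_version(version)
    if v is None:
        return ("unknown", "unparsable version string")
    if any(on_train(v, t) for t in EOL_TRAINS):
        return ("eol", "migrate to a supported train")
    # Longest prefix first, so 20.12.5.x is matched by its own key and never
    # by a shorter one.
    for train in sorted(FIXED, key=lambda t: -len(t.split("."))):
        if on_train(v, train):
            fixed = FIXED[train]
            status = "patched" if v >= parse_version(fixed) else "vulnerable"
            return (status, fixed)
    return ("unknown", "train not in the list above; check the Cisco advisory")


if __name__ == "__main__":
    for ver in ("20.12.5.1", "20.12.5.3", "20.13.1", "20.9.8.2", "20.18.1", "20.12.4.1"):
        print(ver, assess(ver))
```

Feed it the version strings from your asset inventory; anything that comes back `vulnerable` or `eol` is a patch or migration ticket, and `unknown` means the train is not covered by the list on this page and needs the advisory checked directly.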
Recommended actions
- Patch SD-WAN Manager to the fixed train that matches your branch, or move off EOL releases.
- Restrict access to the SD-WAN Manager portal and API from untrusted networks, and put the system behind a firewall.
- Disable unused services like HTTP or FTP if your deployment does not require them.
- Hunt for signs of abuse:
  - Unexpected API calls to SD-WAN Manager endpoints
  - New privilege changes for vmanage or netadmin roles
  - Low-privilege local access followed by lateral access attempts that match DCA pivot behavior
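The first two hunting bullets above can be expressed as simple rules over an API audit log. The following is an added example (not Cisco's code and not from the article): the JSON field names, the `/api/` path prefix and the sample records are constructed for illustration, so map them onto whatever your SD-WAN Manager or the proxy in front of it actually logs. Rule 1 looks for the CVE-2026-20129 pattern (a successful API call with no authenticated user), rule 2 for grants of the netadmin or vmanage role, and rule 3 for the CVE-2026-20122 pattern (read-only API credentials issuing successful write requests).

```python
# Added example, not from Cisco or the article: triage rules over an API audit
# log from SD-WAN Manager (or a proxy in front of it). The JSON field names,
# the "/api/" path prefix and the sample records are constructed for this
# example; map them onto whatever your deployment actually logs.
import json
from typing import Dict, List

PRIVILEGED_ROLES = {"netadmin", "vmanage"}
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
API_PREFIX = "/api/"  # constructed for the example, not the product's real prefix

# Constructed sample log: one JSON object per line.
SAMPLE_LOG = """
{"ts":"2026-03-01T09:12:04Z","src":"203.0.113.7","user":null,"role":"","method":"POST","path":"/api/device/action","status":200}
{"ts":"2026-03-01T09:13:10Z","src":"198.51.100.4","user":"ro-monitor","role":"readonly","method":"PUT","path":"/api/files/template","status":200}
{"ts":"2026-03-01T09:14:55Z","src":"10.0.0.5","user":"admin","role":"netadmin","action":"role_change","target_user":"svc-backup","new_role":"netadmin","method":"POST","path":"/api/admin/user","status":200}
{"ts":"2026-03-01T09:15:02Z","src":"10.0.0.9","user":"admin","role":"netadmin","method":"GET","path":"/api/device","status":200}
{"ts":"2026-03-01T09:16:30Z","src":"203.0.113.7","user":null,"role":"","method":"POST","path":"/api/device/action","status":401}
"""


def triage(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per matching rule per record, in log order."""
    findings: List[Dict[str, str]] = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            findings.append({"rule": "unparsable_record", "src": "", "detail": raw[:80]})
            continue
        user = ev.get("user") or ""
        role = ev.get("role") or ""
        method = str(ev.get("method", "")).upper()
        path = str(ev.get("path", ""))
        status = ev.get("status")
        src = str(ev.get("src", ""))

        # Rule 1 (CVE-2026-20129 pattern): the server answered 200 to an API call
        # that carried no authenticated user. Rejected attempts (401/403) are not
        # flagged here; count them separately if one source keeps retrying.
        if path.startswith(API_PREFIX) and status == 200 and not user:
            findings.append({"rule": "unauthenticated_api_success", "src": src,
                             "detail": f"{method} {path}"})

        # Rule 2 (privilege changes): a role grant that lands on netadmin/vmanage.
        if ev.get("action") == "role_change" and ev.get("new_role") in PRIVILEGED_ROLES:
            findings.append({"rule": "privileged_role_grant", "src": src,
                             "detail": f"{user} -> {ev.get('target_user')}:{ev.get('new_role')}"})

        # Rule 3 (CVE-2026-20122 pattern): read-only API credentials should never
        # complete a write request; a successful one is the file-overwrite path.
        if role == "readonly" and method in WRITE_METHODS and status == 200:
            findings.append({"rule": "readonly_write", "src": src,
                             "detail": f"{user} {method} {path}"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f["rule"], f["src"], f["detail"])
```

On the constructed sample this yields three findings (one per rule) and ignores the normal netadmin GET and the rejected unauthenticated POST. In practice, feed `triage` the audit log after the patch window too: a hit on rule 1 after upgrading means either the upgrade did not land or the log source is not the appliance you think it is.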
FAQ
Which of these vulnerabilities is the most severe?
CVE-2026-20129, because it lets an unauthenticated remote attacker gain netadmin privileges through the API.
Which CVEs are being exploited in the wild?
Cisco said it saw active exploitation for CVE-2026-20122 and CVE-2026-20128.
What did Cisco recommend?
Public reporting around the advisory says Cisco emphasized upgrading to fixed releases and tightening exposure of management access.
What does CVE-2026-20128 do?
It can expose a stored DCA password on the filesystem and help attackers pivot into DCA access on other affected systems.