Introduction: A Renewed Warning for Network Infrastructure Security
Enterprise networks across the world rely heavily on software-defined wide area networking (SD-WAN) technologies to manage connectivity, traffic routing, and secure communications between distributed locations. When vulnerabilities emerge in such infrastructure, the consequences can extend far beyond a single device or network segment. Recently, Cisco issued an urgent warning after discovering that threat actors are actively exploiting two previously patched vulnerabilities in its Catalyst SD-WAN platform. The security flaws, identified as CVE-2026-20128 and CVE-2026-20122, allow attackers to gain access to sensitive systems, escalate privileges to root level, and manipulate critical files. Cisco’s advisory highlights the growing sophistication of threat actors targeting networking infrastructure and emphasizes the need for organizations to rapidly deploy security updates to prevent potential breaches.
Cisco Security Advisory Reveals Active Exploitation in the Wild
Cisco confirmed that attackers are actively exploiting two vulnerabilities affecting the Cisco Catalyst SD-WAN Manager, previously known as SD-WAN vManage. These flaws can allow malicious actors to access compromised systems, escalate privileges, retrieve sensitive data, and overwrite arbitrary files within the system environment.
The company originally released patches on February 25 to address five vulnerabilities impacting the Catalyst SD-WAN platform. These issues ranged from high-severity to critical flaws capable of giving attackers deep system access. However, on March 5, Cisco updated its advisory after detecting real-world exploitation attempts targeting two of the vulnerabilities: CVE-2026-20128 and CVE-2026-20122.
The first vulnerability, CVE-2026-20128, affects the Data Collection Agent feature within the platform. This flaw allows a locally authenticated attacker to gain Data Collection Agent privileges, potentially granting deeper access to system operations. Although the attack requires valid credentials, the resulting privileges may provide attackers with significant control over the network management system.
The second vulnerability, CVE-2026-20122, presents an even broader risk. It allows a remote authenticated attacker to exploit the SD-WAN Manager API to overwrite arbitrary files. By manipulating these files, an attacker could escalate privileges within the system, potentially gaining root-level access and compromising the integrity of the network infrastructure.
Cisco’s Product Security Incident Response Team (PSIRT) confirmed that exploitation of these vulnerabilities was detected in March 2026. The company emphasized that while other vulnerabilities listed in the advisory have not been observed in active attacks, the two exploited flaws pose an immediate threat. Organizations operating vulnerable systems are strongly advised to upgrade to the latest patched software releases to mitigate the risk.
Despite confirming active exploitation, Cisco has not released detailed technical information regarding the attacks or the specific threat actors responsible. This limited disclosure is common during active vulnerability exploitation to prevent additional attackers from weaponizing the vulnerabilities.
Additional Critical Vulnerability Raises Further Concerns
Alongside the two actively exploited vulnerabilities, Cisco previously disclosed another critical flaw affecting the Catalyst SD-WAN platform, tracked as CVE-2026-20127. This vulnerability carries the maximum severity rating with a CVSS score of 10.0 and has reportedly been exploited since 2023.
The flaw affects both the Catalyst SD-WAN Controller and Manager components. It allows remote unauthenticated attackers to bypass authentication mechanisms by sending specially crafted requests to vulnerable systems. Once successful, attackers can gain administrative-level access without needing legitimate credentials.
The root cause of the vulnerability lies in a malfunction within the peering authentication mechanism used by affected systems. By exploiting this weakness, attackers can log into a Cisco Catalyst SD-WAN Controller using a high-privileged internal user account. Although the account does not initially grant root privileges, it provides access to the NETCONF interface, which enables attackers to manipulate the configuration of the entire SD-WAN fabric.
Such control over network configuration could allow attackers to redirect traffic, disrupt services, deploy persistent backdoors, or intercept sensitive communications across enterprise networks.
The vulnerability impacts all Cisco Catalyst SD-WAN deployments regardless of their configuration, significantly increasing the potential attack surface. Cisco credited the Australian Signals Directorate’s Australian Cyber Security Centre for responsibly reporting the issue, highlighting the role of international cyber defense collaboration in identifying critical infrastructure vulnerabilities.
Sophisticated Threat Actor Activity Identified by Cisco Talos
Cisco’s internal threat intelligence team, Cisco Talos, has been tracking the exploitation campaign under the designation UAT-8616. According to investigators, the threat actor behind this activity demonstrates a high level of sophistication and has likely been operating since at least 2023.
During their investigation, analysts discovered evidence suggesting the attackers used a complex exploitation strategy involving software downgrades. By temporarily downgrading system versions, the attackers could exploit older vulnerabilities, including CVE-2022-20775, to escalate privileges to root access.
After successfully gaining elevated privileges, the attackers reportedly restored the original software versions. This tactic allowed them to maintain stealthy root-level access while minimizing detection, making the compromise extremely difficult to identify through standard security monitoring.
This campaign highlights a growing trend in cyberattacks targeting network edge devices. Unlike traditional endpoint attacks, compromising network infrastructure allows attackers to gain persistent and strategic access to high-value targets such as government institutions, telecommunications providers, and critical infrastructure operators.
Cisco has released patched versions of Catalyst SD-WAN to address the vulnerabilities. Fixed software releases include versions 20.9.8.2, 20.12.5.3, 20.12.6.1, 20.15.4.2, and 20.18.2.1. Organizations running versions earlier than 20.9.1 are strongly advised to migrate to a secure release as soon as possible.
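The fixed releases above are easy to misread when an inventory mixes release trains (20.9.x, 20.12.x and so on). The script below is an added example for this article, not Cisco tooling: it compares each reported version against the fixed releases the article lists and against the 20.9.1 migration floor. It assumes that a release train is identified by the first two version components and a maintenance train by the first three, and the device inventory is constructed.

```python
"""Audit an inventory of Catalyst SD-WAN software versions against the fixed
releases named in the article above.

Added example, not Cisco tooling. Assumptions: a release train is the first
two version components and a maintenance train the first three; the sample
inventory is constructed.
"""

from __future__ import annotations

# Fixed releases exactly as listed in the article.
FIXED_RELEASES = ("20.9.8.2", "20.12.5.3", "20.12.6.1", "20.15.4.2", "20.18.2.1")

# The article's migration floor: anything earlier than this has no fixed release.
MIGRATION_FLOOR = "20.9.1"


def parse_version(text: str) -> tuple[int, ...]:
    """Parse '20.12.5.3' or '20.9.1' into a 4-tuple so comparisons are component-wise."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple([int(p) for p in parts] + [0] * (4 - len(parts)))


def fmt(v: tuple[int, ...]) -> str:
    return ".".join(str(x) for x in v)


def classify(version: str) -> str:
    """Return 'fixed', 'vulnerable: ...' or 'unknown: ...' for one running version."""
    v = parse_version(version)
    fixes = sorted(parse_version(f) for f in FIXED_RELEASES)

    if v < parse_version(MIGRATION_FLOOR):
        return f"vulnerable: older than {MIGRATION_FLOOR}, migrate to a fixed release"

    # Same maintenance train (e.g. 20.12.6.x): fixed once at or above the listed fix.
    same_maint = [f for f in fixes if f[:3] == v[:3]]
    if same_maint:
        fix = same_maint[0]
        return "fixed" if v >= fix else f"vulnerable: upgrade to {fmt(fix)}"

    # Same release train (e.g. 20.12.x) but a maintenance train not in the list.
    same_train = [f for f in fixes if f[:2] == v[:2]]
    if not same_train:
        return "unknown: no fixed release listed for this train; confirm with the advisory"
    if v > same_train[-1]:
        return "unknown: newer than the listed fix for this train; confirm with the advisory"
    next_fix = min(f for f in same_train if f > v)
    return f"vulnerable: upgrade to {fmt(next_fix)}"


def audit(inventory: dict[str, str]) -> dict[str, str]:
    """Classify every device; unparseable versions are reported rather than skipped."""
    results: dict[str, str] = {}
    for device, version in inventory.items():
        try:
            results[device] = classify(version)
        except ValueError as exc:
            results[device] = f"unknown: {exc}"
    return results


# Constructed sample inventory (device name -> reported software version).
SAMPLE_INVENTORY = {
    "vmanage-hq": "20.12.5.3",
    "vmanage-dr": "20.12.4.1",
    "vsmart-1": "20.9.1",
    "vsmart-2": "20.8.2",
    "vbond-1": "20.16.1.0",
}

if __name__ == "__main__":
    for device, status in audit(SAMPLE_INVENTORY).items():
        print(f"{device:12} {status}")
```

Versions on a train the article does not name, or above the listed fix for their train, are reported as unknown rather than assumed safe, so the output is a worklist to check against the advisory, not a verdict.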
The advisory underscores the importance of maintaining up-to-date network infrastructure and implementing proactive security monitoring to detect potential intrusion attempts targeting core networking systems.
What Undercode Says:
Network Infrastructure Is Becoming the Primary Battlefield
The exploitation of Cisco Catalyst SD-WAN vulnerabilities illustrates a broader shift in cyber warfare. Attackers are no longer focusing solely on endpoints such as laptops or servers. Instead, they increasingly target the networking backbone that connects entire organizations.
Compromising an SD-WAN controller is strategically powerful. It acts as the central brain of distributed networks, managing routing policies, security rules, and connectivity between branches, data centers, and cloud environments. Once attackers gain control of such a system, they effectively control the digital highways through which data travels.
Privilege Escalation Remains the Ultimate Objective
Both CVE-2026-20128 and CVE-2026-20122 ultimately lead toward the same goal: root-level access. Root privileges represent complete control over the operating system and network configuration. With this level of access, attackers can disable logging, modify system files, deploy malware, or maintain hidden persistence mechanisms for years.
The Talos investigation revealing the downgrade technique demonstrates a highly strategic attacker mindset. Instead of relying on a single exploit, attackers chain multiple vulnerabilities together. Downgrading software to exploit an older vulnerability and then restoring the system version shows a deep understanding of enterprise patching practices.
This method is particularly dangerous because most organizations assume patched systems are safe. If attackers can temporarily revert versions internally, they bypass this assumption entirely.
Edge Devices Are Increasingly Attractive Targets
Network edge devices such as routers, firewalls, and SD-WAN controllers have become highly attractive to sophisticated threat actors. These devices often run continuously, receive fewer security audits, and operate outside traditional endpoint security monitoring systems.
Once compromised, they provide persistent access to entire network ecosystems. Traffic inspection, data exfiltration, lateral movement, and surveillance all become possible without triggering typical endpoint alarms.
Stealth and Persistence Define Modern Attacks
The three-year activity window suggested by Cisco Talos reveals another critical insight: advanced attackers prioritize stealth over speed. Rather than launching immediate disruptive attacks, they often maintain long-term access to gather intelligence, map infrastructure, and prepare future operations.
The downgrade-restore tactic also indicates that attackers are aware of incident response patterns. By restoring the original software version, they reduce the forensic evidence left behind and make a compromised device look like a normally configured one.
Patch Management Alone Is No Longer Enough
While Cisco strongly recommends upgrading software versions, patching alone cannot fully mitigate modern threats. Organizations must also implement behavioral monitoring, network anomaly detection, and configuration integrity checks.
Security teams should monitor for unusual API interactions, unauthorized file modifications, and unexpected privilege escalation attempts within network management platforms.
Additionally, strict access control policies for SD-WAN management interfaces can significantly reduce the risk of exploitation, especially for vulnerabilities requiring authenticated access.
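The downgrade-then-restore pattern described in the Talos findings is one of the behaviours the monitoring called for here can catch: a controller's software version should rarely go backwards, and a decrease followed by a return to the previous version within hours is worth an alert on its own. The script below is an added example for this article, not Cisco tooling. Its record format (one line per version change with a timestamp, device name, `old=` and `new=` fields) is constructed for the example and would need to be mapped onto whatever your platform actually exports.

```python
"""Flag software-version downgrades, and downgrade-then-restore cycles, in
device version-change records.

Added example, not Cisco tooling. The record format is constructed for the
example: '<ISO timestamp> <device> old=<version> new=<version> ...'.
"""

from __future__ import annotations

from datetime import datetime, timedelta
from typing import NamedTuple


class VersionChange(NamedTuple):
    ts: datetime
    device: str
    old: tuple[int, ...]
    new: tuple[int, ...]


def parse_version(text: str) -> tuple[int, ...]:
    """'20.12.5.3' -> (20, 12, 5, 3); shorter strings are zero-padded to four parts."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def parse_record(line: str) -> VersionChange:
    """Parse one constructed record into a VersionChange."""
    ts_text, device, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    ts = datetime.fromisoformat(ts_text.replace("Z", "+00:00"))
    return VersionChange(ts, device, parse_version(kv["old"]), parse_version(kv["new"]))


def detect_downgrades(lines, restore_window_hours: float = 72.0):
    """Return findings as (kind, device, timestamp) in device/time order.

    kind is 'downgrade' for any version decrease, and 'downgrade_restore_cycle'
    when the same device is later brought back to (or above) its pre-downgrade
    version within restore_window_hours.
    """
    events = sorted(
        (parse_record(line) for line in lines if line.strip()),
        key=lambda e: (e.device, e.ts),
    )
    window = timedelta(hours=restore_window_hours)
    findings = []
    pending: dict[str, VersionChange] = {}  # device -> downgrade awaiting a restore
    for e in events:
        if e.new < e.old:
            findings.append(("downgrade", e.device, e.ts))
            pending[e.device] = e
        elif e.device in pending:
            d = pending.pop(e.device)
            if e.new >= d.old and e.ts - d.ts <= window:
                findings.append(("downgrade_restore_cycle", e.device, e.ts))
    return findings


# Constructed sample records: one routine upgrade, one downgrade-restore cycle,
# and one downgrade that was never reverted.
SAMPLE_RECORDS = """
2026-02-26T09:15:00Z vmanage-1 old=20.9.1 new=20.12.5.3 actor=netops
2026-03-01T02:03:11Z vmanage-2 old=20.12.5.3 new=20.9.1 actor=svc-backup
2026-03-01T03:41:52Z vmanage-2 old=20.9.1 new=20.12.5.3 actor=svc-backup
2026-03-02T23:58:07Z vmanage-3 old=20.12.5.3 new=20.12.4.1 actor=svc-backup
""".strip().splitlines()

if __name__ == "__main__":
    for kind, device, ts in detect_downgrades(SAMPLE_RECORDS):
        print(f"{ts.isoformat()} {device:10} {kind}")
```

Every downgrade is reported, not only completed cycles, because a restore that falls outside the window, or never happens, still leaves the device on a release with known issues.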
The Bigger Strategic Risk
If attackers gain persistent control of enterprise SD-WAN infrastructure, the implications extend beyond data breaches. Such access could enable espionage, supply chain manipulation, or targeted disruption of critical services.
Because SD-WAN technologies are widely deployed in government networks, financial institutions, telecommunications providers, and healthcare systems, these vulnerabilities represent a potential gateway into global digital infrastructure.
Fact Checker Results
✅ Cisco confirmed active exploitation of vulnerabilities CVE-2026-20128 and CVE-2026-20122 in March 2026.
✅ Cisco Talos identified the sophisticated threat actor cluster UAT-8616 linked to the campaign.
❌ No confirmed attribution to a specific nation-state or cybercriminal group has been publicly disclosed.
Prediction
The targeting of SD-WAN platforms suggests a broader escalation in attacks against network infrastructure rather than endpoints. Over the next few years, threat actors will increasingly exploit edge devices and network controllers to gain persistent access to enterprise environments.
Cybersecurity strategies will likely shift toward deeper monitoring of network infrastructure itself, with vendors introducing enhanced telemetry, AI-driven anomaly detection, and zero-trust architectures to defend against infrastructure-level compromises.
References:
Reported By: securityaffairs.com