Cisco Patches 48 Firewall Flaws, Warns of Active SD-WAN Attacks

Summary
– Cisco has confirmed that two patched vulnerabilities (CVE-2026-20128 and CVE-2026-20122) in its Catalyst SD-WAN Manager are now being actively exploited by attackers.
– CVE-2026-20128 allows a local attacker with valid credentials to gain elevated DCA user privileges by reading a password file from the system’s filesystem.
– CVE-2026-20122 is an API flaw that lets authenticated remote attackers overwrite arbitrary files and gain vmanage user privileges on the system.
– Separately, Cisco fixed 48 vulnerabilities in its Secure Firewall software, including two critical flaws (CVE-2026-20079 and CVE-2026-20131) that allow authentication bypass and remote code execution, respectively.
– The Dutch National Cyber Security Centre (NCSC-NL) warns that public proof-of-concept code for the firewall flaws is expected soon and urges immediate upgrades.
Cisco has updated its Catalyst SD-WAN Manager advisory to warn that two previously patched vulnerabilities are now under active attack, urging customers that have not yet applied the fixes to do so. Separately, the company released fixes for 48 flaws across its Secure Firewall products, including two maximum-severity issues. Together these advisories underline how little time network administrators have between a patch release and real-world exploitation.
The two exploited vulnerabilities, tracked as CVE-2026-20128 and CVE-2026-20122, were originally patched in late February. The first flaw exists within the Data Collection Agent (DCA) feature. An attacker who already holds valid vManage credentials and local access to the system could read a specific credential file from the filesystem to obtain the DCA user's password, and then use that password to log in to other systems with the elevated privileges of the DCA account.
The second vulnerability resides in the solution’s API. Authenticated remote attackers could leverage this bug to overwrite arbitrary files on a target system, ultimately gaining vManage user privileges. Cisco credited researcher Arthur Vidineyev with discovering these issues, along with three others addressed in the same advisory. While the company confirmed active exploitation, it did not link these attacks to a specific threat actor or provide further details on the campaigns.
This news follows a separate disclosure from last week concerning a “highly sophisticated” actor. That group exploited a different zero-day, CVE-2026-20127, to bypass authentication on Cisco Catalyst SD-WAN Controllers. After gaining access as a high-privileged user, the threat actor manipulated network configurations within the SD-WAN fabric.
In a separate but equally important advisory, Cisco addressed a substantial batch of 48 security flaws in its Secure Firewall ASA, Secure Firewall Management Center (FMC), and Secure Firewall Threat Defense (FTD) software. While most were rated medium severity, two stand out with the highest possible severity score.
The first critical flaw, CVE-2026-20079, is an authentication bypass in Cisco Secure Firewall Management Center Software. Attackers can trigger it by sending specially crafted HTTP requests to a vulnerable device. The second, CVE-2026-20131, is a remote code execution vulnerability in the same platform; exploitation involves sending a malicious serialized Java object to the web-based management interface, a classic insecure-deserialization pattern. Both are reached over HTTP against FMC, so restricting which networks can reach its management interface is a sensible interim control, but it is not a substitute for applying the patch.
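As an added illustration (not code from the article, from Cisco, or from Help Net Security), the following Python snippet shows how a defender could flag HTTP request bodies that carry a Java serialized object, the delivery vector described above for CVE-2026-20131. The Java serialization stream header is fixed (0xACED0005, which appears as the familiar prefix "rO0AB" when base64-encoded), so it can be matched whether the object arrives raw, URL-encoded, or base64-wrapped inside a form field or JSON string. The sample requests are constructed, their paths and field names are invented, and the check is a generic indicator of deserialization payloads rather than a signature for this specific bug.

```python
"""Flag HTTP request bodies that embed a Java serialization stream.

Added example for this article; it is not Cisco code and the sample
requests below are constructed, not real FMC traffic.
"""
import base64
import binascii
import re
from typing import Iterable, List, Tuple
from urllib.parse import unquote_to_bytes

# Java serialization header: STREAM_MAGIC (0xACED) followed by STREAM_VERSION (5).
JAVA_MAGIC = b"\xac\xed\x00\x05"

# Runs of base64 alphabet long enough to be worth decoding (with optional padding).
_B64_RUN = re.compile(rb"[A-Za-z0-9+/]{8,}={0,2}")


def _decoded_views(body: bytes) -> Iterable[bytes]:
    """Yield the body as received, percent-decoded, and every base64 run decoded."""
    yield body
    unquoted = unquote_to_bytes(body)
    if unquoted != body:
        yield unquoted
    for view in (body, unquoted):
        for token in _B64_RUN.findall(view):
            padded = token + b"=" * (-len(token) % 4)
            try:
                # validate=True rejects runs that merely look like base64.
                yield base64.b64decode(padded, validate=True)
            except (binascii.Error, ValueError):
                continue


def contains_java_serialized(body: bytes) -> bool:
    """True if any view of the body starts a Java serialization stream."""
    return any(JAVA_MAGIC in view for view in _decoded_views(body))


def scan(requests: Iterable[Tuple[str, bytes]]) -> List[str]:
    """Return the labels of the requests that carry a serialized Java object."""
    return [label for label, body in requests if contains_java_serialized(body)]


# Constructed sample bodies (labels and field names are invented for the example).
SAMPLE_REQUESTS: List[Tuple[str, bytes]] = [
    ("json login", b'{"username":"admin","password":"hunter2"}'),
    ("raw stream", b"\xac\xed\x00\x05sr\x00\x11java.util.HashMap"),
    ("base64 in form",
     b"state=" + base64.b64encode(b"\xac\xed\x00\x05sr\x00\x0ejava.util.Date")),
    ("urlencoded", b"payload=%AC%ED%00%05sr%00"),
]

if __name__ == "__main__":
    for label in scan(SAMPLE_REQUESTS):
        print(f"ALERT: Java serialized object in request '{label}'")
```

Run as a script it prints one alert per suspicious sample; in practice the same check would sit in a WAF rule or a log-enrichment step in front of the management interface. Compressed or otherwise wrapped payloads are out of scope here and would need an extra decoding layer.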
The Dutch National Cyber Security Centre (NCSC-NL) has warned that public proof-of-concept code for these firewall vulnerabilities is expected soon, which would likely lead to widespread exploitation attempts. The agency strongly recommends that system administrators prioritize upgrading to the patched software versions without delay. Cisco's consistent message across all of these advisories is clear: applying the provided fixes is the most effective way to mitigate these serious security risks.
(Source: Help Net Security)