Multiple vulnerabilities in Cisco Catalyst SD-WAN Manager (CVE-2026-20133, CVE-2026-20122, CVE-2026-20128) are being actively exploited as a chained attack, enabling unauthenticated attackers to progress from information disclosure to full administrative control of the SD-WAN management plane.
Given that a single SD-WAN Manager instance can control thousands of devices, this represents a high-impact risk to enterprise and government networks. The inclusion of these vulnerabilities in CISA’s Known Exploited Vulnerabilities catalogue, along with an emergency remediation directive, highlights the urgency of patching and securing exposed systems immediately.
The vulnerabilities are exploited as a chained attack sequence, where each stage enables the next. The first stage uses CVE-2026-20133, an unauthenticated information disclosure flaw, to extract sensitive system data including internal IP addresses, credentials, and configuration details from SD-WAN Manager APIs.
The second stage leverages CVE-2026-20122, which allows misuse of privileged APIs to upload malicious files to the system. This provides attackers with an initial foothold within the management platform.
The third stage exploits CVE-2026-20128, which exposes stored DCA user credentials in a recoverable format. Attackers can extract these credentials and escalate privileges to gain full administrative access.
Once full control is achieved, attackers can manipulate network configurations, reroute traffic, deploy malicious payloads, and control all connected SD-WAN devices from a centralized interface. The details and technicalities of the attack campaign are discussed further.
Exploitation Demonstration:
The three vulnerabilities are chained in a structured attack sequence. CISA, along with security researchers and outlets including SC Media and IT Nerd Blog, has confirmed that the chain is being actively exploited. The exploitation sequence is as follows:
Ease of Exploitation:
The exploitation is considered highly feasible due to the availability of chained vulnerabilities, active exploitation in the wild, and the presence of internet-exposed SD-WAN Manager instances.
No initial authentication is required for the first stage, significantly lowering the barrier to entry. Once inside, attackers can leverage built-in functionality and exposed credentials to escalate privileges with minimal complexity. The centralized nature of SD-WAN management amplifies the impact of a single successful compromise.
Conclusion:
This campaign highlights the critical risk associated with vulnerabilities in network management platforms. The ability to chain multiple flaws into a full management plane takeover demonstrates how attackers can move from initial access to complete control with minimal resistance.
Organizations must treat this as an immediate priority by applying patches, restricting access, and conducting thorough compromise assessments. Failure to act can result in widespread network compromise and operational disruption.
A successful attack enables full administrative control over SD-WAN infrastructure, allowing attackers to intercept and reroute traffic, deploy malware across multiple devices, and maintain persistent access.
This can lead to large-scale operational disruption, data exfiltration, and potential ransomware deployment across the entire network fabric. Recovery from such an incident may require rebuilding configurations and performing comprehensive security audits.