Customer Advisory | CA-A-010: Cisco SD-WAN Active Exploitation (CVE-2026-20122, CVE-2026-20128, and CVE-2026-20133)

By Adversary Tactics and Intelligence Team

Estimated Reading Time: 4 minutes

Cisco, SD-WAN, Vulnerability, Active Exploitation, CISA KEV, CVE-2026-20122, CVE-2026-20128, CVE-2026-20133

Source Material: CISA KEV  | Technology: Cisco Catalyst SD-WAN Manager  | Targeted Industries: Agnostic / Broadly Targeted

Executive Summary

On April 20, 2026, the Cybersecurity and Infrastructure Security Agency (CISA) updated its Known Exploited Vulnerabilities (KEV) catalog to include three critical flaws affecting Cisco Catalyst SD-WAN Manager. Identified as CVE-2026-20122, CVE-2026-20128, and CVE-2026-20133, these vulnerabilities encompass improper privileged API usage, insecure credential storage, and unauthorized data exposure. Due to known active exploitation of these vulnerabilities, immediate patching is necessary to protect SD-WAN environments from unauthorized access and administrative control.

Threat Overview and Strategic Impact

These security flaws introduce severe operational risks, potentially allowing adversaries to seize complete administrative control over enterprise SD-WAN fabrics.

  • CVE-2026-20128 (CVSS 7.5): This vulnerability, residing within the Data Collection Agent (DCA) feature, allows a remote, unauthenticated attacker to retrieve a sensitive credential file (.dca) via a crafted HTTP request. Obtaining this file grants the attacker DCA user privileges, paving the way for lateral movement across the network.
  • CVE-2026-20122 (CVSS 7.1): This defect permits an authenticated remote actor holding only read-only API credentials to overwrite arbitrary local system files. By uploading engineered payloads, the attacker can elevate that access to full vManage user privileges.
  • CVE-2026-20133 (CVSS 7.5): Due to inadequate local file system protections, an unauthenticated actor can query the SD-WAN Manager API to extract highly sensitive internal data.

Exploitation of these vulnerabilities results in a complete compromise of network routing configurations, enabling threat actors to manipulate traffic, intercept communications, or pivot deeper into protected corporate environments.

Security Hardening and Recommendations

Cisco advises that no workarounds or temporary mitigations exist for these vulnerabilities. Remediation relies entirely on upgrading the affected software.

  • Deploy Patches: Immediately update to a fixed software release. Cisco has identified the first fixed releases as versions 20.9.8.2, 20.12.5.3, 20.12.6.1, 20.15.4.2, and 20.18.2.1, depending on your current deployment branch.
  • Restrict Access: Confine all API and web UI interactions strictly to trusted administrative IP ranges and hardened management VLANs.
  • Enforce Shielding: Ensure Cisco Catalyst SD-WAN Control Components operate behind properly configured firewalls that block anomalous external traffic.
  • Disable Insecure & Non-Essential Services: Turn off plain HTTP access to the administrative portal and enforce TLS (HTTPS) for all management interactions. Additionally, disable any non-essential network services on the management plane to further reduce the available attack surface.
  • Audit Service Accounts: Urgently audit all read-only and administrative API accounts. Disable API access for any service account that does not strictly require it, to limit the vectors available for authenticated API abuse.
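A fleet-wide check that a practitioner could run against an inventory of SD-WAN Manager versions to see which systems are at or above the first fixed releases listed above. This is an added example, not Cisco's or Deepwatch's own tooling: the train-matching rule (a system is "fixed" only when it shares the first three version components with a listed fixed release and compares at or above it) is a conservative assumption, the hostnames and versions in the sample inventory are constructed, and anything reported other than "fixed" should be confirmed against Cisco's advisory.

```python
"""Compare running Cisco Catalyst SD-WAN Manager versions against the first
fixed releases named in the advisory. Added example; train-matching rule is an
assumption, sample inventory is constructed."""

# First fixed releases as listed in the advisory.
FIRST_FIXED = ["20.9.8.2", "20.12.5.3", "20.12.6.1", "20.15.4.2", "20.18.2.1"]


def parse(version):
    """'20.12.5.3' -> (20, 12, 5, 3). Numeric tuples compare correctly, so
    20.9.10 sorts after 20.9.8 (a plain string compare would get this wrong)."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in parts)


def assess(running, fixed=FIRST_FIXED):
    """Return (status, reference) for one running version.

    status is one of:
      'fixed'       same maintenance train (first three components) as a listed
                    fixed release and numerically at or above it
      'vulnerable'  same maintenance train but below the listed fixed release
      'unknown'     same major.minor train, but a maintenance release the
                    advisory lists no fixed build for; confirm with Cisco
      'not-listed'  no fixed release listed on this train; migrate to one
    """
    r = parse(running)
    same_maint = [f for f in fixed if parse(f)[:3] == r[:3]]
    if same_maint:
        ref = same_maint[0]
        return ("fixed" if r >= parse(ref) else "vulnerable", ref)
    same_train = [f for f in fixed if parse(f)[:2] == r[:2]]
    if same_train:
        return ("unknown", ", ".join(same_train))
    return ("not-listed", None)


def assess_fleet(inventory):
    """inventory: {hostname: running_version}. Returns {hostname: (status, ref)}."""
    return {host: assess(ver) for host, ver in inventory.items()}


def needs_action(results):
    """Hostnames whose status is anything other than 'fixed', sorted."""
    return sorted(h for h, (status, _) in results.items() if status != "fixed")


# Constructed sample inventory (hostnames and versions are hypothetical).
SAMPLE_INVENTORY = {
    "sdwan-mgr-01": "20.9.8.1",    # below 20.9.8.2 -> vulnerable
    "sdwan-mgr-02": "20.12.6.1",   # exactly the fixed build -> fixed
    "sdwan-mgr-03": "20.12.6.0",   # 20.12.6 train, below 20.12.6.1 -> vulnerable
    "sdwan-mgr-04": "20.12.4.1",   # 20.12 train, no listed fix for 20.12.4 -> unknown
    "sdwan-mgr-05": "20.14.1.0",   # no fixed release listed on 20.14 -> not-listed
}

if __name__ == "__main__":
    results = assess_fleet(SAMPLE_INVENTORY)
    for host, (status, ref) in sorted(results.items()):
        print(f"{host:14} {SAMPLE_INVENTORY[host]:10} {status:11} ref={ref}")
    print("needs action:", needs_action(results))
```

The rule deliberately refuses to call a 20.12.4.x or 20.9.9.x build "fixed" just because a later build in the same major.minor train is: the advisory names specific first fixed builds per maintenance release, and a version the list does not cover should be confirmed rather than assumed safe.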

Detection Strategy

Security operations personnel should actively audit proxy and web access logs on the SD-WAN Manager for suspicious patterns. Monitoring should focus on the /var/log/nms/containers/service-proxy/serviceproxy-access.log and /var/log/nms/vmanage-server.log files, specifically looking for unauthorized or anomalous interactions with the API endpoints associated with these vulnerabilities.

How Deepwatch Protects Our Customers

Our threat detection engineers continuously review incoming intelligence in order to refine and deploy updated detection logic. The security operations center actively evaluates alerts for privilege escalation, unusual file modifications, and unexpected API telemetry to rapidly isolate and contain threats within customer environments.

Threat Hunting Leads

Security analysts can hunt for indicators of attempted exploitation by querying the SD-WAN Manager access and server logs for the following behaviors:

  • Unusual GET requests aimed at the DCA configuration path: /reports/data/opt/data/containers/config/data-collection-agent/.dca
  • Anomalous POST activity communicating with the smart licensing upload module: /dataservice/smartLicensing/uploadAck
  • Unauthorized POST queries reaching undocumented script paths, such as /cmd.gz/cmd.jsp
  • Entries within vmanage-server.log documenting the generation or staging of suspicious deployment packages, such as cmd.gz.war.

Note: Analysts and threat hunters must correlate the source IP addresses of these events against known administrative jump boxes to accurately separate hostile reconnaissance from routine maintenance.
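The hunting leads and the jump-box correlation note above, turned into a small log search an analyst could run over an export of serviceproxy-access.log. This is an added example and not Deepwatch or Cisco tooling: the advisory does not show the log-line format, so the combined-log-style pattern below is an assumption that may need adjusting, and the jump-host allowlist and sample log lines are constructed.

```python
"""Hunt SD-WAN Manager access-log lines for the request patterns named in the
advisory and separate known admin jump hosts from untrusted sources.
Added example; the log format, allowlist and sample lines are assumptions."""
import re

# Assumed allowlist of administrative jump boxes (replace with your own).
ADMIN_JUMP_HOSTS = {"10.0.0.5"}

# Hunting leads from the advisory: (method, path fragment, description).
LEADS = [
    ("GET",
     "/reports/data/opt/data/containers/config/data-collection-agent/.dca",
     "DCA credential file retrieval (CVE-2026-20128)"),
    ("POST", "/dataservice/smartLicensing/uploadAck",
     "smart licensing upload module"),
    ("POST", "/cmd.gz/cmd.jsp",
     "undocumented script path"),
]

# Assumed combined-log-style line:
#   <client ip> - - [<timestamp>] "<METHOD> <PATH> <PROTO>" <status> <bytes>
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')


def classify(line):
    """Return a finding dict if the line matches a hunting lead, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("path").split("?", 1)[0]  # ignore query strings
    for method, fragment, lead in LEADS:
        # Substring match so prefixed or traversal-style variants still hit.
        if m.group("method") == method and fragment in path:
            return {"ip": m.group("ip"), "ts": m.group("ts"), "method": method,
                    "path": path, "status": int(m.group("status")), "lead": lead}
    return None


def hunt(lines, admin_hosts=ADMIN_JUMP_HOSTS):
    """Classify every line; tag each finding with whether its source is a
    known admin jump host (likely routine maintenance) or untrusted."""
    findings = []
    for line in lines:
        f = classify(line)
        if f:
            f["trusted_source"] = f["ip"] in admin_hosts
            findings.append(f)
    return findings


def summarize(findings):
    """Group findings per source IP: distinct leads touched and trust status."""
    summary = {}
    for f in findings:
        entry = summary.setdefault(
            f["ip"], {"leads": [], "trusted": f["trusted_source"]})
        if f["lead"] not in entry["leads"]:
            entry["leads"].append(f["lead"])
    return summary


def escalate(summary, min_leads=2):
    """Untrusted sources that touched several distinct leads. One address
    moving from the credential file to the upload module to the script path
    is the chain the advisory's ATT&CK mapping describes."""
    return sorted(ip for ip, e in summary.items()
                  if not e["trusted"] and len(e["leads"]) >= min_leads)


# Constructed sample log lines (documentation-range addresses, invented times).
SAMPLE_LOG = """\
203.0.113.7 - - [21/Apr/2026:03:12:09 +0000] "GET /reports/data/opt/data/containers/config/data-collection-agent/.dca HTTP/1.1" 200 1432
203.0.113.7 - - [21/Apr/2026:03:12:15 +0000] "POST /dataservice/smartLicensing/uploadAck HTTP/1.1" 200 88
203.0.113.7 - - [21/Apr/2026:03:12:40 +0000] "POST /cmd.gz/cmd.jsp?cmd=id HTTP/1.1" 200 512
10.0.0.5 - - [21/Apr/2026:08:00:01 +0000] "POST /dataservice/smartLicensing/uploadAck HTTP/1.1" 200 88
10.0.0.9 - - [21/Apr/2026:08:01:00 +0000] "GET /dataservice/device HTTP/1.1" 200 20480
"""

if __name__ == "__main__":
    summary = summarize(hunt(SAMPLE_LOG.splitlines()))
    for ip, e in summary.items():
        print(ip, "trusted" if e["trusted"] else "UNTRUSTED", e["leads"])
    print("escalate:", escalate(summary))
```

The jump-host allowlist only downgrades the urgency of a hit; a licensing upload from a trusted box still appears in the summary so it can be reconciled against change records, and a hit on the .dca path or cmd.jsp from any source should be reviewed regardless of the address.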

Technical Artifacts

Targeted File Path: /reports/data/opt/data/containers/config/data-collection-agent/.dca

Targeted Directory: /opt/data/app-server/software/package/license/ack/

Threat Object Mapping

Intrusion Set:

  • This activity is not attributed to a specific intrusion set at this time.

Attack Pattern (MITRE ATT&CK):

Tactic | Technique ID | Technique Name | Description
Initial Access | T1190 | Exploit Public-Facing Application | Adversaries target exposed Cisco Catalyst SD-WAN Manager APIs to breach the perimeter boundary.
Credential Access | T1552.001 | Credentials In Files | Malicious actors exploit CVE-2026-20128 to download the .dca file and extract cleartext or recoverable passwords.
Privilege Escalation | T1068 | Exploitation for Privilege Escalation | By manipulating CVE-2026-20122, attackers overwrite specific system files to elevate their access level to vmanage privileges.
Persistence | T1505.003 | Web Shell | Attackers deploy archives containing files like cmd.jsp to establish a persistent remote administration backdoor.

Vulnerabilities:

  • CVE-2026-20122
  • CVE-2026-20128
  • CVE-2026-20133

Malware/Tool:

  • This activity is not associated with a specific malware family or tool at this time.

Additional Sources
