"In March 2026, the Cisco PSIRT became aware of active exploitation of the vulnerabilities that are described in CVE-2026-20128 and CVE-2026-20122 only," the vendor said.
CISA's four-day directive to federal agencies
America's lead cyber-defense agency, the US Cybersecurity and Infrastructure Security Agency (CISA), has moved three recently patched Cisco Catalyst SD-WAN Manager flaws onto its Known Exploited Vulnerabilities (KEV) Catalog and given federal agencies a four-day window to install fixes. CISA added all three CVEs to the catalog on Monday and set a Thursday deadline for federal agencies to remediate the issues.
Cisco Catalyst SD-WAN Manager's central role
Cisco's Catalyst SD-WAN Manager platform, formerly known as vManage, is at the center of many organizations' SD-WAN deployments. Cisco notes the platform can manage up to 6,000 edge devices in a cluster — a configuration detail that underscores why flaws in the product can have broad operational impact for customers that rely on centralized management.
CVE-2026-20128: DCA information disclosure enabling DCA user privileges
The first of the three KEV listings, CVE-2026-20128, is described as an information disclosure vulnerability in the data collection agent (DCA) feature of Cisco Catalyst SD-WAN Manager. According to the advisory material cited by The Register, the flaw allows unauthenticated, remote attackers to gain DCA user privileges on an affected system.
CVE-2026-20122: Arbitrary file overwrite via read-only API credentials
CVE-2026-20122 is characterized as an arbitrary file overwrite vulnerability. The source states this weakness could let an authenticated remote attacker with valid read-only API credentials upload a malicious file, overwrite arbitrary local files, and gain vManage user privileges. Cisco has said it became aware of active exploitation of this vulnerability in March 2026.
CVE-2026-20133: Information disclosure not listed as actively exploited
The third CVE added to the KEV list, CVE-2026-20133, is another information disclosure vulnerability that allows unauthenticated, remote attackers to view sensitive information on affected systems. At press time, Cisco's advisory did not list CVE-2026-20133 as being under active exploitation, distinguishing it from the other two that Cisco identified as observed in the wild.
Patch history and unanswered questions from Cisco
Cisco patched all three CVEs in late February and in March warned that attackers were abusing two of the three. The vendor's statement — quoted at the top of this article — limited confirmed active exploitation to CVE-2026-20128 and CVE-2026-20122. The Register reported that Cisco did not immediately respond to questions about the scope of the attacks or what miscreants are doing with illicit access.
How the KEV addition changes risk management
Adding a vulnerability to CISA's KEV Catalog signals that the agency believes the flaw is already being exploited in real-world incidents; in practical terms, the listing shortened the timeline for federal agencies to patch to four days. The Register notes the KEV additions join at least two other Cisco SD-WAN CVEs already on the list, meaning agencies and organizations that use Cisco's SD-WAN management tooling are facing multiple, overlapping remediation obligations.
The public record in the source material is straightforward: three Cisco Catalyst SD-WAN Manager flaws were patched in late February, two of those were confirmed by Cisco PSIRT as being actively exploited in March, and CISA has now required federal agencies to patch the trio within days. Cisco's advisory does not list CVE-2026-20133 as under active exploitation, and Cisco did not provide further details to The Register about attackers' objectives or the scope of intrusions.
Those facts leave a pointed, practical question: with centralized management consoles that can control thousands of edge devices, what are defenders across federal and private networks doing in the narrow window CISA has provided to ensure those consoles are not the vector that expands a breach?
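One way a defender could track those overlapping deadlines is sketched below. It is an added example, not code from Cisco, CISA or The Register. The entries use the field names of CISA's KEV JSON feed, but the dates, the product string, the host names and the inventory layout are constructed assumptions.

```python
from datetime import date

# CVE IDs are from the article; the dates are constructed placeholders (the
# article gives only "Monday" and "Thursday"), laid out like KEV feed entries.
KEV_EXCERPT = [
    {"cveID": cve, "vendorProject": "Cisco", "product": "Catalyst SD-WAN Manager",
     "dateAdded": "2099-01-05", "dueDate": "2099-01-08"}
    for cve in ("CVE-2026-20128", "CVE-2026-20122", "CVE-2026-20133")
]
# Per the article, Cisco PSIRT confirmed exploitation of only these two.
VENDOR_CONFIRMED = {"CVE-2026-20128", "CVE-2026-20122"}

# Hypothetical inventory: host -> (product, CVEs already fixed on that host).
INVENTORY = {
    "sdwan-mgr-01": ("Catalyst SD-WAN Manager",
                     {"CVE-2026-20128", "CVE-2026-20122", "CVE-2026-20133"}),
    "sdwan-mgr-02": ("Catalyst SD-WAN Manager", {"CVE-2026-20128"}),
    "fw-edge-01": ("Other Firewall", set()),
}

def triage(kev, inventory, today):
    """Return open (host, cve, days_left, status, vendor_confirmed) rows,
    most urgent first."""
    rows = []
    for host, (product, fixed) in inventory.items():
        for entry in kev:
            # Skip entries for other products and CVEs already remediated.
            if entry["product"] != product or entry["cveID"] in fixed:
                continue
            days_left = (date.fromisoformat(entry["dueDate"]) - today).days
            status = "OVERDUE" if days_left < 0 else "DUE"
            rows.append((host, entry["cveID"], days_left, status,
                         entry["cveID"] in VENDOR_CONFIRMED))
    # Fewest days left first; vendor-confirmed exploitation breaks ties.
    rows.sort(key=lambda r: (r[2], not r[4], r[0], r[1]))
    return rows

if __name__ == "__main__":
    for row in triage(KEV_EXCERPT, INVENTORY, date(2099, 1, 7)):
        print(row)
```

The KEV due date applies to CVE-2026-20133 as well, even though it sorts after the two flaws Cisco confirmed as exploited.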




