The security picture for Cisco's SD-WAN software continues to deteriorate. Just when Australian and international network administrators thought they had a patching roadmap, the company confirmed that two more vulnerabilities are being actively exploited in the wild.
The two flaws paint a bleak picture of the company's centralised network management platform. CVE-2026-20122 carries a CVSS score of 7.1 and allows an authenticated remote attacker to overwrite arbitrary files on the local filesystem. CVE-2026-20128, rated 5.5, could allow an authenticated local attacker to gain Data Collection Agent (DCA) user privileges on an affected system.
The threat is genuine because Catalyst SD-WAN Manager sits at the heart of enterprise network operations. It provides centralised visibility and control over thousands of edge devices, so a single compromise of the manager cascades through an entire network footprint. Third-party researchers have documented the scale of real-world exploitation: threat actors have deployed web shells, with activity peaking on 4 March and attacks spread across regions worldwide.
What makes this moment genuinely troubling is the context. This isn't an isolated incident but the continuation of a sustained campaign that began before many organisations even knew they were under fire. A week earlier, Cisco confirmed that a critical flaw (CVE-2026-20127, CVSS score 10.0) had been exploited by a highly sophisticated threat actor tracked as UAT-8616 to establish persistent footholds in high-value organisations. Attacks have been ongoing since at least 2023.
The response from governments underscores how seriously this is being taken. On 25-26 February 2026, CISA (US), the NCSC (UK), ASD's ACSC (Australia), CCCS (Canada) and NCSC-NZ issued a coordinated warning about the critical flaw. CISA also issued an emergency directive requiring federal agencies to inventory SD-WAN devices, apply updates and assess potential compromise, with agencies ordered to provide a catalogue of all in-scope systems by 26 February and a detailed inventory by 5 March 2026.
For Australian organisations, the Australian Cyber Security Centre's involvement signals this isn't a vendor problem isolated to American networks. SD-WAN deployments span sectors from banking to critical infrastructure. The visibility that makes the platform valuable in normal times becomes a liability when an attacker controls the management plane.
The patch path forward presents real challenges. There are no workarounds that address these vulnerabilities, so upgrades are mandatory, not optional. For large organisations with thousands of devices, coordinating that upgrade cycle carries operational risk. Yet waiting poses greater danger; defenders must balance disruption against the window of opportunity attackers currently enjoy. Patching alone is also not enough on a device that has already been compromised: an upgrade closes the entry point but does not evict an attacker who is already inside, which is why the directive pairs updates with compromise assessment.
What emerges from this sequence of disclosures is a pattern that demands honest reckoning. Cisco's architecture concentrates power in a single management point, which is precisely what makes it attractive to sophisticated adversaries. The company faces a genuine product challenge, not merely a patching challenge. Reasonable security professionals can disagree about whether the convenience of centralised SD-WAN control justifies the concentration of risk it creates. But that disagreement is increasingly academic; organisations have deployed this infrastructure at scale, and now they must defend it or replace it.
The earlier disclosure highlights another complexity. The actor behind CVE-2026-20127 chained that zero-day with a four-year-old privilege escalation vulnerability and used the device's own upgrade tool to erase evidence of compromise. Attackers don't wait for perfect exploits; they chain weaknesses across time. That means even organisations that patch the latest flaws must hunt for evidence of compromise stretching back years, and they cannot rely on on-device logs alone when the attacker has used the platform's own tooling to clean up behind them.
For now, the imperative is clear and narrow. Organisations running Catalyst SD-WAN need to treat this as a security emergency, not a routine maintenance window. The sophistication of known adversaries and the duration of undetected intrusions suggest that speed matters more than perfect orchestration.