Code Defence Cyber security

Your SD-WAN management plane is facing a secondary wave of active exploitation. 🔓

CVE-2026-20128 · Severity 10.0 · Active exploitation of Cisco Catalyst SD-WAN Manager.

In the last 24 hours, Cisco has escalated warnings as threat actors move from the initial zero-day to secondary flaws. CVE-2026-20128 and CVE-2026-20122 are now confirmed as under active attack. These allow authenticated remote actors to overwrite arbitrary system files and escalate privileges to root.

While the initial CVSS 10.0 bypass has been the focus, these secondary flaws allow attackers who have gained a foothold to achieve permanent persistence across your entire network fabric. CISA has mandated an immediate inventory and forensic audit to detect indicators of compromise that may have been present since late 2023.

The uncomfortable truth: Patching the gateway is only half the battle when an adversary has already established lateral persistence inside your management plane.

→ Apply the March 2026 maintenance updates for Cisco Catalyst SD-WAN Manager today.

→ Rotate all administrative credentials and API keys used for network orchestration.

→ Audit your controller for unauthorized peer relationships or anomalous version downgrades.

Have you conducted a forensic review of your SD-WAN management logs for unauthorized file modifications? 👇

#Cybersecurity #NetworkSecurity #ZeroTrust #PatchManagement #CISO #CodeDefence
