Code Defence Cyber security

CISA adds critical Cisco Catalyst SD-WAN Manager flaws to KEV catalog

Two critical vulnerabilities in the management plane of modern software-defined networking infrastructure are being actively exploited in the wild. These flaws allow unauthenticated attackers to bypass security controls or harvest administrative credentials, providing a direct path to compromise the entire corporate network fabric.

CVE-2026-20122 involves the incorrect use of privileged APIs in Cisco Catalyst SD-WAN Manager, allowing unauthenticated remote attackers to perform actions with administrative privileges. CVE-2026-20128 relates to the storage of passwords in a recoverable format, which can lead to the total compromise of management accounts. CISA added these to the KEV catalog on April 20, citing evidence of targeted attacks against industrial and government networks.

The management plane of an SD-WAN environment is the “brain” of the network; its compromise allows an attacker to redefine the routing, security, and access rules for every branch office and data center in the organization. The use of privileged APIs as an attack vector is a common failure point in modern, API-driven infrastructure management tools.

– Update Cisco Catalyst SD-WAN Manager to the latest security version (e.g., 20.12.x or 20.9.x releases) immediately.

– Perform a mandatory password reset for all administrative accounts following the application of the patch to neutralize recoverable credentials.

– Strictly isolate the SD-WAN management interface behind a Zero Trust gateway and restrict access to authorized IP ranges only.

– Audit management logs for anomalous API calls or unauthorized configuration changes dating back to March 2026.
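A sketch of the log audit in the last item, combined with the authorized-range restriction above it. This is an added example, not code from the original post or from Cisco. The JSON-lines export format, the field names (`ts`, `src_ip`, `user`, `method`, `path`) and the 192.0.2.0/24 admin range are assumptions, and the sample records are constructed.

```python
import ipaddress
import json
from datetime import datetime, timezone

# Assumption (not from the page or from Cisco): the audit log was exported
# as JSON lines with the hypothetical fields ts, src_ip, user, method, path.
ALLOWED_NETS = [ipaddress.ip_network("192.0.2.0/24")]    # constructed admin range
AUDIT_START = datetime(2026, 3, 1, tzinfo=timezone.utc)  # audit back to March 2026
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

# Constructed sample records, embedded so the example runs offline.
SAMPLE_LOG = """\
{"ts": "2026-02-20T10:00:00+00:00", "src_ip": "203.0.113.9", "user": "", "method": "POST", "path": "/api/config"}
{"ts": "2026-03-05T08:12:44+00:00", "src_ip": "192.0.2.15", "user": "netops1", "method": "PUT", "path": "/api/policy/7"}
{"ts": "2026-03-18T02:41:09+00:00", "src_ip": "198.51.100.77", "user": "netops1", "method": "GET", "path": "/api/devices"}
{"ts": "2026-04-02T03:05:51+00:00", "src_ip": "192.0.2.40", "user": "", "method": "POST", "path": "/api/users"}
not-json garbage line
"""

def audit(lines):
    """Return (line_number, reasons, record) for each suspicious entry."""
    findings = []
    for n, line in enumerate(lines, 1):
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
            src = ipaddress.ip_address(rec["src_ip"])
            in_window = datetime.fromisoformat(rec["ts"]) >= AUDIT_START
        except (ValueError, KeyError, TypeError):
            findings.append((n, ["unparseable entry, review manually"], line))
            continue
        if not in_window:
            continue  # older than the audit window
        reasons = []
        if not any(src in net for net in ALLOWED_NETS):
            reasons.append("source outside authorized ranges")
        if str(rec.get("method") or "").upper() in WRITE_METHODS and not rec.get("user"):
            reasons.append("state-changing call with no authenticated user")
        if reasons:
            findings.append((n, reasons, rec))
    return findings

if __name__ == "__main__":
    for n, reasons, rec in audit(SAMPLE_LOG.splitlines()):
        print(f"line {n}: {'; '.join(reasons)} -> {rec}")
```

Entries that cannot be parsed, including timestamps without a timezone, are reported rather than dropped, so a damaged or tampered log line still reaches a reviewer.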

SD-WAN management platforms require the same level of architectural isolation as core identity providers to prevent total network-layer takeover.