Actively Exploited Critical Vulnerabilities in Cisco Secure Firewall and Catalyst SD-WAN Manager
Belgium’s CCB (Safeonweb) warned of multiple critical vulnerabilities across several Cisco products—specifically calling out Cisco Secure Firewall (including Adaptive Security Appliance (ASA), Firepower Management Center (FMC), and Firepower Threat Defense (FTD)) and Cisco Catalyst SD-WAN Manager—and stated that some vulnerabilities are being actively exploited, urging immediate patching. The advisory lists a broad set of weakness classes including authentication bypass (CWE-288/CWE-287), deserialization of untrusted data (CWE-502), buffer overflow (CWE-120), SQL injection (CWE-89), and sensitive information exposure (CWE-200), and highlights multiple CVEs including CVE-2026-20079 and CVE-2026-20131 with CVSS 10.0.
A separate advisory from the Center for Internet Security (CIS) also reported multiple vulnerabilities in Cisco products that could enable remote code execution, enumerating a large set of related CVEs (including CVE-2026-20001, CVE-2026-20002, CVE-2026-20003, and CVE-2026-20039). Taken together, the advisories indicate a high-risk patching priority for organizations running affected Cisco network/security management and firewall platforms, particularly where internet exposure or untrusted management-plane access could make exploitation more likely.
Related Stories

Cisco Patches Critical Firewall Management RCE Vulnerabilities
Cisco released emergency fixes for two **critical (CVSS 10.0)** vulnerabilities in its firewall management software that could allow **remote, unauthenticated attackers** to execute code and gain **root-level** access to the underlying operating system. The issues are tracked as `CVE-2026-20079` and `CVE-2026-20131`, and reporting emphasized the risk profile given Cisco’s widespread deployment in large enterprises and the historical interest of sophisticated actors in rapidly weaponizing Cisco bugs. Available reporting stated there were **no confirmed in-the-wild exploitation** reports at the time of publication, but urged rapid patching due to the combination of unauthenticated reachability and full compromise potential. Separate coverage packaged the Cisco flaws alongside other weekly security items (e.g., Tycoon2FA infrastructure takedown and other incidents), but the Cisco item consistently described the same two maximum-severity firewall management vulnerabilities and their impact (RCE leading to root access).
1 week ago
Active Exploitation of Cisco Catalyst SD-WAN Manager Vulnerabilities
Cisco and U.S./U.K./Five Eyes cyber agencies warned of an ongoing campaign targeting **Cisco Catalyst SD-WAN** deployments, with exploitation confirmed dating back to at least 2023 and attributed by Cisco to a highly sophisticated actor tracked as **UAT-8616**. The activity has been described as posing an “unacceptable” risk to federal networks and broader global environments because compromise of SD-WAN/edge infrastructure can enable deep network access, traffic interception, and operational disruption. Cisco updated its advisories to state that **CVE-2026-20127** (critical auth bypass) has been exploited as a zero-day, enabling attackers to compromise SD-WAN controllers and add **rogue peers** that appear legitimate to facilitate further intrusion. Cisco also flagged additional *Catalyst SD-WAN Manager (vManage)* issues as actively exploited: **CVE-2026-20122** (high-severity arbitrary file overwrite requiring valid read-only/API credentials) and **CVE-2026-20128** (information disclosure requiring local access with valid vManage credentials). Agencies and Cisco urged urgent mitigation including inventorying affected devices, applying fixed releases/patches, retaining and reviewing logs, and hunting for indicators of compromise; CISA also issued **Emergency Directive `26-03`** for federal agencies.
1 week ago
Active exploitation of Cisco Catalyst SD-WAN authentication bypass (CVE-2026-20127)
Government and vendor advisories warned of **active, in-the-wild exploitation** of a critical **improper authentication / authentication bypass** vulnerability in **Cisco Catalyst SD-WAN** (tracked as `CVE-2026-20127`) affecting the **Catalyst SD-WAN Controller** (formerly *vSmart*) and related SD-WAN components. The flaw is in the **peering authentication process** and can allow an **unauthenticated remote attacker** to send crafted requests that result in access as an internal, high-privileged (non-root) administrative account, enabling actions such as **NETCONF access** and manipulation of SD-WAN fabric configuration; multiple national CERT/CSIRT bodies (including Canada’s Cyber Centre and France’s CERT-FR) urged immediate patching or migration off end-of-maintenance releases, noting some affected trains will not receive fixes. Cisco Talos attributed observed exploitation and post-compromise activity to a sophisticated actor tracked as **UAT-8616**, with evidence suggesting activity dating back to **2023**. Partner reporting and CISA guidance described a broader intrusion chain in which actors use `CVE-2026-20127` for initial access, then escalate privileges and persistence—reportedly including **software version downgrade** tactics and subsequent exploitation of `CVE-2022-20775`—leading to **root access** and long-term footholds in SD-WAN environments. CISA added both `CVE-2026-20127` and `CVE-2022-20775` to the **Known Exploited Vulnerabilities (KEV)** catalog and, via **Emergency Directive ED 26-03**, required U.S. FCEB agencies to inventory in-scope Cisco SD-WAN systems, collect forensic artifacts (e.g., snapshots/logs), patch, and assess for compromise; international partners echoed similar hunt-and-mitigate actions.
2 weeks ago