Cisco Catalyst SD-WAN Manager Flaws Expose XSS and Multiple Vulnerabilities
dCERT issued advisories for Cisco Catalyst SD-WAN Manager and the SD-WAN Controller, warning of multiple security flaws affecting core SD-WAN management components. One advisory covers several vulnerabilities across the management platform and controller, indicating broader exposure in systems used to administer and orchestrate enterprise SD-WAN environments.
A separate dCERT advisory identifies a cross-site scripting (XSS) vulnerability in Cisco Catalyst SD-WAN Manager, highlighting the risk that attackers could inject malicious script into the web-based management interface. Together, the notices point to security weaknesses in Cisco SD-WAN administrative infrastructure that could affect the confidentiality and integrity of management sessions and require prompt review and remediation by defenders.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
dCERT publishes advisory on Cisco SD-WAN Manager XSS flaw
dCERT issued Advisory 2026-0854 for a cross-site scripting vulnerability affecting Cisco Catalyst SD-WAN Manager. The reference indicates the advisory was published on 2026-03-26.
dCERT publishes advisory on multiple Cisco SD-WAN vulnerabilities
dCERT issued Advisory 2026-0508 covering multiple vulnerabilities affecting Cisco Catalyst SD-WAN Manager and SD-WAN Controller. The reference indicates the advisory was published on 2026-02-25.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Cisco Discloses XSS in Catalyst SD-WAN Manager and SSRF in Nexus Dashboard
Cisco published security advisories for two enterprise management platforms: a cross-site scripting (**XSS**) flaw in **Cisco Catalyst SD-WAN Manager** and a server-side request forgery (**SSRF**) flaw affecting **Cisco Nexus Dashboard** and **Cisco Nexus Dashboard Insights**. The issues affect products used to centrally manage networking infrastructure, raising the risk that attackers could target administrative interfaces and backend request handling in high-value environments. The advisories identify separate web-application security weaknesses in Cisco's network management stack, with one issue tied to malicious script execution in the SD-WAN management interface and the other to unauthorized server-side requests from Nexus Dashboard components. Organizations using these platforms should review Cisco's product advisories, determine affected deployments, and prioritize remediation or mitigations for exposed management systems.
Apr 1, 2026
Active Exploitation of Cisco Catalyst SD-WAN Manager Vulnerabilities by UAT-8616
**CISA** ordered U.S. federal civilian agencies to urgently remediate a **critical Cisco Catalyst SD-WAN Manager compromise** tied to **CVE-2026-20127**, a `CVSS 10.0` authentication bypass flaw that allows attackers to obtain high-privilege access without valid credentials. Reporting indicates the activity was uncovered by **CISA** and **Cisco Talos**, which attributed exploitation to **UAT-8616** and assessed that the intrusions date back to 2023. Attackers reportedly maintained persistence by downgrading devices to older vulnerable software and then using the access to reach `NETCONF` and manipulate SD-WAN fabric configuration, creating significant risk for federal networks and other exposed deployments. Additional research shows the campaign is not limited to a single bug. Cisco disclosed in-the-wild exploitation of **CVE-2026-20127** together with **CVE-2022-20775**, an older SD-WAN CLI flaw enabling post-auth privilege escalation and root command execution, while external analysis warned that public proof-of-concept material around `CVE-2026-20127` has been misattributed and may produce incomplete detections. Researchers also highlighted broader exposure across internet-facing SD-WAN Manager instances and warned that **CVE-2026-20133** may present underappreciated risk and could already be seeing exploitation, underscoring that defenders should treat the Cisco SD-WAN issue as an active intrusion and hardening priority rather than a routine patch cycle.
Mar 21, 2026
Cisco SD-WAN Authentication Bypass Exploited for Admin Access and Persistence
Cisco disclosed and patched **CVE-2026-20182**, a critical `CVSS 10.0` authentication bypass flaw in **Cisco Catalyst SD-WAN Controller** and **Cisco Catalyst SD-WAN Manager** that has been exploited in the wild. The bug affects the `vdaemon` control-plane service over **DTLS/UDP 12346** and allows an unauthenticated attacker to impersonate a trusted peer, gain high-privilege administrative access, reach **NETCONF** on `TCP/830`, and manipulate SD-WAN fabric configuration. Rapid7 said the flaw stems from missing authentication checks when a peer claims to be a vHub device, enabling attackers to inject SSH keys for the `vmanage-admin` account and establish persistent access; Cisco said there are **no workarounds** and released fixed software versions for affected on-premises, cloud, managed-cloud, and FedRAMP deployments. Cisco Talos attributed the most sophisticated exploitation of `CVE-2026-20182` with high confidence to **UAT-8616**, which was observed adding SSH keys, modifying NETCONF settings, and escalating privileges to root, with infrastructure overlap noted with Operational Relay Box networks. Talos also reported broader ongoing attacks against SD-WAN environments, including widespread exploitation of previously disclosed **CVE-2026-20133**, **CVE-2026-20128**, and **CVE-2026-20122** after public proof-of-concept release, leading to deployment of JSP webshells such as **XenShell**, **Godzilla**, and **Behinder**, along with tools including Sliver, AdaptixC2, XMRig, gsocket, and credential-stealing scripts. **CISA added CVE-2026-20182 to the KEV catalog** and ordered federal agencies to remediate quickly, while Cisco and national cyber agencies urged organizations to preserve forensic evidence, review logs for unauthorized peering and `vmanage-admin` public-key logins, and patch all vulnerable control components immediately.
Jun 8, 2026