By rssfeeds-admin 
These bugs let attackers skip authentication, grab root privileges, and run commands. The advisory, first posted February 25, now warns of real-world attacks on two flaws. No workarounds exist. Upgrade now to protect enterprise networks.
Vulnerability Details and Active Exploitation
Arthur Vidineyev from Cisco’s Advanced Security Initiatives Group (ASIG) found these issues during internal tests. They hit authentication, escalation, and disclosure controls.
The worst is CVE-2026-20129 (CVSS 9.8). Remote attackers without logins can hit flawed API calls to get netadmin rights. CVE-2026-20126 (CVSS 7.8) lets low-priv local users jump to full root on the OS via weak REST API checks.
Cisco’s March update flags active exploits of CVE-2026-20122 and CVE-2026-20128. CVE-2026-20122 (CVSS 7.1) allows logged-in attackers to overwrite files and seize vmanage access, risking data tampering. CVE-2026-20128 (CVSS 5.5) leaks DCA credentials.
Here’s the full CVE breakdown:
| CVE ID | CVSS Score | Severity | Description | CWE |
|---|---|---|---|---|
| CVE-2026-20129 | 9.8 | Critical | API Authentication Bypass (netadmin access) | CWE-287 |
| CVE-2026-20126 | 7.8 | High | Local Privilege Escalation (Root access) | CWE-257 |
| CVE-2026-20133 | 7.5 | High | Unauthenticated Remote Information Disclosure | CWE-200 |
| CVE-2026-20122 | 7.1 | High | Arbitrary File Overwrite (vmanage access) | N/A |
| CVE-2026-20128 | 5.5 | Medium | DCA Credential Information Disclosure | N/A |
Exploits target SD-WAN fabrics, exposing remote management to ransomware or data theft.
All Cisco Catalyst SD-WAN Manager versions before fixes are at risk, no matter the setup. Releases 20.18+ dodge CVE-2026-20129 and CVE-2026-20128.
Upgrade to: 20.9.8.2, 20.12.6.1, 20.15.4.2, or 20.18.2.1 based on your branch (Cisco PSIRT).
Key mitigations:
| Mitigation Category | Key Actions | Source |
|---|
| Mitigation Category | Key Actions | Source |
|---|---|---|
| Fixed Software Releases | Upgrade to 20.9.8.2, 20.12.6.1, 20.15.4.2, or 20.18.2.1 per branch. | Cisco PSIRT |
| Network Hardening | Limit to trusted hosts; put SD-WAN behind two-layer firewalls. | Cisco PSIRT |
| Service Configuration | Turn off HTTP for admin portal; disable FTP and unneeded services. | Cisco PSIRT |
| Monitoring | Send logs to an external server; watch for odd traffic or exploit signs. | Cisco PSIRT |
Block internet access to managers and monitor logs. Cisco urges quick patches to stop ongoing attacks.
Follow us on Google News , LinkedIn and X to Get More Instant Updates. Set Cyberpress as a Preferred Source in Google.
The post Critical Cisco Catalyst SD-WAN Vulnerabilities Allow Attackers to Gain Root Access appeared first on Cyber Security News.
Discover more from RSS Feeds Cloud
Subscribe to get the latest posts sent to your email.