Itdaily - CVE feast at Cisco: critical vulnerabilities in SD-WAN and firewalls

Cisco warns of critical vulnerabilities in its SD-WAN and firewall software, several of which are being actively exploited.

Cisco has identified and patched five CVEs in Catalyst, its SD-WAN management software. The vulnerabilities make it possible to bypass authentication, escalate privileges within the network, and subsequently leak information or overwrite files. Customers are urged to update the software to the latest supported versions.

In a statement, Cisco describes the five vulnerabilities. CVE-2026-20128 and CVE-2026-20122 deserve extra attention because, according to Cisco, they are already being actively exploited. These involve vulnerabilities that allow for information disclosure or arbitrary file overwriting. No signs of exploitation have been found for CVE-2026-20129, CVE-2026-20126, and CVE-2026-20133, but Cisco is disclosing them now as a precaution. CVE-2026-20129 even received a near-maximum CVSS score of 9.8.

As with any known vulnerability, patching quickly is the best remedy. In this case, it is even the only remedy, Cisco emphasizes. The network manufacturer has since rolled out a patch and requests that customers update to one of the versions below as soon as possible:

| Cisco Catalyst SD-WAN Manager Release | First Fixed Release |
|---|---|
| Earlier than 20.9¹ | Migrate to a fixed release. |
| 20.9 | 20.9.8.2 |
| 20.11¹ | 20.12.6.1 |
| 20.12 | 20.12.5.3, 20.12.6.1 |
| 20.13¹ | 20.15.4.2 |
| 20.14¹ | 20.15.4.2 |
| 20.15 | 20.15.4.2 |
| 20.16¹ | 20.18.2.1 |
| 20.18 | 20.18.2.1 |

Source: Cisco
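
An added example (not from the article or from Cisco) that checks installed SD-WAN Manager versions against the fixed-release table above. The table values are the article's; the comparison rules, hostnames and sample versions are assumptions: a build counts as fixed when it sits on the same maintenance branch as a listed fix and at or above it, or at or above the newest fix for its train.

```python
# Added example: triage SD-WAN Manager versions against the fixed-release table.
# Table values are copied from the article; the comparison rules are assumptions.

# Release train -> first fixed release(s) as listed in the table.
FIXED = {
    "20.9": ["20.9.8.2"],
    "20.11": ["20.12.6.1"],
    "20.12": ["20.12.5.3", "20.12.6.1"],
    "20.13": ["20.15.4.2"],
    "20.14": ["20.15.4.2"],
    "20.15": ["20.15.4.2"],
    "20.16": ["20.18.2.1"],
    "20.18": ["20.18.2.1"],
}

def parse(version):
    """'20.12.5.3' -> (20, 12, 5, 3), so 20.9.10 sorts above 20.9.8."""
    return tuple(int(part) for part in version.strip().split("."))

def triage(version):
    """Return (status, upgrade_targets) for one installed version string."""
    v = parse(version)
    train = ".".join(str(n) for n in v[:2])
    if v[:2] < (20, 9):
        return "migrate", []      # table row: "Migrate to a fixed release."
    if train not in FIXED:
        return "unknown", []      # train is not listed in the table
    fixes = [parse(f) for f in FIXED[train]]
    for fix in fixes:
        same_branch = v[:3] == fix[:3]
        # Assumed rule: a fix covers its own branch, the newest fix covers later builds.
        if v >= fix and (same_branch or fix == max(fixes)):
            return "fixed", []
    return "vulnerable", FIXED[train]

# Constructed sample inventory (hostnames and versions are made up).
INVENTORY = {
    "vmanage-a": "20.12.6.0",   # above 20.12.5.3 but below its own branch's fix
    "vmanage-b": "20.9.10.1",
    "vmanage-c": "20.13.1",     # train has no in-train fix, must move to 20.15.4.2
    "vmanage-d": "20.8.2",
}

if __name__ == "__main__":
    for host, ver in INVENTORY.items():
        status, targets = triage(ver)
        print(f"{host:10} {ver:10} {status:10} {', '.join(targets)}")
```

The 20.12.6.0 case is the one a plain "greater than the first fixed release" check gets wrong: it is newer than 20.12.5.3 but still older than the fix on its own branch.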

Leaky firewalls

Cisco’s security team has had to work overtime in recent days. Last week, Cisco reported another vulnerability in Catalyst SD-WAN Controller (CVE-2026-20127) that had been open since 2023. The vulnerability makes it possible to log into the platform without authentication and tamper with network configurations. The same patch protects you against all of these security flaws.

Cisco also had to seal up its firewall software, Secure Firewall Management Center, after two actively exploited vulnerabilities were discovered. Here again, one vulnerability bypasses authentication and grants root access (CVE-2026-20079), resulting in the risk of malicious code execution (CVE-2026-20131).