Security News: Security teams might be overlooking wider threat to Cisco SD-WAN

Divergent

Jul 26, 2025
Researchers from VulnCheck warn that a misattributed proof of concept ignores a separate, high-severity flaw.

As a wave of exploitation attempts target Cisco Software Defined Wide-Area Networking Systems, security teams might be overlooking a separate, important threat to the application, according to a report released Friday from vulnerability research firm VulnCheck.

Researchers warned that a closely watched zero-day flaw in Cisco SD-WAN, tracked as CVE-2026-20127, might not be the only major target of exploitation attempts. VulnCheck researchers said the more immediate threat could be a high-severity flaw tracked as CVE-2026-20133, which is linked to insufficient file system access restrictions.

Executive Summary
Multiple vulnerabilities exist in the Cisco Catalyst SD-WAN Manager, with active in-the-wild exploitation confirmed for CVE-2026-20128 and CVE-2026-20122. While industry focus has heavily targeted "CVE-2026-20127", the broader threat involves parallel exploitation of insufficient file system access and API mishandling, leading to potential root escalation and arbitrary file overwrites.

Technical Analysis & Remediation

MITRE ATT&CK Mapping
T1190 (Exploit Public-Facing Application)
T1505.003 (Server Software Component: Web Shell)

CVE Profile

CVE-2026-20129 (CVSS 9.8)

CVE-2026-20127 (CVSS 9.8)

CVE-2026-20126 (CVSS 7.8)

CVE-2026-20133 (CVSS 7.5)

CVE-2026-20128 (CVSS 7.5)

CVE-2026-20122 (CVSS 7.1)

CISA KEV Status
Active (Emergency Directive issued February 25, 2026).

Telemetry

Target Path: /reports/data/opt/data/containers/config/data-collection-agent/.dca

Target Path: /dataservice/smartLicensing/uploadAck

Malicious Endpoint: /cmd[.]gz/cmd[.]jsp

Constraint: The structure resembles a web shell deployment, as suggested by the .war and .jsp file extensions logged during the unauthorized uploadAck API interactions.

Remediation - THE ENTERPRISE TRACK (NIST SP 800-61r3 / CSF 2.0)

GOVERN (GV) – Crisis Management & Oversight

Command: Initiate emergency patching protocol per CISA directive for all Cisco Catalyst SD-WAN Manager instances.

DETECT (DE) – Monitoring & Analysis

Command: Query SIEM for anomalous HTTP POST requests to /dataservice/smartLicensing/uploadAck.

Command: Monitor /var/log/nms/containers/service-proxy/serviceproxy-access.log for unauthorized GET requests targeting the .dca credential file.
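As an added illustration of the two DETECT queries above (this is example code written for this thread, not code from the article, VulnCheck or Cisco): a small Python scanner that runs over constructed web-access log lines and flags the uploadAck POSTs, reads of the .dca file, and requests for the cmd.gz/cmd.jsp path named on this page. It assumes the log is in Apache/Nginx combined format (the real serviceproxy-access.log layout may differ, in which case only LOG_RE needs changing) and uses a hypothetical allow-list of administrative hosts.

```python
"""Flag the Cisco SD-WAN Manager indicators from this thread in access-log lines."""
import re
from collections import Counter
from urllib.parse import unquote

# ASSUMPTION: combined-format access log. Adjust LOG_RE if your
# serviceproxy-access.log uses a different layout.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Indicators taken from the telemetry and DETECT sections of this page.
UPLOAD_ACK_API = "/dataservice/smartLicensing/uploadAck"
DCA_CREDENTIAL_FILE = "/reports/data/opt/data/containers/config/data-collection-agent/.dca"
WEBSHELL_PATH = "/cmd.gz/cmd.jsp"

# Constructed placeholder: hosts that legitimately drive the Manager API.
# Replace with your own administrative jump hosts.
TRUSTED_ADMIN_HOSTS = {"10.0.0.5"}


def normalize_path(raw_path):
    """Drop the query string and percent-decode, so an encoded variant
    such as %2Edca compares equal to the plain indicator path."""
    return unquote(raw_path.split("?", 1)[0])


def classify(line, trusted=TRUSTED_ADMIN_HOSTS):
    """Parse one line; return (src, method, path, findings) or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    src, method = m["src"], m["method"]
    path = normalize_path(m["path"])
    findings = []
    # Licensing traffic is legitimate, so only non-allow-listed sources are anomalous.
    if method == "POST" and path == UPLOAD_ACK_API and src not in trusted:
        findings.append("uploadAck POST from untrusted host")
    # No client should fetch the credential file over HTTP, whatever its source.
    if method == "GET" and path == DCA_CREDENTIAL_FILE:
        findings.append(".dca credential file read")
    # The web shell path from the telemetry section is never legitimate.
    if path.endswith(WEBSHELL_PATH):
        findings.append("web shell path requested")
    return src, method, path, findings


def scan(log_text, trusted=TRUSTED_ADMIN_HOSTS):
    """Return only the parsed lines that triggered at least one finding."""
    hits = []
    for line in log_text.splitlines():
        result = classify(line, trusted)
        if result and result[3]:
            hits.append(result)
    return hits


def hits_per_source(hits):
    """Count findings per client address; one host chaining all three steps
    is a stronger signal than any single hit."""
    return Counter(src for src, _, _, findings in hits for _ in findings)


# Constructed sample lines (not real telemetry). 198.51.100.23 is a
# documentation-range address standing in for an untrusted client.
SAMPLE_LOG = """\
10.0.0.5 - - [26/Feb/2026:09:12:01 +0000] "GET /dataservice/device HTTP/1.1" 200 5120
198.51.100.23 - - [26/Feb/2026:09:13:44 +0000] "POST /dataservice/smartLicensing/uploadAck HTTP/1.1" 200 312
198.51.100.23 - - [26/Feb/2026:09:13:50 +0000] "GET /reports/data/opt/data/containers/config/data-collection-agent/.dca HTTP/1.1" 200 1440
198.51.100.23 - - [26/Feb/2026:09:13:58 +0000] "GET /reports/data/opt/data/containers/config/data-collection-agent/%2Edca?download=1 HTTP/1.1" 200 1440
198.51.100.23 - - [26/Feb/2026:09:14:02 +0000] "GET /cmd.gz/cmd.jsp HTTP/1.1" 200 88
10.0.0.5 - - [26/Feb/2026:09:15:00 +0000] "POST /dataservice/smartLicensing/uploadAck HTTP/1.1" 200 300
not a log line
"""

if __name__ == "__main__":
    for src, method, path, findings in scan(SAMPLE_LOG):
        print(f"{src} {method} {path}: {', '.join(findings)}")
    print(hits_per_source(scan(SAMPLE_LOG)))
```

The uploadAck check is gated on the allow-list because licensing calls do occur legitimately, whereas the .dca file and the web shell path are flagged from any source. Paths are percent-decoded before comparison so that an encoded spelling of the same file does not slip past a literal string match; on a real deployment, feed the scanner the serviceproxy-access.log named above and forward hits to the SIEM query in the first DETECT command.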

RESPOND (RS) – Mitigation & Containment

Command: Isolate affected SD-WAN Manager instances from the internet immediately.

Command: Extract and analyze the vmanage-server.log to conduct forensics for unauthorized .war deployments.

RECOVER (RC) – Restoration & Trust

Command: Rebuild the Catalyst SD-WAN fabric from known-good, offline backups if /cmd.gz/cmd.jsp is detected in access logs.

IDENTIFY & PROTECT (ID/PR) – The Feedback Loop

Command: Implement strict network access control lists (ACLs) to limit SD-WAN Manager API and web UI access to trusted administrative IP addresses only.

Command: Disable HTTP for the Cisco Catalyst SD-WAN Manager web UI administrator portal.

Remediation - THE HOME USER TRACK (Safety Focus)

Priority 1: Safety
Command: Acknowledge threat level is Theoretical/Low. Cisco Catalyst SD-WAN Manager is an enterprise appliance not found in standard home environments.

Priority 2: Identity
Command: Ensure standard home routers are updated to the latest firmware and default administrative passwords are changed.

Priority 3: Persistence
Command: Check local router administrative interfaces for unexpected configuration changes or unrecognized devices.

Hardening & References

Baseline: CIS Benchmarks for Cisco IOS/Network Devices.

Framework: NIST CSF 2.0 / SP 800-61r3.

Source

Cisco Security Advisory

Cybersecurity Dive Article

CVE-2026-20127

CVE-2026-20133

CVE-2026-20128