Cisco has publicly acknowledged that two recently patched vulnerabilities, CVE-2026-20128 and CVE-2026-20122, affecting its Catalyst SD-WAN product line, are being actively exploited in the wild. These vulnerabilities relate to Cisco's software-defined wide area network (SD-WAN) solutions, which are widely used to manage and secure enterprise network traffic across distributed locations. While specific technical details of the flaws have not been disclosed in the provided information, the fact that they are exploited in the wild indicates attackers have found practical methods to leverage these weaknesses. The vulnerabilities likely allow unauthorized access or privilege escalation within the SD-WAN infrastructure, potentially enabling attackers to intercept, manipulate, or disrupt network traffic. Cisco has released patches to remediate these issues, underscoring the critical need for organizations to update affected systems promptly. The medium severity rating suggests that while the vulnerabilities are serious, exploitation may require some level of access or conditions that limit their impact compared to critical vulnerabilities. No CVSS scores are currently assigned, but the active exploitation status elevates the urgency for mitigation. The threat affects network infrastructure components that are foundational to enterprise connectivity, making it a significant concern for organizations relying on Cisco Catalyst SD-WAN for secure and efficient network operations.

The exploitation of these vulnerabilities in Cisco Catalyst SD-WAN devices can lead to unauthorized access to network management interfaces, allowing attackers to manipulate network configurations, intercept sensitive data, or disrupt network availability. This can compromise the confidentiality, integrity, and availability of enterprise network communications. Organizations may face operational disruptions, data breaches, and potential lateral movement within their networks. Given the central role of SD-WAN in modern enterprise networks, successful exploitation could impact multiple branch offices and cloud connections, amplifying the scope of damage. The medium severity rating suggests that while the vulnerabilities are serious, they may require some preconditions such as network access or authentication bypass. However, the active exploitation in the wild indicates that attackers are capable of leveraging these flaws, increasing the risk of real-world impact. Enterprises that delay patching or lack adequate network segmentation and monitoring are particularly vulnerable to these attacks.

Organizations should immediately apply the patches released by Cisco for CVE-2026-20128 and CVE-2026-20122 to eliminate the vulnerabilities. Beyond patching, network administrators should restrict access to SD-WAN management interfaces by implementing strict access control lists (ACLs) and network segmentation to limit exposure. Employ multi-factor authentication (MFA) on all administrative interfaces to reduce the risk of credential compromise. Continuous monitoring of network traffic and logs for unusual activity related to SD-WAN devices is essential to detect potential exploitation attempts early. Conduct regular vulnerability assessments and penetration testing focused on SD-WAN infrastructure to identify and remediate weaknesses proactively. Additionally, maintain up-to-date incident response plans tailored to network infrastructure attacks to ensure rapid containment and recovery. Vendor advisories and threat intelligence feeds should be monitored closely for updates or indicators of compromise related to these vulnerabilities.