As a wave of exploitation attempts targets Cisco Software Defined Wide-Area Networking Systems, security teams might be overlooking a separate, important threat to the application, according to a report released Friday from vulnerability research firm VulnCheck.
Researchers warned that a closely watched zero-day flaw in Cisco SD-WAN, tracked as CVE-2026-20127, might not be the only major target of exploitation attempts. VulnCheck researchers said the more immediate threat could be a high-severity flaw tracked as CVE-2026-20133, which is linked to insufficient file system access restrictions.
“The security community may be focusing too narrowly on CVE-2026-20127, while other SD-WAN vulnerabilities may also present notable risk and could be overlooked due to misattributed PoC exploits and incomplete detections,” Caitlin Condon, VP of security research at VulnCheck, told Cybersecurity Dive.
The threats are considered a priority among many in the security community, as the Cybersecurity and Infrastructure Security Agency issued an emergency directive on Feb. 25, ordering federal executive branch agencies to take immediate action to assess and patch Cisco SD-WAN Manager systems.
Researchers from Cisco Talos, in a Feb. 25 report, warned that a threat actor, tracked as UAT-8616, has been engaged in exploitation activity dating back to 2023. Cisco Talos said the threat actor had been targeting CVE-2026-20127, which is a vulnerability in Cisco Catalyst SD-WAN Controller, as well as CVE-2022-20775, which allows an authenticated, local attacker to gain elevated privileges.
Successful exploitation of CVE-2026-20127 allows an attacker to bypass authentication and gain administrative privileges on a targeted system, according to Cisco Talos.
VulnCheck said that in early March, several security firms reported in-the-wild exploitation after a proof of concept was released on March 3 by ZeroZenX Labs. It added that the proof of concept did not actually exploit CVE-2026-20127, but exploited several other vulnerabilities.
VulnCheck tested the exploit and found it valid, but identified three other vulnerabilities that were impacted. These include CVE-2026-20133; a vulnerability in the Data Collection Agent of Cisco SD-WAN, tracked as CVE-2026-20128; and CVE-2026-20122.
Researchers from Defused looked at VulnCheck’s findings and agreed there is exploitation taking place on multiple fronts.
“So from that sense our data supports VulnCheck's framing: 20127 is generating enormous automated noise with a widely circulated PoC, while 20133 activity, if present, has a far quieter footprint,” Simo Kohonen, founder and CEO of Defused, told Cybersecurity Dive.
Cisco updated its advisory earlier this month to reflect active exploitation of the latter two flaws.
A spokesperson for Cisco was not immediately available, nor was a spokesperson for CISA.