Cisco Addresses Critical Security Vulnerabilities in Catalyst SD-WAN Products


By Tina Reynolds


Cisco has published a series of critical updates to address security vulnerabilities that could allow an attacker to execute arbitrary code on the targeted system. These updates primarily address the Catalyst SD-WAN Controller and Catalyst SD-WAN Manager. The firm is taking action against major threats that could soon impact all users globally.

CVE-2026-20127 is the most severe vulnerability, with the highest possible CVSS score of 10.0. That score places it in the most critical category and calls for urgent remediation; the flaw can potentially be exploited by unauthenticated attackers. CVE-2026-20128 has a CVSS score of 5.5. An attacker with user privileges for the Data Collection Agent (DCA) on an affected system may exploit it to achieve arbitrary code execution and potentially information disclosure.

Vulnerability Details and Impact

The two vulnerabilities in question have caused justifiable panic and concern in the cybersecurity community. Given CVE-2026-20127’s critical rating, Cisco has strongly encouraged its users to install the patches for affected products as soon as possible.

Cisco has made fixes available across multiple software versions: CVE-2026-20127 is addressed in versions 20.9.8.2, 20.12.5.3, and 20.12.6.1, while CVE-2026-20128 is resolved in versions 20.12.6.1 and 20.15.4.2. With these fixes, the company’s focus is on minimizing the risk from these vulnerabilities and protecting users against possible exploitation.

These were not the only vulnerabilities that researchers found. The most serious of the remaining ones, CVE-2026-20122, has a CVSS score of 7.1 and allows authenticated remote attackers to overwrite arbitrary files on the local file system. Cisco also fixed CVE-2026-20126, CVE-2026-20129, and CVE-2026-20133 in its most recent update.

High-Severity Vulnerabilities in Secure Firewall Management Center

Additionally, Cisco’s Secure Firewall Management Center has been found to contain two maximum-severity vulnerabilities: CVE-2026-20079 and CVE-2026-20131, both scoring 10.0 on the CVSS scale. Unauthenticated remote attackers may be able to exploit these vulnerabilities to bypass authentication and run arbitrary Java code as root on affected devices.

The impact of these vulnerabilities is massive, threatening access to sensitive systems and the integrity of their data. If your organization uses Cisco’s Secure Firewall Management Center, you need to move fast: apply the recommended patches as soon as possible to safeguard your networks.

“We expect activity to continue as part of the typical long tail of exploitation, as more threat actors become involved. With mass and opportunistic exploitation at play, any exposed system should be considered compromised until proven otherwise.” – Ryan Dewhurst

Recent Attack Trends and Recommendations

Recent activity around these vulnerabilities shows a significant uptick in exploitation attempts. According to cybersecurity expert Ryan Dewhurst, activity increased by nearly 500 percent on March 4 alone. Attacks were fairly evenly distributed across the globe, with targets in the U.S. seeing only marginally more activity than those elsewhere. This continuing trend underlines the need for organizations to evaluate their own systems for risky exposures.

As the risk and exploitation landscape changes rapidly, Cisco urgently reminds customers to install these updates as quickly as possible. We urge all organizations to stay alert and actively monitor their IT environments for any indicators of compromise.