Warning: Multiple critical vulnerabilities in several Cisco products, including Cisco Secure Firewall and Cisco Catalyst SD-WAN Manager. Some are being actively exploited. Patch immediately!

Published: 05/03/2026

    * Last Update: 05/03/2026

    * Affected products:
         → Cisco Secure Firewall:
             → Adaptive Security Appliance
             → Management Center Software
             → Threat Defense Software
         → Cisco Catalyst SD-WAN Manager

    * Type:

  • CWE-288: Authentication Bypass Using an Alternate Path or Channel
  • CWE-502: Deserialization of Untrusted Data
  • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
  • CWE-330: Use of Insufficiently Random Values
  • CWE-770: Allocation of Resources Without Limits or Throttling
  • CWE-401: Missing Release of Memory after Effective Lifetime
  • CWE-244: Improper Clearing of Heap Memory Before Release ('Heap Inspection')
  • CWE-772: Missing Release of Resource after Effective Lifetime
  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
  • CWE-648: Incorrect Use of Privileged APIs
  • CWE-257: Storing Passwords in a Recoverable Format
  • CWE-287: Improper Authentication
  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

    * CVE/CVSS:

  • CVE-2026-20079: CVSS 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
  • CVE-2026-20131: CVSS 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
  • CVE-2026-20100: CVSS 7.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H)
  • CVE-2026-20101: CVSS 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)
  • CVE-2026-20103: CVSS 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)
  • CVE-2026-20105: CVSS 7.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H)
  • CVE-2026-20106: CVSS 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
  • CVE-2026-20039: CVSS 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)
  • CVE-2026-20082: CVSS 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)
  • CVE-2026-20001: CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
  • CVE-2026-20002: CVSS 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
  • CVE-2026-20003: CVSS 4.9 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)
  • CVE-2026-20122: CVSS 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N)
  • CVE-2026-20126: CVSS 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
  • CVE-2026-20128: CVSS 7.5 (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H)
  • CVE-2026-20129: CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
  • CVE-2026-20133: CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Sources

Cisco

Risks

Note: The assessment is provided for the product set as a whole and should be considered a unified evaluation. It does not apply to each individual vulnerability separately, but to the collection overall.

Cisco Secure Firewall

Cisco Secure Firewall (Adaptive Security Appliance, Management Center Software, Threat Defense Software) is the platform for managing network security, including firewall rules, VPNs, intrusion prevention, and endpoint protection.

The vulnerabilities identified in Cisco Secure Firewall allow unauthenticated or authenticated attackers to perform actions that include remote code execution, authentication bypass, SQL injection, and denial of service.

The impact to confidentiality, integrity, and availability is high.

It’s especially dangerous because Cisco Secure Firewall appliances manage network traffic, VPN access, and security policies across the enterprise; exploitation could lead to full control of the management system, particularly since these devices are frequent targets for intrusions.

There is currently no evidence that these vulnerabilities have been exploited in the wild.

Cisco Catalyst SD-WAN Manager

Cisco Catalyst SD‑WAN Manager is the centralized management platform for Cisco’s SD‑WAN infrastructure, providing policy configuration, monitoring and orchestration. It plays a key role in secure connectivity, traffic steering, and distributed site communication across enterprise networks.

The identified vulnerabilities in Cisco Catalyst SD‑WAN Manager allow attackers to bypass authentication, elevate privileges, access sensitive information, and overwrite files through flaws in the API and file handling mechanisms.

The impact to confidentiality, integrity, and availability is high.

These vulnerabilities are particularly critical because SD‑WAN Manager instances have been actively targeted and exploited in the wild, making timely patching essential to prevent network compromise.

There is evidence that two vulnerabilities (CVE-2026-20128, CVE-2026-20122) are being exploited in the wild.

In both cases, Cisco Catalyst SD‑WAN Manager and Cisco Secure Firewall, an attacker can chain vulnerabilities to achieve an even greater impact.

Description

Cisco Secure Firewall

This weakness allows attackers to conduct the following:

  • Delivery - The attacker sends crafted network packets, HTTP/HTTPS requests, or API calls targeting the vulnerable firewall management interface or appliance services.
  • Input / authentication bypass - The system fails to properly validate input or enforce authentication in certain cases, allowing privilege escalation, remote code execution, or SQL injection.
  • Execute / Post compromise - Attackers can execute arbitrary code, bypass authentication, modify firewall policies, or inject commands, potentially gaining full administrative control of the appliance.
  • Post compromise impact - Attackers can manipulate network traffic, intercept VPN communications, disable security protections, disrupt services, alter firewall rules, or pivot laterally across the enterprise network.

Cisco Catalyst SD-WAN Manager

This weakness allows attackers to conduct the following:

  • Delivery - The attacker sends crafted API requests, HTTP requests, or specially formatted files to the SD-WAN Manager interface.
  • Input / authentication bypass - The platform fails to properly validate API inputs or enforce authentication, allowing privilege escalation or arbitrary file modifications.
  • Execute / Post compromise - Attackers can overwrite critical system or configuration files, execute administrative commands, or gain elevated privileges within the management system.
  • Post compromise impact - Attackers can manipulate SD-WAN policies, exfiltrate configuration or network information, disrupt site-to-site connectivity, inject malicious routing changes, or pivot into connected network devices.

Recommended Actions

Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing.

Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via https://ccb.belgium.be/cert/report-incident.

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

References

Help Net Security - https://www.helpnetsecurity.com/2026/03/05/cisco-cve-2026-20128-cve-2026-20122-exploited/