Cisco SD-WAN CVE-2026-20122: Mass Exploitation, Patch or Die

I had literally just wrapped up the Android zero-day write-up — another “patch your damn devices, yes right now” piece — and before I could finish my fourth coffee of the morning, Cisco drops the confirmation that two more vulnerabilities in Catalyst SD-WAN Manager are being actively exploited in the wild. Mass exploitation. Web shells being deployed. Attacks spiking on March 4 from multiple IP ranges across multiple regions globally. And you know what the kicker is? One of the CVEs in this product family — CVE-2026-20127, CVSS 10.0, a perfect score — has been exploited in Cisco SD-WAN since 2023. Three years. The vulnerability has been weaponized since approximately the Biden first term, and organizations still had unpatched Cisco SD-WAN devices sitting exposed on the internet in 2026.

I don’t have words. I have profanity. Let me use some of it.

What’s Happening Right Now

Per The Hacker News (March 4, 2026), Cisco confirmed that CVE-2026-20122 and CVE-2026-20128 in Catalyst SD-WAN Manager are under active exploitation. watchTowr’s head of proactive threat intelligence Ryan Dewhurst stated publicly: “The largest spike in activity occurred on March 4, with attacks widely spread across various regions worldwide, and U.S.-based areas saw slightly higher activity than others. We expect activity to continue as part of the typical long tail of exploitation, as more threat actors become involved. With mass and opportunistic exploitation at play, any exposed system should be considered compromised until proven otherwise.”

Any exposed system. Should be considered compromised. Until proven otherwise. That is not normal vulnerability advisory language. That is a security researcher telling you your house is probably already on fire and you haven’t noticed the smoke yet.

watchTowr observed exploitation attempts from numerous unique IP addresses, with attackers deploying web shells after successful exploitation. Web shells. Not just scanning, not just reconnaissance, not just proof-of-concept pokes — actual post-exploitation persistence via web shell installation. Attackers are establishing footholds, not just kicking the tyres.

The related CVE-2026-20127 (CVSS 10.0 — maximum, perfect severity score) had already been added to CISA’s Known Exploited Vulnerabilities catalog alongside CVE-2022-20775 — a 2022 vulnerability in the same product family that Cisco SD-WAN defenders apparently also failed to patch in the intervening four years. CISA mandated Federal Civilian Executive Branch agencies to patch both within 24 hours. Twenty-four hours. That’s CISA’s way of saying this is on fire right now, not “put it on the roadmap.”

This is also connected to activity by a threat actor tracked as UAT-8616, which Cisco Talos described as demonstrating “a continuing trend of the targeting of network edge devices by cyber threat actors looking to establish persistent footholds into high-value organizations, including Critical Infrastructure (CI) sectors.” Network edge. Persistent footholds. Critical infrastructure. Let that sit for a moment while you inventory your Cisco SD-WAN deployment.

Why Catalyst SD-WAN Is Such a Juicy Target

Cisco Catalyst SD-WAN Manager is the centralized management and orchestration plane for SD-WAN deployments. In practical terms: it’s the control panel for your distributed WAN infrastructure. Compromise it and you potentially have visibility into — and control over — every branch, every remote site, every traffic flow in the entire SD-WAN fabric. That’s not just one office. That’s the entire network. For an enterprise with SD-WAN deployed across dozens or hundreds of locations, the SD-WAN Manager is essentially the master key.

For attackers focused on critical infrastructure, the appeal is obvious. A compromised SD-WAN Manager lets you see traffic patterns, manipulate routing, install persistent backdoors on remote branch devices, and do all of this from a management interface that typically generates less suspicion than unusual endpoint activity. Edge devices, as the Google GTIG 2025 report just documented in exhaustive detail, are the primary target of nation-state espionage groups precisely because they lack EDR coverage and provide disproportionate access.

And unlike a compromised laptop or server, SD-WAN Manager compromise is genuinely difficult to detect without specific telemetry. The management plane looks like… management traffic. Administrators logging in. Configurations being pushed. Someone with access doing management-plane things. Your SIEM is not tuned to ask “wait, why is the SD-WAN Manager making configuration changes to twelve branch devices at 2am on a Saturday?” It should be. It isn’t. And the attackers know that.

What Went Wrong — The Three-Year Backlog

Let’s talk about CVE-2026-20127 for a moment. CVSS 10.0. Being exploited since 2023. Added to KEV in March 2026 alongside CVE-2022-20775 — another ancient bug. This tells us something specific and depressing about Cisco SD-WAN patching culture: these are not obscure, hard-to-find vulnerabilities in niche deployments. These are critical bugs in a major enterprise WAN platform with a direct CISA mandate, and large numbers of organizations simply… didn’t patch them. For years.

The reasons organizations don’t patch network infrastructure are well-documented and infuriatingly stupid: change management friction (the ITSM ticket isn’t approved yet), fear of disruption (what if the firmware update breaks something?), and — this is the one that makes me want to flip a table — lack of visibility into what firmware version is actually running. IT administrators who can tell you the exact patch level of every Windows workstation in the fleet often genuinely don’t know what software version is running on their Cisco SD-WAN Manager until someone asks specifically.

I covered the same dynamic in my piece about the Marquis vs. SonicWall lawsuit — that whole catastrophe happened because a firewall vendor’s own backup service had a vulnerability that exposed customer credentials, allowing attackers to walk straight through the firewall. The pattern is the same: it’s always the security infrastructure, always the management plane, always the thing that’s supposed to protect everything else. These devices get treated as infrastructure rather than attack surface, and the patching discipline is systematically worse.

The FileZen CVE-2026-25108 KEV listing earlier this year demonstrated the exact same gap: CISA adds something to KEV with an urgent remediation deadline, and a significant proportion of affected organizations discover in the process that they had no automated mechanism for rapidly identifying and patching the affected systems. Every time. The same discovery. The same scramble.

The Fixer’s Advice — Here’s What You Do Right Now

If you are running Cisco Catalyst SD-WAN Manager in any capacity, whether it’s a handful of branch offices or a global enterprise deployment, here is your action plan. Not this week. Today.

Step 1: Determine your exposure immediately. Is your Cisco SD-WAN Manager interface exposed to the internet? It should not be. Management interfaces should be accessible only from dedicated management networks or via out-of-band access paths — never directly internet-accessible. If yours is internet-facing right now, that is your first problem and it predates the CVE conversation entirely. Put it behind a management network or VPN immediately.

Step 2: Pull your firmware version right now. Log into your SD-WAN Manager and find out what software version you’re running. Compare it against Cisco’s security advisory for CVE-2026-20122 and CVE-2026-20128. If you’re not running the patched version, you have unpatched actively exploited vulnerabilities in production. Schedule the emergency maintenance window. Tonight, if at all possible.

Step 3: Assume compromise and hunt. Following watchTowr’s guidance — “any exposed system should be considered compromised until proven otherwise” — run through your SD-WAN Manager for indicators of compromise before you simply patch and move on. Look for: unexpected admin accounts created, web shells or unusual files in web-accessible directories, configuration changes you didn’t make, unexpected outbound connections from the management platform, and authentication events from unexpected IP addresses or at unexpected times. If you find anything suspicious: isolate, preserve forensic evidence, and escalate. Patching over an active compromise without evicting the attacker first just gives them a patched box to continue operating from.

Step 4: Review your SD-WAN Manager access controls. Multi-factor authentication on the management interface: is it enabled? If not, turn it on today. Role-based access control: are there admin accounts that belong to people who have left the organization, contractors whose engagements ended, or third-party vendors who “might need access sometime”? Revoke them. Account for every admin credential. This ties directly to what I wrote about ShinyHunters burning SSO victims alive — the management plane is only as secure as the credential management around it.

Step 5: Enable NetFlow and management-plane logging. SD-WAN Manager should be generating authentication logs, API call logs, and configuration change logs that flow into your SIEM. Write detection rules for: admin logins outside business hours, bulk configuration changes, new admin account creation, and API calls from unexpected source IPs. These rules will catch both exploitation attempts and post-exploitation activity. They should have been written before now. Write them now.

Step 6: Check your full Cisco CVE backlog. CVE-2022-20775 — a 2022 bug — being on CISA’s KEV in March 2026 means someone in your organization failed to patch a four-year-old critical vulnerability. Run the full Cisco PSIRT advisory list against your entire Cisco infrastructure inventory, not just SD-WAN. Check IOS XE. Check FTD. Check Meraki. Check everything with a Cisco logo on it. I guarantee there are other unpatched critical vulnerabilities sitting in your environment that haven’t been turned into a news cycle yet. Find them before someone else does.
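The hunting indicators in Step 3 and the detection rules in Step 5 overlap heavily, so here is one worked example covering both. This is an added illustration, not Cisco's code and not the SD-WAN Manager's real log format: the key=value line layout, the management network range, the business-hours window, the bulk-change threshold and the sample events are all constructed assumptions. Map the field names onto whatever your SD-WAN Manager actually exports to the SIEM before using the rule logic.

```python
"""Toy management-plane detection rules run over constructed SD-WAN Manager log lines.

Added example. The log format (ISO timestamp followed by key=value tokens) is an
assumption; Cisco's actual audit/syslog output differs and must be mapped first.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
import re

# Assumptions: legitimate admin access only comes from this management subnet,
# during 08:00-18:00 UTC on weekdays; five pushes in ten minutes is "bulk".
MANAGEMENT_NETS = [ipaddress.ip_network("10.20.0.0/24")]
BUSINESS_HOURS = (8, 18)
BULK_THRESHOLD = 5
BULK_WINDOW = timedelta(minutes=10)

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kv>.*)$")


def parse_line(line):
    """Parse one constructed log line into a dict; returns None on junk input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(tok.split("=", 1) for tok in m.group("kv").split() if "=" in tok)
    fields["ts"] = datetime.fromisoformat(m.group("ts").replace("Z", "+00:00"))
    return fields


def is_management_ip(ip):
    """True only if the source address sits inside an allowed management range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in MANAGEMENT_NETS)


def outside_business_hours(ts):
    """Weekend, or outside the configured weekday window (the '2am on a Saturday' case)."""
    return ts.weekday() >= 5 or not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1])


def detect(lines):
    """Return (rule, user, detail) findings for the Step 3 / Step 5 indicators."""
    findings = []
    pushes = defaultdict(list)  # user -> timestamps of recent config pushes
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        kind, user, ts, src = ev.get("event"), ev.get("user", "?"), ev["ts"], ev.get("src", "")
        if kind == "login" and ev.get("result") == "success":
            if not is_management_ip(src):
                findings.append(("login_from_unexpected_src", user, src))
            if outside_business_hours(ts):
                findings.append(("login_outside_hours", user, ts.isoformat()))
        elif kind == "api_call" and not is_management_ip(src):
            findings.append(("api_from_unexpected_src", user, ev.get("path", "")))
        elif kind == "user_create" and ev.get("role") == "admin":
            findings.append(("new_admin_account", user, ev.get("target", "")))
        elif kind == "config_push":
            # Sliding window: keep only pushes inside BULK_WINDOW, alert once on crossing.
            pushes[user] = [t for t in pushes[user] + [ts] if ts - t <= BULK_WINDOW]
            if len(pushes[user]) == BULK_THRESHOLD:
                findings.append(("bulk_config_change", user,
                                 f"{BULK_THRESHOLD} pushes within {BULK_WINDOW}"))
    return findings


# Constructed sample: benign weekday activity from the management subnet, then a
# Saturday 02:00 UTC session from outside it that creates an admin account and
# pushes configuration to five branches in under a minute.
SAMPLE_LOG = """\
2026-03-04T09:12:01Z event=login user=netops src=10.20.0.15 result=success
2026-03-04T09:13:44Z event=config_push user=netops src=10.20.0.15 target=branch-01
2026-03-07T02:03:10Z event=login user=admin src=198.51.100.23 result=success
2026-03-07T02:04:02Z event=user_create user=admin src=198.51.100.23 target=svc_backup role=admin
2026-03-07T02:05:00Z event=config_push user=admin src=198.51.100.23 target=branch-01
2026-03-07T02:05:10Z event=config_push user=admin src=198.51.100.23 target=branch-02
2026-03-07T02:05:20Z event=config_push user=admin src=198.51.100.23 target=branch-03
2026-03-07T02:05:30Z event=config_push user=admin src=198.51.100.23 target=branch-04
2026-03-07T02:05:40Z event=config_push user=admin src=198.51.100.23 target=branch-05
2026-03-07T02:06:15Z event=api_call user=admin src=198.51.100.23 path=/constructed/example
"""

if __name__ == "__main__":
    for rule, user, detail in detect(SAMPLE_LOG.splitlines()):
        print(f"{rule:28s} user={user:8s} {detail}")
```

The benign weekday lines produce nothing; the Saturday session trips every rule once (unexpected source, out-of-hours login, new admin account, bulk change on the fifth push, API call from outside the management subnet). Tune the subnet list and thresholds to your environment, and keep the "fire once on crossing" behaviour for the bulk rule so a single mass rollout does not flood the SIEM with one alert per branch.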

The phrase “mass and opportunistic exploitation” from watchTowr means every script kiddie who read the advisory is now running scans. This is not a sophisticated nation-state campaign requiring custom tooling. This is commoditized exploitation of a known vulnerability, accessible to anyone with a scanner and an internet connection. You have a shrinking window to get ahead of it.
