Cisco flags ongoing exploitation of two recently patched Catalyst SD-WAN flaws
2026-3-6 15:14:43 Author: securityaffairs.com


Cisco warns that two recently patched Catalyst SD-WAN flaws, CVE-2026-20128 and CVE-2026-20122, are already being actively exploited in the wild.

Cisco warned customers that threat actors are actively exploiting two recently patched Catalyst SD-WAN vulnerabilities, CVE-2026-20128 and CVE-2026-20122. The networking giant urged organizations to apply the latest security updates to reduce the risk of compromise.

“Multiple vulnerabilities in Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an attacker to access an affected system, elevate privileges to root, gain access to sensitive information, and overwrite arbitrary files.” reads the advisory published by Cisco.

Cisco released security patches on February 25 for five Catalyst SD-WAN vulnerabilities, including fixes for critical and high-severity flaws that could allow attackers to access systems and gain root privileges. On March 5, the company updated its advisory to warn that two of them, CVE-2026-20128 and CVE-2026-20122, are already being exploited in the wild.

The flaw CVE-2026-20128 affects the Data Collection Agent (DCA) feature, letting a local authenticated attacker gain DCA privileges, while the vulnerability CVE-2026-20122 allows a remote authenticated attacker to overwrite arbitrary files through the SD-WAN Manager API and escalate privileges. Both flaws require valid credentials on the affected system.

“In March 2026, the Cisco PSIRT became aware of active exploitation of the vulnerabilities that are described in CVE-2026-20128 and CVE-2026-20122 only.” reads the update. “The vulnerabilities that are described in the other CVEs in this advisory are not known to have been compromised. Cisco strongly recommends that customers upgrade to a fixed software release to remediate these vulnerabilities.”

The company did not share details about the attacks exploiting these two vulnerabilities.

At the end of February, the company warned of another critical SD-WAN vulnerability, tracked as CVE-2026-20127 (CVSS score of 10.0), that has been actively exploited since 2023. The flaw affects Catalyst SD-WAN Controller and Manager and allows remote, unauthenticated attackers to bypass authentication and gain full administrative access by sending a crafted request to vulnerable systems.

“This vulnerability exists because the peering authentication mechanism in an affected system is not working properly. An attacker could exploit this vulnerability by sending crafted requests to an affected system.” reads the advisory. “A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account. Using this account, the attacker could access NETCONF, which would then allow the attacker to manipulate network configuration for the SD-WAN fabric.”

The vulnerability impacts all Cisco Catalyst SD-WAN deployments, regardless of configuration. Affected environments include:

  • On-Prem deployments
  • Cisco Hosted SD-WAN Cloud
  • Cisco Hosted SD-WAN Cloud – Cisco Managed
  • Cisco Hosted SD-WAN Cloud – FedRAMP

Cisco credited the Australian Signals Directorate’s Australian Cyber Security Centre (ASD-ACSC) for reporting the issue and is tracking related exploitation under the name UAT-8616, describing the actor as highly sophisticated.

The flaw has been fixed in updated Cisco Catalyst SD-WAN releases, including: 20.9.8.2, 20.12.5.3, 20.12.6.1, 20.15.4.2, and 20.18.2.1. Customers running versions prior to 20.9.1 are advised to migrate to a patched release.
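The fixed-release list above is the kind of detail a defender turns into an inventory check. The following Python example is added here and is not code from the article or from Cisco; it scores a version string against the releases the article names for CVE-2026-20127. The branch and train rules it applies are assumptions, and any build newer than the listed fixes is reported as unknown rather than fixed, so it has to be checked against the advisory itself.

```python
# Added example (not the article's or Cisco's own code): sort a Cisco Catalyst
# SD-WAN version string against the CVE-2026-20127 fixed releases the article
# lists. Assumptions: a fixed release covers its maintenance branch (first three
# components) from that build onward; a build older than every fix in its train
# (first two components) is vulnerable; anything newer than the listed fixes is
# "unknown" and must be checked against the advisory itself.
from typing import Dict, Tuple

FIXED_RELEASES = ("20.9.8.2", "20.12.5.3", "20.12.6.1", "20.15.4.2", "20.18.2.1")
MIGRATE_BEFORE = "20.9.1"   # article: releases before 20.9.1 should migrate

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'20.12.5.3' -> (20, 12, 5, 3); shorter strings are zero-padded to 4."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))


def assess(version: str) -> str:
    """Return 'migrate', 'fixed', 'vulnerable' or 'unknown' for one device."""
    v = parse_version(version)
    if v < parse_version(MIGRATE_BEFORE):
        return "migrate"
    fixes = [parse_version(f) for f in FIXED_RELEASES]
    # Same maintenance branch as a listed fix: compare builds directly.
    for f in fixes:
        if v[:3] == f[:3]:
            return "fixed" if v >= f else "vulnerable"
    # Same train but older than every fix in it: still unpatched.
    in_train = [f for f in fixes if v[:2] == f[:2]]
    if in_train and v < min(in_train):
        return "vulnerable"
    return "unknown"  # newer branch or train than the article lists


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map hostname -> verdict for a {host: version} inventory."""
    return {host: assess(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not real devices.
    sample = {"mgr-01": "20.12.5.3", "mgr-02": "20.12.6.0",
              "ctl-01": "20.9.7.1", "ctl-02": "20.8.1", "lab-01": "20.18.3.0"}
    for host, verdict in triage(sample).items():
        print(f"{host}: {verdict}")
```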

Cisco Talos tracks the exploitation as UAT-8616, a highly sophisticated threat actor active since at least 2023. Investigators found the group likely downgraded software to escalate privileges to root, exploited CVE-2022-20775, and then restored the original version to maintain stealthy root access. The campaign highlights the ongoing targeting of network edge devices to gain persistent access to high-value and critical infrastructure organizations. Customers are urged to apply the security updates immediately.

“Talos clusters this exploitation and subsequent post-compromise activity as ‘UAT-8616’ whom we assess with high confidence is a highly sophisticated cyber threat actor. After the discovery of active exploitation of the 0-day in the wild, we were able to find evidence that the malicious activity went back at least three years (2023).” reads the report published by Cisco Talos. “Investigation conducted by intelligence partners identified that the actor likely escalated to root user via a software version downgrade. The actor then reportedly exploited CVE-2022-20775 before restoring back to the original software version, effectively allowing them to gain root access.”


Pierluigi Paganini

Source: https://securityaffairs.com/189056/security/cisco-flags-ongoing-exploitation-of-two-recently-patched-catalyst-sd-wan-flaws.html