As a wave of exploitation attempts target Cisco Software Defined Wide-Area Networking Systems, security teams might be overlooking a separate, important threat to the application, according to a report released Friday from vulnerability research firm VulnCheck.
Researchers warned that a closely watched zero-day flaw in Cisco SD-WAN, tracked as CVE-2026-20127, might not be the only major target of exploitation attempts. VulnCheck researchers said the more immediate threat could be a high-severity flaw tracked as CVE-2026-20133, which is linked to insufficient file system access restrictions.
“The security community may be focusing too narrowly on CVE-2026-20127, while other SD-WAN vulnerabilities may also present notable risk and could be overlooked due to misattributed PoC exploits and incomplete detections,” Caitlin Condon, VP of security research at VulnCheck, told Cybersecurity Dive.
The threats are considered a priority among many in the security community, as the Cybersecurity and Infrastructure Security Agency issued an emergency directive on Feb. 25, ordering federal executive branch agencies to take immediate action to assess and patch Cisco SD-WAN Manager systems.
Researchers from Cisco Talos, in a Feb. 25 report, warned that a threat actor, tracked as UAT-8616, has been engaged in exploitation activity dating back to 2023. Cisco Talos said the threat actor had been targeting CVE-2026-20127, which is a vulnerability in Cisco Catalyst SD-WAN Controller, as well as CVE-2022-20775, which allows an authenticated, local attacker to gain elevated privileges.
Successful exploitation of CVE-2026-20127 allows an attacker to bypass authentication and gain administrative privileges on a targeted system, according to Cisco Talos.
VulnCheck said that in early March, several security firms reported in-the-wild exploitation after a proof of concept was released on March 3 by ZeroZenX Labs. It added that the proof of concept did not actually exploit CVE-2026-20127, but exploited several other vulnerabilities.
VulnCheck tested the exploit and found it valid, but identified three other vulnerabilities that were impacted. These include CVE-2026-20133, a vulnerability in the Data Collection Agent of Cisco SD-WAN tracked as CVE-2026-20128 and CVE-2026-20122.
Researchers from Defused looked at VulnCheck’s findings and agreed there is exploitation taking place on multiple fronts.
“So from that sense our data supports VulnCheck’s framing: 20127 is generating enormous automated noise with a widely circulated PoC, while 20133 activity, if present, has a far quieter footprint,” Simo Kohonen, founder and CEO of Defused, told Cybersecurity Dive.
Cisco updated its advisory earlier this month to reflect active exploitation of the latter two flaws.
A spokesperson for Cisco was not immediately available, nor was a spokesperson for CISA.
