CISA Flags Two Actively Exploited Vulnerabilities in KEV Catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two Cisco Catalyst SD-WAN vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog.
These flaws, CVE-2022-20775 and CVE-2026-20127, are now confirmed as actively exploited in the wild, which triggers the Binding Operational Directive (BOD) 22-01 requirement that Federal Civilian Executive Branch (FCEB) agencies remediate them by the specified deadlines.
The KEV Catalog’s role as a “living list” of high-risk Common Vulnerabilities and Exposures (CVEs) was established under BOD 22-01 to reduce the risk of exploitation across federal networks.
While BOD 22-01 binds only FCEB entities, CISA urges all organizations, including the private sector, to prioritize remediation, since flaws of this kind are common footholds for ransomware, data exfiltration, and lateral movement in enterprise networks.
CVE-2022-20775:
This directory traversal flaw (CVSS 5.3, medium severity) affects Cisco Catalyst SD-WAN controllers running releases earlier than 20.9.1. It allows an unauthenticated remote attacker to read arbitrary files on the underlying OS via crafted HTTP requests.
Exploitation hinges on manipulating path parameters in vManage’s web interface to bypass access controls.
Technical Breakdown: Attackers append traversal sequences such as ../../../etc/passwd to request paths, exploiting insufficient input sanitization in the path-handling logic.
A successful request discloses sensitive configuration, credentials, or system files, which can enable privilege escalation. The evidence of active exploitation cited includes scans detected by CISA partners and IOCs such as anomalous HTTP traffic to the vManage management port (typically 8443).
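The traversal pattern described above, as an added illustration that is not Cisco's vManage code: a naive handler that joins the request path straight onto a document root, a hardened handler that refuses anything resolving outside that root (after decoding single- and double-URL-encoded input), and a detector that flags traversal sequences in access-log lines. The document root, the log lines and the URL paths are constructed for the example.

```python
"""Added example (not Cisco's vManage code): the path-traversal pattern from
the breakdown above, shown as a vulnerable handler, a hardened handler, and a
log detector. WEB_ROOT, the request paths and SAMPLE_LOG are assumptions."""
import posixpath
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

WEB_ROOT = "/srv/webapp/static"  # assumed document root for the example


def serve_file_vulnerable(requested_path: str) -> str:
    """Naive handler: '../' segments walk out of WEB_ROOT after normalization."""
    return posixpath.normpath(posixpath.join(WEB_ROOT, requested_path))


def serve_file_hardened(requested_path: str) -> Optional[str]:
    """Decode twice (to defeat double-encoding), drop any leading '/', resolve,
    then require the result to stay beneath WEB_ROOT. Returns None on traversal."""
    decoded = unquote(unquote(requested_path))
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, decoded.lstrip("/")))
    if posixpath.commonpath([WEB_ROOT, candidate]) != WEB_ROOT:
        return None
    return candidate


# Constructed sample in combined-log shape (not real captures). Lines 2 and 3
# carry traversal attempts; the 200 on line 2 is the one to escalate first.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Feb/2026:10:01:02 +0000] "GET /ui/index.html HTTP/1.1" 200 512
198.51.100.7 - - [25/Feb/2026:10:01:09 +0000] "GET /ui/../../../etc/passwd HTTP/1.1" 200 1834
198.51.100.7 - - [25/Feb/2026:10:01:11 +0000] "GET /ui/%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fshadow HTTP/1.1" 403 0
10.0.0.9 - - [25/Feb/2026:10:02:00 +0000] "GET /static/css/app.css HTTP/1.1" 200 2210
"""

REQUEST_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")  # '../' or '..\' after decoding


def find_traversal_attempts(log_text: str) -> List[Dict[str, object]]:
    """Return one record per request whose decoded path contains a traversal
    sequence. A 2xx status on such a request suggests the traversal succeeded."""
    hits: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        decoded = unquote(unquote(m.group("path")))  # catch %2e%2e%2f and %252e forms
        if TRAVERSAL_RE.search(decoded):
            status = int(m.group("status"))
            hits.append({
                "src": m.group("src"),
                "timestamp": m.group("ts"),
                "path": m.group("path"),
                "status": status,
                "likely_success": 200 <= status < 300,
            })
    return hits


if __name__ == "__main__":
    print(serve_file_vulnerable("../../../etc/passwd"))  # /etc/passwd
    print(serve_file_hardened("../../../etc/passwd"))    # None
    for hit in find_traversal_attempts(SAMPLE_LOG):
        print(hit)
```

The hardened handler checks the resolved path against the root rather than blacklisting "../", which is why the double-encoded form is also rejected; the detector decodes the same way so that an encoded attempt in the logs is not missed.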
Patch Details: Cisco released fixes in:
- vManage 20.9.1 and later.
- IOS XE SD-WAN 17.9.1a and later.
Federal agencies must apply patches by March 18, 2026 (the 21-day BOD window). Workarounds include removing HTTP/HTTPS exposure to untrusted networks and enforcing network segmentation. Confirm the affected and fixed releases against Cisco’s advisory for CVE-2022-20775 before scheduling upgrades.
CVE-2026-20127:
Newer and more severe (CVSS 9.8, critical), this flaw affects Catalyst SD-WAN Controllers and Managers running releases earlier than 20.14.2. It lets an unauthenticated attacker bypass authentication entirely and gain administrator-level access to the web UI.
Technical Breakdown: The bug stems from a flaw in the authentication middleware’s session token validation. Attackers craft requests that exploit race conditions in the login flow, forging valid sessions without credentials.
Once past authentication, threat actors can execute arbitrary CLI commands, alter configurations, or deploy malware. Real-world exploitation has been linked to APT groups scanning SD-WAN deployments globally.
Patch Details: Upgrade to:
- vManage 20.14.2 or later.
- Controller/Manager 20.14.2 or later.
FCEB deadline: March 11, 2026 (the 14-day window for critical flaws). Interim mitigations: restrict management UI access to VPN-only paths, enable MFA, and monitor for anomalous logins. Full advisory: CVE-2026-20127.
CISA’s action highlights SD-WAN’s ubiquity in hybrid networks, where misconfigurations amplify risk. Organizations should feed the KEV Catalog into their SIEM and vulnerability-management workflows so that newly listed CVEs are matched against asset inventory automatically and tracked against their due dates.
As threats evolve, timely patching remains the frontline defense against breaches; for FCEB agencies it is also a BOD 22-01 compliance obligation.
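One way to do that matching, as an added example rather than CISA tooling: load KEV records, join them with a local asset inventory by product, compare installed releases numerically against the fixed releases, and emit findings with BOD 22-01 days-to-deadline as JSON lines for a SIEM. The record fields (a top-level "vulnerabilities" list with cveID, vendorProject, product, dateAdded, dueDate, requiredAction, knownRansomwareCampaignUse) follow CISA's published KEV JSON feed; the two records are constructed from this article, with dateAdded back-computed from the stated 21- and 14-day windows. The inventory, the product naming, and the fixed-version table are assumptions for the example.

```python
"""Added example (not CISA tooling): match KEV records against an asset
inventory and compute BOD 22-01 due dates. The KEV records are constructed
from the article; INVENTORY, product names and FIXED_IN are assumptions."""
import json
import re
from datetime import date
from typing import Dict, List, Tuple

# Constructed sample in the shape of CISA's KEV JSON feed (not downloaded).
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2022-20775", "vendorProject": "Cisco", "product": "Catalyst SD-WAN",
         "dateAdded": "2026-02-25", "dueDate": "2026-03-18",
         "requiredAction": "Apply mitigations per vendor instructions.",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2026-20127", "vendorProject": "Cisco", "product": "Catalyst SD-WAN",
         "dateAdded": "2026-02-25", "dueDate": "2026-03-11",
         "requiredAction": "Apply mitigations per vendor instructions.",
         "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Fixed releases from the article; in practice take these from the vendor
# advisory rather than hard-coding them.
FIXED_IN = {"CVE-2022-20775": "20.9.1", "CVE-2026-20127": "20.14.2"}

# Constructed inventory: two SD-WAN management nodes and one unrelated asset.
INVENTORY = [
    {"host": "sdwan-mgr-01", "product": "Catalyst SD-WAN", "version": "20.9.3"},
    {"host": "sdwan-mgr-02", "product": "Catalyst SD-WAN", "version": "20.6.5"},
    {"host": "web-proxy-01", "product": "nginx", "version": "1.26.0"},
]


def parse_version(version: str) -> Tuple[int, ...]:
    """'20.9.1' -> (20, 9, 1). Plain string comparison ranks '20.9.x' above
    '20.14.x', so compare numeric tuples instead."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def load_kev(raw_json: str) -> List[Dict[str, str]]:
    return json.loads(raw_json)["vulnerabilities"]


def kev_findings(kev: List[Dict[str, str]], inventory: List[Dict[str, str]],
                 today: date) -> List[Dict[str, object]]:
    """One finding per (asset, KEV entry) where the product matches and the
    installed release is below the fixed release (or no fix is known)."""
    findings: List[Dict[str, object]] = []
    for entry in kev:
        fixed = FIXED_IN.get(entry["cveID"])
        due = date.fromisoformat(entry["dueDate"])
        for asset in inventory:
            if asset["product"] != entry["product"]:
                continue
            if fixed and parse_version(asset["version"]) >= parse_version(fixed):
                continue  # already at or above the fixed release
            findings.append({
                "host": asset["host"], "cve": entry["cveID"],
                "installed": asset["version"], "fixed_in": fixed,
                "due": due.isoformat(), "days_left": (due - today).days,
                "overdue": today > due,
                "ransomware_use": entry.get("knownRansomwareCampaignUse", "Unknown"),
            })
    # Earliest deadline first, so the 14-day critical items surface on top.
    return sorted(findings, key=lambda f: (f["due"], f["host"]))


def findings_as_of(iso_day: str) -> List[Dict[str, object]]:
    """Run the sample data as of a given date (YYYY-MM-DD)."""
    return kev_findings(load_kev(KEV_SAMPLE), INVENTORY, date.fromisoformat(iso_day))


def to_siem_events(findings: List[Dict[str, object]]) -> List[str]:
    """Serialize findings as JSON lines for SIEM ingestion."""
    return [json.dumps({"event_type": "kev_exposure", **f}, sort_keys=True) for f in findings]


if __name__ == "__main__":
    for line in to_siem_events(findings_as_of("2026-03-01")):
        print(line)
```

Run as of March 1, 2026 the sample yields three findings: both managers are exposed to CVE-2026-20127 (due March 11), and only the node still on 20.6.5 is exposed to CVE-2022-20775 (due March 18); the node on 20.9.3 is above the 20.9.1 fix. Swapping the tuple comparison for a string comparison would wrongly treat 20.9.3 as newer than 20.14.2.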
Site: cybersecuritypath.com