Cisco SD-WAN Under Attack: Update Now
The networking world is currently on high alert as Cisco confirms that hackers are actively breaking into its Catalyst SD-WAN Manager systems. This isn’t just a theoretical risk discussed by researchers in a lab; real-world attackers are already using these security holes to compromise corporate networks. If your business relies on Cisco’s SD-WAN technology to manage its data traffic, the message from security experts is loud and clear: you need to patch your systems immediately before you become the next victim.
The Specific Holes Hackers Are Using
Two specific vulnerabilities are at the heart of this current wave of attacks. The first one, labeled as CVE-2026-20122, is particularly nasty because it allows an intruder to overwrite files on the system. To pull this off, a hacker needs some basic credentials, but once they are in, they can essentially mess with the local file system. Think of it like a burglar who finds a side door left unlocked; once they step inside, they have the power to swap out the locks or change the blueprints of the house.
The second flaw being exploited is CVE-2026-20128. This one is an information disclosure bug. It allows someone who already has a foot in the door to gain much higher privileges—specifically “Data Collection Agent” levels. In simple terms, a low-level user can trick the system into giving them more power than they should ever have, allowing them to see data and configurations that are supposed to be off-limits. While these two are the only ones currently seeing active combat, Cisco also patched three other related flaws at the same time to prevent them from being used next.
How to Fix Your Systems Today
Cisco has been working overtime to release software updates that plug these holes. Depending on which version of the software your company is currently running, you have a specific path to safety. If you are using anything older than Version 20.9, the company says you should migrate to a newer, fixed release right away. For those on Version 20.9, you need to get onto 20.9.8.2. If you are running Version 20.11 or 20.12, the safe zones are versions 20.12.6.1 or 20.12.5.3.
The newer versions also have specific fixes. For example, if your team is on Version 20.13, 20.14, or 20.15, you must move to 20.15.4.2. Finally, for those on the cutting-edge Version 20.16 or 20.18, the version you want is 20.18.2.1. It might seem like a lot of numbers to keep track of, but missing even one update could leave a back door wide open for a cybercriminal to walk through.
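Added here as an illustration, not a Cisco tool: a small Python checker that encodes the version-to-fix mapping above and reports whether an inventoried version string is already at or past its fixed release. The dot-separated numeric ordering of version strings and the sample inventory are assumptions.

```python
from typing import Optional, Tuple

# Fixed releases per version train, transcribed from the article above.
# Entry: (lowest train covered, highest train covered, fixed release).
FIXED_RELEASES = [
    ((20, 9), (20, 9), "20.9.8.2"),
    ((20, 11), (20, 12), "20.12.6.1"),  # the article also lists 20.12.5.3 as fixed
    ((20, 13), (20, 15), "20.15.4.2"),
    ((20, 16), (20, 18), "20.18.2.1"),
]
ALSO_FIXED = {"20.12.5.3"}  # second fixed release named for the 20.11/20.12 train


def parse_version(v: str) -> Tuple[int, ...]:
    """'20.12.4.1' -> (20, 12, 4, 1); dot-separated numeric ordering is assumed."""
    parts = tuple(int(p) for p in v.strip().split("."))
    if len(parts) < 2:
        raise ValueError(f"unrecognised version string: {v!r}")
    return parts


def fixed_release_for(running: str) -> Optional[str]:
    """Fixed release for the train of `running`; None if the article lists none
    (older than 20.9 means 'migrate to a fixed release'; 20.10/20.17 are not named)."""
    train = parse_version(running)[:2]
    for low, high, fixed in FIXED_RELEASES:
        if low <= train <= high:
            return fixed
    return None


def needs_update(running: str) -> bool:
    """True unless `running` is a listed fixed release or newer on the same train.
    Conservative: builds the article does not name count as unpatched."""
    if running in ALSO_FIXED:
        return False
    target = fixed_release_for(running)
    if target is None:
        return True
    # Tuple comparison handles differing lengths: (20, 12, 6) < (20, 12, 6, 1).
    return parse_version(running) < parse_version(target)


if __name__ == "__main__":
    # Constructed sample inventory, not real devices.
    for v in ("20.6.3", "20.9.5", "20.9.8.2", "20.12.5.3", "20.12.6", "20.14.1", "20.18.2.1"):
        target = fixed_release_for(v)
        status = "ok" if not needs_update(v) else f"update to {target or 'a fixed release'}"
        print(f"{v}: {status}")
```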
A Bigger Threat is Lurking
This news comes at a scary time for Cisco users. Just last week, the company admitted that a massive, “perfect 10” security flaw was used by a sophisticated group of hackers known as UAT-8616. This group wasn’t just looking for a quick score; they were trying to set up a permanent home inside high-value companies. When a flaw gets a CVSS score of 10.0, it means the door isn’t just unlocked—it’s been taken off the hinges.
As if that wasn’t enough, Cisco also had to rush out fixes for its Secure Firewall Management Center this week. Those flaws also carried that terrifying 10.0 rating. They allowed attackers to skip the login screen entirely and run their own code with total control over the device. It is clear that Cisco products are currently a major target for high-level digital spies and criminals.
Steps to Protect Your Network
Beyond just hitting the “update” button, there are several common-sense steps you should take right now to lock down your gear. First, stop letting your management portals face the open internet. Put them behind a strong firewall and only allow trusted people to access them. You should also turn off any old-school services like FTP or HTTP if you aren’t using them, as these are often used as easy entry points for hackers.
Make sure your administrators change their passwords immediately, especially if they are still using the ones that came with the device. Finally, keep a very close eye on your traffic logs. If you see data moving to a strange location or someone logging in at 3:00 AM from a country where you don’t have offices, you need to act fast. The “active exploitation” phase means the clock is ticking, and the best defense is a proactive one.
