Cisco disclosed this week that a new vulnerability in its Catalyst SD-WAN Manager platform is being actively exploited in the wild, with no patch currently available.
It is the seventh flaw in Cisco's SD-WAN product line confirmed as actively exploited this year alone, and the latest in a campaign that has run continuously since at least 2023.
The latest vulnerability allows an attacker with existing administrative access to escalate privileges and execute commands at the highest level of system control. Cisco has observed cases in which successful exploitation resulted in configuration changes being pushed to downstream edge devices.
That downstream reach matters as much as the initial access. Catalyst SD-WAN Manager functions as the orchestration layer for an organization's entire WAN fabric, meaning a compromise there can propagate changes across distributed infrastructure at scale.
The broader campaign reflects a pattern that has become consistent across the 2026 disclosures. A sophisticated threat actor tracked by Cisco Talos as UAT-8616 has been exploiting SD-WAN infrastructure since at least 2023, chaining earlier vulnerabilities to gain initial access and then using that foothold to escalate toward deeper control.
At least ten additional threat clusters began their own exploitation activity after proof-of-concept code became publicly available. The methods involve modifying network configurations, injecting authentication credentials, and clearing logs to conceal activity.
The concentration of risk in the management plane is worth noting. SD-WAN platforms consolidate control over distributed WAN infrastructure into a relatively small number of management nodes, and a compromise at that layer carries consequences that a compromise of a single edge device does not.
That dynamic is not unique to Cisco, but the sustained targeting here is specific to Cisco's platform and its deployment footprint across enterprise and government networks.
Cisco has recommended that customers with internet-exposed management systems review authentication logs for signs of unauthorized access.
Seven confirmed exploited flaws in under six months across a single product line suggests sustained, targeted interest rather than broad opportunistic scanning.
For enterprise operators running Cisco SD-WAN, patching cadence alone may be insufficient when vulnerabilities are being actively chained before fixes become available. Detection and response posture may need to carry more weight than it typically does while vendor remediation remains pending.
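The kind of log review Cisco is recommending, and the tradecraft described earlier (credential injection, configuration pushes, log clearing), can be turned into a small triage script. The following is an added example written for this page; it is not Cisco's tooling, not code from the advisory, and it does not use the real Catalyst SD-WAN Manager log format. The log layout (`<timestamp> seq=<n> <event> user=<name> src=<ip> result=<ok|fail>`), the event names `login` and `config_push`, the sample lines, and the `EXPECTED_ADMIN_SOURCES` allowlist are all constructed assumptions; adapt the regex and the allowlist to the export format and address plan of the real deployment.

```python
"""
Added example, not Cisco's code: triage of management-plane authentication
logs for three signals the article describes.

  1. Successful privileged activity (login or config push) from a source
     outside the networks where administrators are expected to sit.
  2. A burst of failed logins followed by a success for the same user/source
     pair, a classic credential-guessing or credential-injection footprint.
  3. Gaps in the per-entry sequence number, which is one constructed way a
     log store can betray that entries were deleted to hide activity.

ASSUMPTIONS (hypothetical, not the real vManage format): line layout,
event names, sequence-number field, allowlist, and the sample log below.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed line layout; the real product's export format will differ.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) seq=(?P<seq>\d+) (?P<event>\S+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)

# Hypothetical allowlist of networks admins normally log in from.
EXPECTED_ADMIN_SOURCES = [ipaddress.ip_network("10.0.0.0/8")]
PRIVILEGED_EVENTS = {"login", "config_push"}   # constructed event names
FAIL_BURST = 5                                  # failures that count as a burst
FAIL_WINDOW = timedelta(minutes=10)             # window the burst must fit in


def parse(lines):
    """Parse matching lines into dicts; unparseable lines are skipped.
    Events are ordered by sequence number, not timestamp, because a
    sequence counter is harder for an intruder to rewrite than a clock."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        e["seq"] = int(e["seq"])
        events.append(e)
    events.sort(key=lambda e: e["seq"])
    return events


def find_unexpected_privileged_events(events):
    """Successful privileged events whose source is not in the allowlist."""
    findings = []
    for e in events:
        if e["event"] in PRIVILEGED_EVENTS and e["result"] == "ok":
            ip = ipaddress.ip_address(e["src"])
            if not any(ip in net for net in EXPECTED_ADMIN_SOURCES):
                findings.append((e["seq"], e["event"], e["user"], e["src"]))
    return findings


def find_bruteforce_then_success(events):
    """A success preceded by >= FAIL_BURST failures within FAIL_WINDOW
    for the same (user, src) pair."""
    findings = []
    recent_fail = defaultdict(list)
    for e in events:
        if e["event"] != "login":
            continue
        key = (e["user"], e["src"])
        if e["result"] == "fail":
            recent_fail[key].append(e["ts"])
        elif e["result"] == "ok":
            window = [t for t in recent_fail[key] if e["ts"] - t <= FAIL_WINDOW]
            if len(window) >= FAIL_BURST:
                findings.append((e["seq"], e["user"], e["src"], len(window)))
            recent_fail[key].clear()
    return findings


def find_sequence_gaps(events):
    """(last_seen, next_seen, missing_count) for every hole in the counter."""
    gaps = []
    for prev, cur in zip(events, events[1:]):
        missing = cur["seq"] - prev["seq"] - 1
        if missing > 0:
            gaps.append((prev["seq"], cur["seq"], missing))
    return gaps


def triage(text):
    events = parse(text.splitlines())
    return {
        "unexpected_privileged_events": find_unexpected_privileged_events(events),
        "bruteforce_then_success": find_bruteforce_then_success(events),
        "sequence_gaps": find_sequence_gaps(events),
    }


# Constructed sample log; not captured from any real device.
SAMPLE_LOG = """
2026-05-01T08:00:00 seq=100 login user=admin src=10.1.2.3 result=ok
2026-05-01T08:05:00 seq=101 config_push user=admin src=10.1.2.3 result=ok
2026-05-01T09:00:00 seq=102 login user=netops src=10.1.2.9 result=ok
2026-05-01T22:10:00 seq=103 login user=admin src=203.0.113.77 result=fail
2026-05-01T22:10:05 seq=104 login user=admin src=203.0.113.77 result=fail
2026-05-01T22:10:10 seq=105 login user=admin src=203.0.113.77 result=fail
2026-05-01T22:10:15 seq=106 login user=admin src=203.0.113.77 result=fail
2026-05-01T22:10:20 seq=107 login user=admin src=203.0.113.77 result=fail
2026-05-01T22:10:25 seq=108 login user=admin src=203.0.113.77 result=ok
2026-05-01T22:11:00 seq=109 config_push user=admin src=203.0.113.77 result=ok
2026-05-02T14:00:00 seq=117 login user=admin src=10.1.2.3 result=ok
"""

if __name__ == "__main__":
    for kind, items in triage(SAMPLE_LOG).items():
        print(kind)
        for item in items:
            print("   ", item)
```

On the constructed sample the script flags the off-allowlist login and the configuration push that followed it, the five-failure burst that preceded that login, and seven entries missing between sequence numbers 109 and 117. The sequence-gap check is only meaningful if the log store actually assigns a monotonic counter that an intruder cannot renumber; where it does not, ship logs off the management node to a collector the attacker cannot reach, and compare the two copies instead.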