The Cybersecurity and Infrastructure Security Agency on Monday said hackers were exploiting three more of the vulnerabilities in Cisco’s networking appliances that the company disclosed in late February.
CISA added the three vulnerabilities — CVE-2026-20122, CVE-2026-20128 and CVE-2026-20133 — to its Known Exploited Vulnerabilities catalog, indicating that the agency has seen these flaws being used in ongoing malicious activity.
“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA said in a statement about the addition of the three Cisco flaws and four others to the KEV.
After Cisco announced the vulnerabilities, along with several others, on Feb. 25, CISA issued an emergency directive ordering federal agencies to patch the flaws, saying hackers were already exploiting one of them. With Monday’s update to the KEV catalog, the government has now confirmed that hackers are exploiting four of the six vulnerabilities that Cisco announced in February.
CVE-2026-20122, a flaw affecting Cisco networking products’ API interface, could let an intruder with read-only access to the system nonetheless overwrite system files. CVE-2026-20128 could enable an attacker to access an unsecured password file and use the password to log into the system. CVE-2026-20133, meanwhile, stems from poorly configured access restrictions and could let an attacker view sensitive information without authentication.
In March, after Cisco announced the six flaws, VulnCheck researchers warned that defenders should look beyond the one vulnerability with then confirmed exploitation and pay particular attention to CVE-2026-20133.
At the time, Caitlin Condon, vice president of security research at VulnCheck, told Cybersecurity Dive that “misattributed PoC exploits and incomplete detections” could account for why researchers weren’t seeing attacks exploiting that flaw and others.
Cisco previously confirmed that hackers were weaponizing CVE-2026-20122 and CVE-2026-20128, but it has not confirmed exploitation of CVE-2026-20133.
Pursuant to a binding operational directive, federal agencies have until April 23 to patch the seven vulnerabilities that CISA added to the KEV catalog on Monday.
