Two critical vulnerabilities were patched in the SD-WAN vManage software, alongside three high-severity issues. The bugs are not dependent on one another and their exploitation doesn’t require exploitation of the others.

One of the critical flaws (CVE-2021-1468, CVSS score 9.8) could allow unauthenticated, remote attackers to call privileged actions and even create new administrative accounts, thus being able to view, change, or delete data. The second critical bug (CVE-2021-1505, CVSS score 9.1) impacts the web-based management interface of SD-WAN vManage and could allow attackers to gain elevated privileges.