CISA Warns of Cisco Catalyst SD-WAN Manager Vulnerabilities Exploited in Attacks

Cybersecurity News. Original source: cybersecuritynews.com.

CISA has added three critical Cisco Catalyst SD-WAN Manager vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies and organizations to act immediately.

All three entries were added on April 20, 2026, with a remediation due date of April 23, 2026, only three days later.

The three vulnerabilities affect Cisco Catalyst SD-WAN Manager, a widely used platform for managing enterprise SD-WAN infrastructure.

Here’s a breakdown:

  • CVE-2026-20133 (CWE-200, Exposure of Sensitive Information to an Unauthorized Actor): allows a remote, unauthenticated attacker to view sensitive information on an affected system. No login is required, which makes internet-exposed management interfaces the deployments most at risk.
  • CVE-2026-20122 (CWE-648, Incorrect Use of Privileged APIs): improper handling of files on the API interface lets an attacker upload a malicious file to the local file system. A successful exploit runs with the privileges of the vmanage user, giving the attacker extensive control over the SD-WAN Manager host and the environment it manages.
  • CVE-2026-20128 (CWE-257, Storing Passwords in a Recoverable Format): an authenticated local attacker can read a credential file stored on the filesystem in a recoverable format and use the recovered credentials to escalate to the DCA user, even from a low-privileged account.

SD-WAN managers sit at the heart of enterprise network infrastructure, controlling routing, policies, and device configurations across distributed locations.

Compromising this platform can give attackers broad lateral movement capabilities, enabling them to pivot across the entire network.

While the KEV entries list known use in ransomware campaigns as "Unknown", compromise of SD-WAN management platforms has historically been a precursor to large-scale network intrusions.

CISA has issued Emergency Directive 26-03, along with dedicated Hunt & Hardening Guidance for Cisco SD-WAN Devices, underscoring the threat’s severity.

The KEV entries carry the standard BOD 22-01 required action: apply mitigations per vendor instructions, follow the applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Recommended Actions

  • Apply all available patches and security updates from Cisco immediately.
  • Review CISA’s Emergency Directive 26-03 for specific exposure assessment steps.
  • Follow CISA’s Hunt & Hardening Guidance to detect signs of compromise.
  • Keep the SD-WAN Manager management interface and REST API off the internet, restrict them to a dedicated management network, and audit local file system permissions on affected systems, including the permissions on stored credential files.
  • Monitor for unexpected file uploads through the API and for activity under the vmanage or DCA accounts that cannot be tied to legitimate administration.
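Tracking the due dates above by hand does not scale once the KEV catalog has several entries for products you run. The script below is an added example, not code from the article or from CISA: it parses a snapshot of CISA's KEV JSON feed (the feed URL is CISA's real export; the JSON embedded here is a constructed snapshot in the same shape, with the three Cisco entries carrying the identifiers and dates from the article and one placeholder row that is not a real CVE) and reports which watched entries are due within a horizon or already overdue, along with the ransomware-use field and CWEs. The `watch` and `load_kev` function names are the example's own.

```python
"""Watch the CISA KEV catalog for entries that affect products you run and
report how many days remain before the BOD 22-01 due date.

Added example; not from the article or from CISA. KEV_FEED_URL is CISA's
real JSON export; SAMPLE_KEV_JSON is a constructed snapshot in that shape.
"""
import json
from datetime import date

KEV_FEED_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed sample in the shape of the KEV feed. The three Cisco entries use
# the identifiers and dates from the article; the last row is a placeholder
# (not a real CVE) so the watchlist filter has something to reject.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2026-20133", "vendorProject": "Cisco",
         "product": "Catalyst SD-WAN Manager", "dateAdded": "2026-04-20",
         "dueDate": "2026-04-23", "knownRansomwareCampaignUse": "Unknown",
         "cwes": ["CWE-200"]},
        {"cveID": "CVE-2026-20122", "vendorProject": "Cisco",
         "product": "Catalyst SD-WAN Manager", "dateAdded": "2026-04-20",
         "dueDate": "2026-04-23", "knownRansomwareCampaignUse": "Unknown",
         "cwes": ["CWE-648"]},
        {"cveID": "CVE-2026-20128", "vendorProject": "Cisco",
         "product": "Catalyst SD-WAN Manager", "dateAdded": "2026-04-20",
         "dueDate": "2026-04-23", "knownRansomwareCampaignUse": "Unknown",
         "cwes": ["CWE-257"]},
        {"cveID": "CVE-0000-0000", "vendorProject": "ExampleCorp",  # placeholder
         "product": "Widget", "dateAdded": "2026-04-20",
         "dueDate": "2026-12-31", "knownRansomwareCampaignUse": "Unknown",
         "cwes": []},
    ],
})


def load_kev(text):
    """Return the list of entries from the feed's JSON text."""
    return json.loads(text)["vulnerabilities"]


def watch(entries, watchlist, today, horizon_days=7):
    """Return entries whose 'vendorProject product' contains a watchlist string
    (case-insensitive) and whose dueDate is within horizon_days of today or
    already past. today may be a date or an ISO string. Most urgent first."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    hits = []
    for e in entries:
        label = f"{e['vendorProject']} {e['product']}"
        if not any(w.lower() in label.lower() for w in watchlist):
            continue
        days_left = (date.fromisoformat(e["dueDate"]) - today).days
        if days_left > horizon_days:
            continue
        hits.append({
            "cve": e["cveID"],
            "product": label,
            "due": e["dueDate"],
            "days_left": days_left,
            "overdue": days_left < 0,
            "ransomware": e.get("knownRansomwareCampaignUse", "Unknown"),
            "cwes": e.get("cwes", []),
        })
    hits.sort(key=lambda h: (h["days_left"], h["cve"]))
    return hits


def fetch_live_kev(timeout=30):
    """Download the current catalog from CISA (needs network access)."""
    from urllib.request import urlopen
    with urlopen(KEV_FEED_URL, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Replace SAMPLE_KEV_JSON with fetch_live_kev() and "2026-04-21" with
    # date.today() to run against the real catalog.
    for hit in watch(load_kev(SAMPLE_KEV_JSON), ["Cisco Catalyst SD-WAN"], "2026-04-21"):
        state = "OVERDUE" if hit["overdue"] else f"{hit['days_left']}d left"
        print(f"{hit['cve']}  {hit['product']}  due {hit['due']}  {state}  "
              f"ransomware={hit['ransomware']}  {','.join(hit['cwes'])}")
```

Run it daily from a scheduler with your own watchlist of vendor/product strings; entries that cross from "days left" to "OVERDUE" are the ones to escalate, and the ransomware field flipping from "Unknown" to "Known" is a second signal worth alerting on separately.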

With the due date set for April 23, 2026, Federal Civilian Executive Branch (FCEB) agencies have three days from the catalog addition to remediate.

Private sector organizations managing Cisco SD-WAN deployments should treat this advisory with equal urgency, as active exploitation in the wild makes these vulnerabilities an immediate risk to network integrity.
