CISA warns of Cisco Catalyst SD-WAN Manager flaws exploited in attacks
CISA has added three Cisco Catalyst SD-WAN Manager vulnerabilities to its Known Exploited Vulnerabilities catalog after confirming active exploitation. The agency’s move means defenders should treat these bugs as an immediate incident-response priority, not a routine patch cycle.
The three CVEs are CVE-2026-20133, CVE-2026-20122, and CVE-2026-20128. Cisco says the flaws can expose sensitive information, allow arbitrary file overwrite through the API, and disclose a recoverable password that can be used to gain DCA user access on another affected system.
This matters because Catalyst SD-WAN Manager sits close to the center of enterprise network control. A compromise there can give attackers visibility into management operations and a path toward deeper control over distributed infrastructure. CISA has already issued Emergency Directive 26-03 and separate hunt and hardening guidance for Cisco SD-WAN systems, which shows how seriously the agency views the threat.
What the three flaws do
Cisco says CVE-2026-20133 is an information disclosure vulnerability that allows a remote, unauthenticated attacker to view sensitive information on an affected system. NVD mirrors that description and notes that no authentication is required for exploitation.
Cisco says CVE-2026-20122 is an arbitrary file overwrite flaw in the API. A remote attacker who holds valid read-only credentials could upload a malicious file to the local filesystem and, if the exploit succeeds, gain the privileges of the vmanage user.
Cisco says CVE-2026-20128 stems from a DCA credential file stored in recoverable form. A remote, unauthenticated attacker can read that file, recover the DCA password, and then use it to access another affected system with DCA user privileges. Cisco also says releases 20.18 and later are not affected by CVE-2026-20128.
Why defenders should move fast
The key issue is not just severity. It is confirmed real-world exploitation. CISA says vulnerabilities added to the KEV catalog are frequent attack vectors and pose significant risk to the federal enterprise. The KEV catalog entry also shows an April 23, 2026 remediation deadline for federal agencies on these Cisco flaws.
Cisco’s advisory adds another reason to move quickly. The company included indicators of compromise for CVE-2026-20128 and CVE-2026-20122, which means patching alone may not be enough if a system was already touched before remediation.
CISA’s broader SD-WAN guidance also pushes agencies to inventory affected systems, collect forensic artifacts, apply updates, and hunt for signs of compromise. That guidance goes beyond simple patching and points to a higher risk that attackers may already have footholds in exposed environments.
At a glance
| CVE | Vulnerability type | Access required | Potential impact |
|---|---|---|---|
| CVE-2026-20133 | Sensitive information exposure | Remote, unauthenticated | View sensitive system information |
| CVE-2026-20122 | Arbitrary file overwrite via API | Remote, authenticated with read-only credentials | Upload malicious file and gain vmanage privileges |
| CVE-2026-20128 | Password stored in recoverable format | Remote, unauthenticated | Read DCA password file and gain DCA user access on another system |
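To turn the table above and the April 23, 2026 KEV deadline into a working action list, here is an added example that is not Cisco's or CISA's code. It cross-checks a constructed SD-WAN Manager inventory against a constructed excerpt of the KEV feed. The excerpt copies the field names of the real feed at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json, but its hosts, versions and description strings are made up; only the CVE IDs, the product name, the April 20, 2026 dateAdded and the April 23, 2026 dueDate come from this article. The one version rule it encodes is Cisco's statement that releases 20.18 and later are not affected by CVE-2026-20128; for every other CVE and version it reports that the advisory's fixed-release table must be checked rather than guessing a fixed version.

```python
"""Cross-check a Catalyst SD-WAN Manager inventory against CISA KEV entries.

Added example for this article, not Cisco or CISA code. KEV_EXCERPT is a
CONSTRUCTED sample that copies the field names of the real feed
(https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json);
only the CVE IDs, product name, dateAdded and dueDate reflect the article.
INVENTORY (hosts and versions) is constructed as well.
"""
import json
import re
from datetime import date

KEV_EXCERPT = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed excerpt)",
    "vulnerabilities": [
        {"cveID": "CVE-2026-20133", "vendorProject": "Cisco",
         "product": "Catalyst SD-WAN Manager",
         "shortDescription": "Unauthenticated remote information disclosure.",
         "dateAdded": "2026-04-20", "dueDate": "2026-04-23"},
        {"cveID": "CVE-2026-20122", "vendorProject": "Cisco",
         "product": "Catalyst SD-WAN Manager",
         "shortDescription": "Arbitrary file overwrite via API with read-only credentials.",
         "dateAdded": "2026-04-20", "dueDate": "2026-04-23"},
        {"cveID": "CVE-2026-20128", "vendorProject": "Cisco",
         "product": "Catalyst SD-WAN Manager",
         "shortDescription": "DCA password stored in recoverable form.",
         "dateAdded": "2026-04-20", "dueDate": "2026-04-23"},
    ],
})

# Constructed asset inventory; hostnames and versions are made up.
INVENTORY = [
    {"host": "sdwan-mgr-1", "product": "Cisco Catalyst SD-WAN Manager", "version": "20.12.4"},
    {"host": "sdwan-mgr-2", "product": "Cisco Catalyst SD-WAN Manager", "version": "20.18.1"},
    {"host": "edge-fw-1", "product": "Unrelated firewall", "version": "7.2"},
]

# The only version fact the article supports: Cisco says releases 20.18 and
# later are not affected by CVE-2026-20128. Fixed releases for the other two
# CVEs are not on the page, so they are deliberately NOT encoded here.
NOT_AFFECTED_FROM = {"CVE-2026-20128": (20, 18)}
NOT_AFFECTED = "not affected (20.18 and later)"
VERIFY = "verify against advisory fixed releases"


def parse_version(version: str) -> tuple:
    """'20.12.4' -> (20, 12, 4); keeps numeric parts only so suffixes do not break it."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def version_status(cve_id: str, version: str) -> str:
    """NOT_AFFECTED only where the page gives a floor; otherwise ask for a manual check."""
    floor = NOT_AFFECTED_FROM.get(cve_id)
    if floor is not None and parse_version(version)[:2] >= floor:
        return NOT_AFFECTED
    return VERIFY


def triage(kev_json: str, inventory: list, today: date) -> list:
    """One action row per (asset, KEV entry) pair that still needs work,
    sorted by due date so the shortest deadline is at the top."""
    entries = json.loads(kev_json)["vulnerabilities"]
    rows = []
    for asset in inventory:
        for entry in entries:
            # Match when the KEV product string appears in the asset's product field.
            if entry["product"].lower() not in asset["product"].lower():
                continue
            status = version_status(entry["cveID"], asset["version"])
            if status == NOT_AFFECTED:
                continue
            due = date.fromisoformat(entry["dueDate"])
            rows.append({
                "host": asset["host"],
                "version": asset["version"],
                "cve": entry["cveID"],
                "due": entry["dueDate"],
                "days_left": (due - today).days,
                "overdue": today > due,
                "status": status,
            })
    rows.sort(key=lambda r: (r["due"], r["host"], r["cve"]))
    return rows


if __name__ == "__main__":
    for row in triage(KEV_EXCERPT, INVENTORY, date(2026, 4, 22)):
        flag = "OVERDUE" if row["overdue"] else f"{row['days_left']}d left"
        print(f"{row['host']:12} {row['version']:8} {row['cve']}  due {row['due']} ({flag})  {row['status']}")
```

Run against the real feed by replacing KEV_EXCERPT with the downloaded JSON and INVENTORY with your CMDB export; the 20.18 host drops only the CVE-2026-20128 row, and the unrelated firewall produces no rows at all.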
What organizations should do now
Organizations using Cisco Catalyst SD-WAN Manager should patch affected systems immediately and compare deployed versions against Cisco’s fixed release guidance. They should also review Cisco’s indicators of compromise, inspect logs, and look for suspicious API activity, unauthorized file changes, or unexpected access tied to DCA-related components.
Security teams should also reduce exposure around management interfaces. CISA’s SD-WAN guidance says organizations should inventory in-scope systems, collect forensic data, store logs externally, and review whether these systems remain internet reachable. The agency also stresses hunting for unusual peer connections, unauthorized SSH keys, anomalous root activity, and signs of log tampering.
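Two of the hunt items in that guidance, unauthorized SSH keys and unauthorized file changes, written out as generic Linux host checks in an added example that is not Cisco's or CISA's tooling. All inputs are constructed in memory: the authorized_keys text, the key blobs (valid base64 of the right length, not real keys), the file paths and the baseline hashes are hypothetical. In practice the fingerprint allowlist would be produced in advance from known-good keys with ssh-keygen -lf, and the baseline hashes taken from a known-good image, both stored off the box so a compromised host cannot rewrite them.

```python
"""Hunt helpers for two items in CISA's SD-WAN guidance: unauthorized SSH keys
and unauthorized file changes, as generic Linux host checks.

Added example for this article, not Cisco or CISA tooling. Every input below
is CONSTRUCTED in memory; paths, key blobs, allowlist and baseline are
hypothetical placeholders.
"""
import base64
import hashlib
import re

# Locate the key type token; everything before it is the options field, so a
# command="..." option containing spaces does not break the parse.
KEY_TYPE_RE = re.compile(
    r"(?P<type>ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-nistp(?:256|384|521)|sk-[\w@.-]+)"
    r"\s+(?P<blob>[A-Za-z0-9+/=]+)\s*(?P<comment>.*)$"
)


def ssh_fingerprint(blob_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64 public-key blob (padding stripped)."""
    raw = base64.b64decode(blob_b64 + "=" * (-len(blob_b64) % 4))
    return "SHA256:" + base64.b64encode(hashlib.sha256(raw).digest()).decode().rstrip("=")


def parse_authorized_keys(text: str) -> list:
    """Return one dict per key line, skipping blanks, comments and malformed lines."""
    keys = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_TYPE_RE.search(line)
        if not m:
            continue  # sshd ignores unparseable lines too
        keys.append({
            "line": lineno,
            "options": line[: m.start()].strip(),
            "type": m.group("type"),
            "fingerprint": ssh_fingerprint(m.group("blob")),
            "comment": m.group("comment").strip(),
        })
    return keys


def unauthorized_keys(text: str, allowlist: set) -> list:
    """Keys whose fingerprint is not on the pre-built allowlist."""
    return [k for k in parse_authorized_keys(text) if k["fingerprint"] not in allowlist]


def diff_against_baseline(baseline: dict, current_contents: dict) -> dict:
    """baseline: path -> sha256 hex recorded when the host was known-good.
    current_contents: path -> bytes read now. Reports added/removed/modified paths."""
    current = {p: hashlib.sha256(b).hexdigest() for p, b in current_contents.items()}
    both = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in both if baseline[p] != current[p]),
    }


# --- constructed sample data (placeholders, not real keys or files) ---
KNOWN_GOOD_BLOB = "AAAAC3NzaC1lZDI1NTE5AAAAI" + "Q" * 43
UNKNOWN_BLOB = "AAAAC3NzaC1lZDI1NTE5AAAAI" + "Z" * 43

AUTHORIZED_KEYS_SAMPLE = f"""# managed by config management (constructed sample)
ssh-ed25519 {KNOWN_GOOD_BLOB} netops@jumphost
command="/usr/bin/true --flag with space",no-pty ssh-ed25519 {UNKNOWN_BLOB} svc@unknown
"""
ALLOWLIST = {ssh_fingerprint(KNOWN_GOOD_BLOB)}  # would normally be loaded from offline storage

BASELINE = {
    "/etc/passwd": hashlib.sha256(b"root:x:0:0:root:/root:/bin/bash\n").hexdigest(),
    "/usr/local/bin/agent": hashlib.sha256(b"#!/bin/sh\nexec /opt/agent/run\n").hexdigest(),
}
CURRENT_FILES = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
    "/usr/local/bin/agent": b"#!/bin/sh\nexec /opt/agent/run\n# edited\n",
    "/tmp/.cache": b"\x7fELF placeholder",
}

if __name__ == "__main__":
    for k in unauthorized_keys(AUTHORIZED_KEYS_SAMPLE, ALLOWLIST):
        print(f"UNAUTHORIZED KEY line {k['line']}: {k['type']} {k['fingerprint']} "
              f"comment={k['comment']!r} options={k['options']!r}")
    print(diff_against_baseline(BASELINE, CURRENT_FILES))
```

Feed the functions the real /root/.ssh/authorized_keys (and any other accounts' key files) and hashes of the paths you baselined; anything flagged belongs in the forensic collection the guidance asks for before the host is patched or rebuilt.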
For federal civilian agencies, the directive language is stricter and time-bound. Even private sector organizations should treat the same guidance as urgent because the exploitation is already active and the product controls high-value networking functions. That last point is an inference based on the product’s role in SD-WAN management and CISA’s emergency posture.
Recommended actions
- Apply Cisco’s security updates for affected Catalyst SD-WAN Manager releases.
- Check Cisco’s advisory for indicators of compromise tied to CVE-2026-20122 and CVE-2026-20128.
- Review CISA Emergency Directive 26-03 and the related hunt and hardening guidance.
- Audit API access, local filesystem permissions, and management-plane exposure.
- Investigate for compromise before and after patching if systems were internet exposed.
FAQ
Which product is affected?
The vulnerabilities affect Cisco Catalyst SD-WAN Manager, formerly known as SD-WAN vManage. Cisco's advisory contains the affected and fixed release information.
Are these flaws being exploited?
Yes. CISA added all three flaws to the Known Exploited Vulnerabilities catalog on April 20, 2026, which means the agency has evidence of active exploitation.
Do all three flaws require authentication?
No. Cisco says CVE-2026-20133 and CVE-2026-20128 can be exploited remotely without authentication, while CVE-2026-20122 requires authenticated remote access with valid read-only credentials.
Is patching enough?
Not always. Cisco published indicators of compromise for two of the flaws, and CISA issued hunt and hardening guidance, which suggests defenders should also check whether systems were already accessed.