CISA Orders Agencies to Secure Cisco SD-WAN Systems After New Flaw Hits Exploited List
CISA has added CVE-2026-20133, a Cisco Catalyst SD-WAN Manager vulnerability, to its Known Exploited Vulnerabilities catalog after confirming active exploitation. The agency gave U.S. federal civilian agencies until April 24, 2026, to apply mitigations, follow Cisco SD-WAN hardening guidance, or stop using affected systems if fixes are not available.
The flaw affects Cisco Catalyst SD-WAN Manager, formerly known as vManage. The product helps administrators monitor and manage large SD-WAN deployments from a central dashboard, which makes any exposed management weakness especially sensitive. Cisco patched the vulnerability in February 2026 as part of a wider Catalyst SD-WAN security advisory.
Cisco describes CVE-2026-20133 as an information disclosure vulnerability caused by insufficient file system access restrictions. An unauthenticated remote attacker could exploit the flaw through an affected system’s API and read sensitive information from the underlying operating system.
CISA adds CVE-2026-20133 to its exploited catalog
CISA added the vulnerability to the KEV catalog on April 20, 2026, along with seven other exploited vulnerabilities. The agency says KEV entries reflect evidence of active exploitation, which means defenders should prioritize remediation even if public exploit details remain limited.
The deadline matters most for Federal Civilian Executive Branch agencies, but private organizations should also treat it as an urgent risk signal. SD-WAN Manager sits in a high-value part of the network, and attackers can use exposed management systems to gather sensitive data or support broader intrusion activity.
CISA also pointed agencies to Emergency Directive 26-03 and its Cisco SD-WAN hunt and hardening guidance. That directive tells agencies to identify affected Cisco SD-WAN systems, reduce exposure, validate fixes, and hunt for signs of compromise.
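As an added example (not code from the article, CISA or Cisco), the sketch below matches KEV entries against an asset inventory and sorts unpatched hosts by how far they are past the due date. The feed entries are constructed in the shape of CISA's KEV JSON feed; the inventory, hostnames, `fixed` flag and `triage` function are hypothetical, and only the CVE ID, KEV date and due date come from the article.

```python
import json
from datetime import date

# Constructed sample shaped like CISA's KEV JSON feed. The second entry is a
# placeholder; only the first entry's CVE ID and dates come from the article.
KEV_SAMPLE = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2026-20133", "vendorProject": "Cisco",
         "product": "Catalyst SD-WAN Manager",
         "dateAdded": "2026-04-20", "dueDate": "2026-04-24"},
        {"cveID": "CVE-0000-00001", "vendorProject": "ExampleVendor",
         "product": "Example Gateway",
         "dateAdded": "2026-04-20", "dueDate": "2026-05-11"},
    ]
})

# Hypothetical inventory. "fixed" is set only after the upgrade to a fixed
# release has been validated on that host.
INVENTORY = [
    {"vendor": "cisco", "product": "catalyst sd-wan manager",
     "host": "sdwan-mgr-01", "fixed": False},
    {"vendor": "cisco", "product": "catalyst sd-wan manager",
     "host": "sdwan-mgr-02", "fixed": True},
    {"vendor": "examplevendor", "product": "example gateway",
     "host": "gw-01", "fixed": False},
]

def triage(kev_json, inventory, today):
    """Return KEV findings for unpatched inventory hosts, most overdue first."""
    findings = []
    for vuln in json.loads(kev_json)["vulnerabilities"]:
        key = (vuln["vendorProject"].strip().lower(),
               vuln["product"].strip().lower())
        due = date.fromisoformat(vuln["dueDate"])
        for asset in inventory:
            if (asset["vendor"], asset["product"]) != key or asset["fixed"]:
                continue
            days_left = (due - today).days
            findings.append({
                "host": asset["host"], "cve": vuln["cveID"],
                "due": vuln["dueDate"], "days_left": days_left,
                # Past the KEV due date: handle as incident response,
                # not routine maintenance.
                "track": "incident-response" if days_left < 0 else "expedited-patch",
            })
    return sorted(findings, key=lambda f: f["days_left"])

if __name__ == "__main__":
    for finding in triage(KEV_SAMPLE, INVENTORY, date(2026, 4, 27)):
        print(finding)
```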
What CVE-2026-20133 does
| Detail | Information |
|---|---|
| CVE | CVE-2026-20133 |
| Product | Cisco Catalyst SD-WAN Manager |
| Former product name | vManage |
| Vulnerability type | Information disclosure |
| Attack requirement | Remote, unauthenticated access |
| Root cause | Insufficient file system access restrictions |
| Possible impact | Access to sensitive information on the underlying OS |
| Cisco patch date | February 2026 |
| CISA KEV date | April 20, 2026 |
| Federal deadline | April 24, 2026 |
Cisco’s advisory says the vulnerability exists because affected systems do not properly restrict file system access. By accessing the API of an affected system, an attacker could read sensitive information from the operating system beneath the SD-WAN Manager platform.
CISA’s KEV listing uses a broader name for the flaw, describing it as an exposure of sensitive information to an unauthorized actor. The agency also says organizations should follow applicable cloud guidance or discontinue product use if mitigations cannot be applied.
There is one important difference between the agency’s warning and Cisco’s advisory. CISA says the flaw is actively exploited, while Cisco’s advisory still states that its Product Security Incident Response Team was not aware of public announcements or malicious use for CVE-2026-20133 at the time of the advisory text.
Why this Cisco SD-WAN flaw matters
SD-WAN management systems are not ordinary servers. They control policies, configuration, monitoring, and connectivity across distributed enterprise networks.
An information disclosure flaw in that layer can give attackers data that supports deeper compromise. Sensitive operating system files, internal configuration details, or secrets can help attackers plan follow-up activity.
Security researchers have also raised concerns about the practical impact of CVE-2026-20133. VulnCheck said its researchers used the flaw to extract sensitive Cisco SD-WAN material, including a vmanage-admin private key and confd_ipc_secret in a lab context, showing why defenders should not treat the issue as low risk.
Cisco SD-WAN has faced several recent exploited bugs
CVE-2026-20133 is not the only Cisco SD-WAN issue to draw attention this year. In February, Cisco disclosed several Catalyst SD-WAN Manager vulnerabilities, including CVE-2026-20127, CVE-2026-20128, CVE-2026-20122, and CVE-2026-20133.
CVE-2026-20127 is especially serious. Cisco said the authentication bypass flaw was exploited as a zero-day and could allow attackers to add rogue peers to targeted SD-WAN networks. CISA also issued Emergency Directive 26-03 to address active targeting of Cisco SD-WAN systems.
The new KEV entry shows that federal defenders still face pressure around Cisco SD-WAN exposure. Even after patches arrive, agencies and companies need to validate upgrades, check logs, and confirm that management interfaces do not remain exposed to attackers.
What organizations should do now
Organizations using Cisco Catalyst SD-WAN Manager should first confirm whether they run an affected release. Cisco’s February advisory lists fixed versions and mitigation details for the affected SD-WAN Manager vulnerabilities.
Teams should also review the system for compromise indicators, especially if the management plane was reachable from the internet. CISA’s emergency directive stresses both mitigation and hunting, not only software patching.
Recommended actions include:
- Apply Cisco’s fixed software versions for affected Catalyst SD-WAN Manager systems.
- Remove SD-WAN management interfaces from direct internet exposure.
- Restrict access to trusted administrative networks.
- Review API access logs for unusual requests.
- Hunt for unauthorized peering or configuration changes.
- Rotate exposed secrets or credentials if compromise is suspected.
- Follow CISA’s Cisco SD-WAN hardening guidance.
- Decommission affected systems if fixes or mitigations cannot be applied.
What admins should watch for
Cisco SD-WAN environments need more than patch status checks. Admins should look for suspicious management activity that may indicate an attacker already accessed the system.
Important signals include:
- Unknown administrative logins
- Unexpected API calls
- New or modified SD-WAN peers
- Configuration changes without a matching change ticket
- Strange access to sensitive files
- New accounts or privilege changes
- Unusual traffic from the management plane
- Logs that show tampering or gaps
CISA’s deadline has already passed, so unpatched systems now sit in a higher-risk category. Organizations that missed the April 24 deadline should treat remediation as an incident response task, not a routine maintenance item.
FAQ
CVE-2026-20133 is an information disclosure vulnerability in Cisco Catalyst SD-WAN Manager. Cisco says an unauthenticated remote attacker could exploit it through an affected system’s API to read sensitive information from the underlying operating system.
Yes. CISA added the flaw to its Known Exploited Vulnerabilities catalog based on evidence of active exploitation. Cisco’s advisory, however, has not publicly confirmed malicious use of CVE-2026-20133.
Cisco Catalyst SD-WAN Manager, formerly vManage, is a management platform used to monitor, configure, and manage Cisco SD-WAN deployments from a central interface.
Cisco patched CVE-2026-20133 in February 2026 as part of its Catalyst SD-WAN security advisory.