CISA adds eight flaws to KEV, including another Cisco SD-WAN bug, and gives organizations four days to fix it

CISA has added eight vulnerabilities to its KEV catalog, including CVE-2026-20133, another flaw in Cisco Catalyst SD-WAN Manager. Federal agencies have been given four days to secure their systems against it.

CVE-2026-20133 is an information disclosure vulnerability caused by insufficient file system access restrictions. It can allow an unauthenticated remote attacker to read sensitive information on affected systems through the API.

The KEV addition follows prior exploitation disclosures involving other Cisco SD-WAN vulnerabilities, including CVE-2026-20127, CVE-2026-20122, and CVE-2026-20128, which prompted earlier emergency directives and patching actions. CISA said the latest KEV update reflects continued active targeting of internet-exposed network infrastructure.

John Carberry, Solution Sleuth, Xcape, Inc. had this to say:

   “Cisco SD-WAN flaws, including the addition of CVE-2026-20133 and two other vulnerabilities to the KEV catalog, signal a critical escalation targeting software-defined perimeters. The main threat is not single bugs, but the rapid weaponization of vulnerability chains, using unauthenticated API access to enable severe file-overwrite and credential-extraction attacks.

   “CISA’s unusually short 4-day deadline confirms pervasive, automated exploitation linked to a Five Eyes-identified global campaign. These flaws stem from systemic API-level access control failures. Organizations must go beyond patching to implement the hardening steps in Emergency Directive 26-03: isolate management interfaces and immediately hunt for “rogue peering” or unauthorized root logins that occurred before the patch.

  • What is the real risk here? The risk is vulnerability chaining. CVE-2026-20133 (information disclosure) allows an unauthenticated attacker to scrape the API for system details, configurations, and internal IPs. This data is then used to weaponize more critical bugs, such as the file overwrite in CVE-2026-20122, essentially giving the attacker a ‘key’ to take control of the system.
  • Are we talking about a full-scale attack here? Sophisticated actors, confirmed by CISA and Five Eyes, have targeted SD-WAN management systems globally since at least 2023. This is a critical threat; owning the SD-WAN Manager grants them long-term persistence and control over all network traffic routing.
  • The “4-day deadline” is the most telling part. CISA’s four-day deadline (April 23, 2026), a significant cut from the usual 14–21 days for KEV items, indicates automated, large-scale exploitation is happening now. Patching without prior collection of forensic logs (admin-tech files) risks merely “painting over the mold” on an already backdoored system. 

   “Asking for a 4-day turnaround on a core networking product is Cisco’s subtle way of admitting they’ve left the screen door open during a hurricane.”

Sunil Gottumukkala, CEO, Averlon follows with this:

   “CISA’s KEV addition is a strong reminder that defenders should not treat CVE-2026-20133 as a routine information disclosure. In an SD-WAN manager, ‘sensitive information’ can include credentials and secrets that materially change the security of the entire environment. Public research shows this flaw can expose the vmanage-admin private key, compromise NETCONF used to manage SD-WAN devices, and leak confd_ipc_secret to enable root escalation.

   “When the vulnerable system is the management plane for distributed network infrastructure, the real-world impact is much larger than what its CVSS rating implies.”

Denis Calderone, CTO, Suzu Labs adds this:

   “Since late February, Cisco Catalyst SD-WAN Manager has been the target of a sustained, escalating campaign. CVE-2026-20127 was the CVSS 10.0 authentication bypass that triggered CISA Emergency Directive 26-03 and forced emergency federal patching. That was wave one. Wave two came in March: CVE-2026-20128, which exposes DCA user credentials, and CVE-2026-20122, which allows an attacker with low-level access to overwrite arbitrary files and escalate to full vManage administration. Both confirmed as actively exploited. Now CVE-2026-20133 is joining the KEV, giving an unauthenticated remote attacker access to sensitive files on the underlying OS through the API. Cisco hasn’t confirmed exploitation of this one. CISA clearly disagrees.

   “There’s also a scoring discrepancy here worth reviewing. Cisco’s PSIRT submitted this CVE to NVD as 6.5 MEDIUM, with low privileges required. NVD did their own independent analysis and scored it 7.5 HIGH, with no privileges required – matching Cisco’s own advisory, which also says 7.5 and no privileges required. So Cisco’s advisory and Cisco’s NVD submission tell different stories about the same vulnerability. NVD caught it. It is suggested that, since NIST announced they’re pulling back from independent CVE enrichment, this kind of vendor self-scoring inconsistency is exactly the gap that independent enrichment was closing. CVE-2026-20133 is that exact situation playing out in real time.

   “A defender running CVSS-based prioritization sees 6.5 MEDIUM and this sits in a longer queue. Meanwhile, exploitation is, according to CISA, already happening.

   “And CVSS still doesn’t score for chainability. CVE-2026-20133 is information disclosure. Add CVE-2026-20128 to harvest DCA credentials and CVE-2026-20122 to escalate those credentials to vManage admin, and you have full administrative control of a management platform capable of pushing configuration changes to thousands of SD-WAN devices simultaneously. The individual scores don’t capture that math. KEV does, because KEV reflects what’s actually happening in attacks, not what a scoring rubric says about a vulnerability in isolation.

   “If Catalyst SD-WAN Manager is in your environment, patch all three of these. Not because any single CVE is a ten. Because together they are.”

So once again, it’s time to patch all the things in order to keep your organization safe. Given the tight timeline, this should be considered a today problem. And as the commentary above points out, collect the admin-tech files and check for unauthorized logins before you patch, so that you are not simply painting over a system that has already been compromised.
