Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
CISA Audits Government Code Repositories With Anthropic’s Mythos AI Tool
July 7, 2026
Microsoft Windows Secures AI Agent Workflows with Execution Containers
July 7, 2026
Critical PHP PDO Driver Bugs Expose Firebird SQL Injection, PostgreSQL DoS
July 7, 2026
Home/CyberSecurity News/Cisco Catalyst SD-WAN Manager Critical Flaws Actively Exploited, CISA Warns
CyberSecurity News

Cisco Catalyst SD-WAN Manager Critical Flaws Actively Exploited, CISA Warns

Key Takeaways Cisco Catalyst SD-WAN Manager contains three critical vulnerabilities, including information exposure, arbitrary file upload, and password storage in a recoverable format. These flaws...

David kimber
David kimber
April 21, 2026 3 Min Read
26 0

Key Takeaways

  • Cisco Catalyst SD-WAN Manager contains three critical vulnerabilities, including information exposure, arbitrary file upload, and password storage in a recoverable format.
  • These flaws are being actively exploited in the wild, prompting urgent warnings from CISA.
  • The vulnerabilities allow remote, unauthenticated attackers to gain sensitive information, upload malicious files, and escalate privileges.
  • Federal agencies must remediate by April 23, 2026; all organizations using affected products should act immediately.

CISA Warns of Active Exploitation in Cisco Catalyst SD-WAN Manager Critical Flaws

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical warning regarding three severe vulnerabilities in Cisco Catalyst SD-WAN Manager, confirming their active exploitation. These flaws have been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, mandating immediate action from federal agencies and strongly advising all organizations to prioritize remediation.

Table Of Content

  • Key Takeaways
  • CISA Warns of Active Exploitation in Cisco Catalyst SD-WAN Manager Critical Flaws
  • Deep Dive into the Vulnerabilities
  • What You Should Do

All three vulnerabilities were listed in the KEV catalog on April 20, 2026, with a stringent deadline for remediation set for April 23, 2026, underscoring the immediate and severe threat these issues pose.

Deep Dive into the Vulnerabilities

Cisco Catalyst SD-WAN Manager, a cornerstone for managing enterprise SD-WAN infrastructure, is at the heart of these critical security issues. The vulnerabilities are detailed as follows:

  • CVE-2026-20133 (CWE-200 – Sensitive Information Exposure): This flaw allows remote attackers to access sensitive information without needing any authentication. Its unauthenticated nature makes it particularly dangerous for systems exposed to the internet.
  • CVE-2026-20122 (CWE-648 – Incorrect Use of Privileged APIs): Stemming from improper file handling within the API interface, this vulnerability enables an attacker to upload a malicious file to the local file system. A successful exploit grants the attacker “vmanage” user privileges, providing extensive control over the SD-WAN environment.
  • CVE-2026-20128 (CWE-257 – Passwords Stored in Recoverable Format): An authenticated local attacker can exploit this flaw by accessing a credential file stored in an easily recoverable format. This permits privilege escalation to the “DCA” user level, even from accounts with low privileges.

Given that SD-WAN managers are central to enterprise network infrastructure, dictating routing, policies, and device configurations across distributed environments, their compromise presents a grave risk. Attackers gaining control of this platform could achieve broad lateral movement capabilities, potentially pivoting across an entire network infrastructure.

While CISA currently lists “ransomware involvement” as “unknown,” historical patterns indicate that the exploitation of SD-WAN management platforms frequently precedes large-scale network intrusions and significant data breaches.

To emphasize the gravity of the threat, CISA has released Emergency Directive 26-03, alongside specific Hunt & Hardening Guidance for Cisco SD-WAN Devices. For organizations unable to implement the necessary mitigations, CISA directs them to cease using the product, aligning with BOD 22-01 guidance for cloud services.

What You Should Do

  • Apply all available security patches and updates from Cisco immediately to all affected Cisco Catalyst SD-WAN Manager instances.
  • Review CISA’s Emergency Directive 26-03 for detailed instructions on assessing exposure and implementing corrective actions.
  • Utilize CISA’s Hunt & Hardening Guidance specifically designed for Cisco SD-WAN Devices to detect any signs of compromise within your network.
  • Strengthen security by restricting API access and conducting thorough audits of local file system permissions on systems running the SD-WAN Manager.
  • Implement continuous monitoring for unusual privilege escalations, unauthorized file uploads, or any suspicious activity indicative of exploitation.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackCVEExploitPatchransomwareSecurityThreatVulnerability

Share Article

David kimber

David kimber

David is a penetration tester turned security journalist with expertise in mobile security, IoT vulnerabilities, and exploit development. As an OSCP-certified security professional, David brings hands-on technical experience to his reporting on vulnerabilities and security research. His articles often feature detailed technical analysis of exploits and provide actionable defense recommendations. David maintains an active presence in the security research community and has contributed to multiple open-source security tools.

Previous Post

Critical Apache ActiveMQ Vulnerability CVE-2023-46604 Exposes 6,000+ Servers

Next Post

GitHub Phishing Campaign Abuses OAuth Apps via Issue Notifications

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Critical OpenAI Codex macOS App Bug Lets Attackers Inject Indirect Prompts
July 7, 2026
Microsoft Teams Vulnerability Lets Attackers Install RMM Tools and EtherRAT
July 7, 2026
Cavern Manticore Exploits SysAid RMM and WinDirStat DLL Sideloading for C2 Deployment
July 7, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us