Cisco Catalyst SD-WAN Manager Critical Flaws Actively Exploited, CISA Warns
Key Takeaways Cisco Catalyst SD-WAN Manager contains three critical vulnerabilities, including information exposure, arbitrary file upload, and password storage in a recoverable format. These flaws...
Key Takeaways
- Cisco Catalyst SD-WAN Manager contains three critical vulnerabilities, including information exposure, arbitrary file upload, and password storage in a recoverable format.
- These flaws are being actively exploited in the wild, prompting urgent warnings from CISA.
- The vulnerabilities allow remote, unauthenticated attackers to gain sensitive information, upload malicious files, and escalate privileges.
- Federal agencies must remediate by April 23, 2026; all organizations using affected products should act immediately.
CISA Warns of Active Exploitation in Cisco Catalyst SD-WAN Manager Critical Flaws
The Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical warning regarding three severe vulnerabilities in Cisco Catalyst SD-WAN Manager, confirming their active exploitation. These flaws have been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, mandating immediate action from federal agencies and strongly advising all organizations to prioritize remediation.
Table Of Content
All three vulnerabilities were listed in the KEV catalog on April 20, 2026, with a stringent deadline for remediation set for April 23, 2026, underscoring the immediate and severe threat these issues pose.
Deep Dive into the Vulnerabilities
Cisco Catalyst SD-WAN Manager, a cornerstone for managing enterprise SD-WAN infrastructure, is at the heart of these critical security issues. The vulnerabilities are detailed as follows:
- CVE-2026-20133 (CWE-200 – Sensitive Information Exposure): This flaw allows remote attackers to access sensitive information without needing any authentication. Its unauthenticated nature makes it particularly dangerous for systems exposed to the internet.
- CVE-2026-20122 (CWE-648 – Incorrect Use of Privileged APIs): Stemming from improper file handling within the API interface, this vulnerability enables an attacker to upload a malicious file to the local file system. A successful exploit grants the attacker “vmanage” user privileges, providing extensive control over the SD-WAN environment.
- CVE-2026-20128 (CWE-257 – Passwords Stored in Recoverable Format): An authenticated local attacker can exploit this flaw by accessing a credential file stored in an easily recoverable format. This permits privilege escalation to the “DCA” user level, even from accounts with low privileges.
Given that SD-WAN managers are central to enterprise network infrastructure, dictating routing, policies, and device configurations across distributed environments, their compromise presents a grave risk. Attackers gaining control of this platform could achieve broad lateral movement capabilities, potentially pivoting across an entire network infrastructure.
While CISA currently lists “ransomware involvement” as “unknown,” historical patterns indicate that the exploitation of SD-WAN management platforms frequently precedes large-scale network intrusions and significant data breaches.
To emphasize the gravity of the threat, CISA has released Emergency Directive 26-03, alongside specific Hunt & Hardening Guidance for Cisco SD-WAN Devices. For organizations unable to implement the necessary mitigations, CISA directs them to cease using the product, aligning with BOD 22-01 guidance for cloud services.
What You Should Do
- Apply all available security patches and updates from Cisco immediately to all affected Cisco Catalyst SD-WAN Manager instances.
- Review CISA’s Emergency Directive 26-03 for detailed instructions on assessing exposure and implementing corrective actions.
- Utilize CISA’s Hunt & Hardening Guidance specifically designed for Cisco SD-WAN Devices to detect any signs of compromise within your network.
- Strengthen security by restricting API access and conducting thorough audits of local file system permissions on systems running the SD-WAN Manager.
- Implement continuous monitoring for unusual privilege escalations, unauthorized file uploads, or any suspicious activity indicative of exploitation.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.