CISA's KEV Catalog Update: Actively Exploited Cisco Catalyst SD-

The Cybersecurity and Infrastructure Security Agency (CISA) added three vulnerabilities affecting Cisco Catalyst SD-WAN Manager to its Known Exploited Vulnerabilities (KEV) Catalog on April 20, 2026. The actively exploited flaws, CVE-2026-20133, CVE-2026-20128 and CVE-2026-20122, together threaten the integrity and confidentiality of enterprise wide-area network (WAN) deployments built on Cisco's SD-WAN solution. Federal agencies must remediate them by April 23, 2026, a three-day window that reflects confirmed exploitation in the wild. Because SD-WAN Manager is the fabric's central administrative console, compromising it gives an attacker a strategic foothold: control over traffic routing and, through it, over potentially thousands of managed SD-WAN devices.
Analysis of Actively Exploited Cisco Catalyst SD-WAN Manager Vulnerabilities
The recent CISA KEV additions highlight a dangerous attack chain targeting Cisco Catalyst SD-WAN Manager, formerly known as vManage. These vulnerabilities, when combined, can lead to sensitive information disclosure, credential compromise, and ultimately, arbitrary file overwrite with elevated privileges. Understanding each component is crucial for effective defense.
CVE-2026-20133: Exposure of Sensitive Information to an Unauthorized Actor
This vulnerability, with a CVSS score of 6.5, allows unauthenticated remote attackers to access sensitive information on affected systems. The flaw stems from insufficient file system access restrictions within the API of Cisco Catalyst SD-WAN Manager. An attacker can exploit this by directly querying the API to read underlying operating system files that should otherwise be protected.
Remote, unauthenticated enumeration of sensitive files is a valuable reconnaissance vector: configuration files, user lists and other system-level data inform the more impactful steps that follow. The request itself is trivial. The curl command below is illustrative; the endpoint and parameter name stand in for whatever file-serving API route is affected, and the target file is one an attacker would typically try first:
curl -k "https://<vmanage-ip>:8443/dataservice/client/config/files?path=/etc/shadow"
Exactly which content is reachable depends on the affected endpoints, but the root cause is the same: the API serves file system content without first enforcing authorization. Such a flaw is rarely the end goal; it supplies the intelligence (paths, usernames, software versions) needed to craft targeted privilege-escalation or lateral-movement steps. Treat it as broken authorization at the API layer, the CWE-200 "exposure of sensitive information" weakness class named in the CVE title.
CVE-2026-20128: Storing Passwords in a Recoverable Format
Rated CVSS 7.5, CVE-2026-20128 lets an authenticated local attacker with low privileges obtain the privileges of the DCA (Data Center Analytics) user. The cause is that credential files for DCA users are stored on the filesystem in a recoverable format. A low-privileged user who already has local access, whether through another vulnerability or through social engineering, can read those files and extract the credentials.
Recoverable passwords on disk are a fundamental misstep, and attackers routinely hunt for them in predictable locations and configuration directories. A compromised low-privileged account might run commands like the following (the file names and paths are illustrative, not the real locations):
find / -name "*dca_creds*" 2>/dev/null
cat /opt/vmanage/conf/dca_credentials.conf
Successful exploitation grants DCA user privileges, which carry real weight in the SD-WAN ecosystem: they allow further manipulation of network policies and configurations. The lesson is that credential material on management infrastructure must be stored hashed or in a protected secret store and guarded by strict file permissions; without that, a minor initial foothold escalates quickly.
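As an added example (it is not code from this article or from Cisco), the following Python audits a directory tree for the general weakness CVE-2026-20128 describes: credential-looking files that a low-privileged local account can read, or that hold plaintext secrets. It also takes the SHA-256 baseline that file integrity monitoring on the same host would compare against, and shows what an attacker's later file writes look like in that diff. The directory layout, file names, contents and mode bits are constructed fixtures, not real SD-WAN Manager paths.

```python
import hashlib
import os
import re
import shutil
import stat
import tempfile
from typing import Dict, List, NamedTuple

# File names that commonly hold credentials; tune the pattern for the platform audited.
CREDENTIAL_NAME_RE = re.compile(r"(cred|passw|secret|token|\.key$|\.pem$)", re.IGNORECASE)
# A "password = value" style line; the value is then checked for a known hash prefix.
PLAINTEXT_RE = re.compile(r"^\s*(password|passwd|secret)\s*[=:]\s*(?P<val>\S+)", re.IGNORECASE | re.MULTILINE)
HASH_PREFIXES = ("$2", "$5$", "$6$", "$argon2", "$pbkdf2", "{SHA", "{SSHA")


class Issue(NamedTuple):
    path: str
    problem: str


def audit_credential_files(root: str) -> List[Issue]:
    """Report credential-looking files under root that a low-privileged local
    account could exploit: readable by group/other, or holding a plaintext secret."""
    issues: List[Issue] = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not CREDENTIAL_NAME_RE.search(name):
                continue
            full = os.path.join(dirpath, name)
            mode = os.lstat(full).st_mode
            if not stat.S_ISREG(mode):
                continue  # skip symlinks and special files
            if mode & (stat.S_IRGRP | stat.S_IROTH):
                issues.append(Issue(full, f"readable by group/other (mode {stat.S_IMODE(mode):04o})"))
            with open(full, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            for m in PLAINTEXT_RE.finditer(text):
                if not m["val"].startswith(HASH_PREFIXES):
                    issues.append(Issue(full, f"plaintext {m.group(1).lower()} value"))
    return issues


def hash_tree(root: str) -> Dict[str, str]:
    """SHA-256 of every regular file under root, keyed by relative path. Kept
    off-box and compared periodically, this is the file-integrity baseline."""
    digests: Dict[str, str] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            with open(full, "rb") as fh:
                digests[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def fim_diff(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Files added, removed or modified since the baseline was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p]),
    }


def build_sample_tree() -> str:
    """Constructed fixture standing in for a management host's config directory."""
    root = tempfile.mkdtemp(prefix="credaudit_")

    def write(rel: str, content: str, mode: int) -> None:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
        os.chmod(path, mode)

    write("conf/collector_credentials.conf", "user = collector\npassword = Summer2026!\n", 0o644)  # world-readable, plaintext
    write("conf/service.conf", "listen = 0.0.0.0:8443\n", 0o644)                                   # not a credential file
    write("conf/users.passwd", "svc:$6$rounds=5000$saltsalt$hashedvalue\n", 0o600)                 # hashed, owner-only
    write("certs/server.key", "not-a-real-private-key\n", 0o640)                                   # group-readable key
    return root


def demo() -> dict:
    """Audit the fixture, take a baseline, simulate an attacker's file writes, and diff."""
    root = build_sample_tree()
    try:
        issues = audit_credential_files(root)
        baseline = hash_tree(root)
        with open(os.path.join(root, "conf/service.conf"), "a") as fh:   # tampered config
            fh.write("extra_admin = attacker\n")
        with open(os.path.join(root, "conf/authorized_keys"), "w") as fh:  # dropped SSH key (constructed)
            fh.write("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyMaterial attacker\n")
        return {"issues": issues, "changes": fim_diff(baseline, hash_tree(root))}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    result = demo()
    for issue in result["issues"]:
        print(f"{issue.problem:45} {issue.path}")
    print(result["changes"])
```

On the fixture the audit flags the world-readable plaintext credential file twice (mode and content) and the group-readable private key once, while the owner-only file holding a crypt-style hash passes; the diff then reports the appended config line and the new key file. Run the same two functions on a real host from a read-only account to see exactly what a low-privileged attacker could harvest.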
CVE-2026-20122: Incorrect Use of Privileged APIs
This vulnerability carries a CVSS score of 5.4 and allows an attacker to upload and overwrite arbitrary files on the affected system, leading to the acquisition of vManage user privileges. The flaw specifically involves improper file handling on the API interface of the system. While Cisco initially indicated that exploiting this vulnerability requires valid read-only credentials with API access, the real-world impact, especially when chained with other vulnerabilities, is far more severe.
An attacker leveraging CVE-2026-20122 could exploit the API to upload malicious files or overwrite critical system binaries or configuration files. This capability is a direct path to privilege escalation. For example, an attacker could overwrite an authorized SSH key, alter a startup script, or replace a legitimate binary with a malicious payload. The consequence is gaining administrative control over the vManage instance.
Consider an attacker who has obtained credentials via CVE-2026-20128, authenticates to the API with them, and then exploits CVE-2026-20122. The write request mirrors the read in the earlier curl example; the path shown is a throwaway staging location, whereas a real attack would target a file the service trusts, such as a startup script or an SSH authorized_keys file. Session authentication headers are omitted:
curl -k -X PUT "https://<vmanage-ip>:8443/dataservice/client/config/files?path=/tmp/malicious_script.sh" \
-H "Content-Type: application/octet-stream" \
--data-binary @./malicious_script.sh
If the API improperly validates the file path or content, this could lead to code execution or privilege escalation to the vManage user. This level of compromise effectively hands over control of the entire SD-WAN management plane to the attacker.
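Both the read in CVE-2026-20133 and the write in CVE-2026-20122 come down to the same server-side mistake: a client-supplied path is joined onto a storage root and trusted. The following Python is an added example, not Cisco's code or this article's, showing the vulnerable join next to a hardened resolver; the storage root, endpoint semantics and probe paths are constructed for illustration.

```python
import posixpath

# Hypothetical storage root a file-serving API is meant to be confined to.
# Constructed for this example; it is not a real SD-WAN Manager path.
STORAGE_ROOT = "/opt/app/files"


def resolve_unsafe(root: str, user_path: str) -> str:
    """Vulnerable pattern: join the client-supplied value onto the root and trust
    the result. join() discards `root` entirely when user_path is absolute, and
    '..' segments walk out of it."""
    return posixpath.normpath(posixpath.join(root, user_path))


def resolve_safe(root: str, user_path: str) -> str:
    """Hardened pattern: reject absolute and NUL-bearing values, normalise the
    join, then require the result to still sit under root. commonpath() is used
    instead of startswith() so that a sibling such as /opt/app/files_backup does
    not pass as a prefix match."""
    if not user_path or "\x00" in user_path:
        raise ValueError("empty or NUL-containing path")
    if posixpath.isabs(user_path):
        raise ValueError(f"absolute path not allowed: {user_path!r}")
    candidate = posixpath.normpath(posixpath.join(root, user_path))
    if posixpath.commonpath([root, candidate]) != root:
        raise ValueError(f"path escapes storage root: {user_path!r}")
    # On a live system also resolve symlinks (os.path.realpath) or open with
    # O_NOFOLLOW before reading or writing; a link inside root can still point out.
    return candidate


def classify(user_paths):
    """Map each client value to the file the unsafe join would touch and the
    hardened resolver's verdict, so the two behaviours can be compared side by side."""
    report = {}
    for p in user_paths:
        unsafe = resolve_unsafe(STORAGE_ROOT, p)
        try:
            verdict = resolve_safe(STORAGE_ROOT, p)
        except ValueError as exc:
            verdict = f"rejected: {exc}"
        report[p] = (unsafe, verdict)
    return report


# Constructed inputs: a legitimate read, the two traversal shapes from the curl
# examples above, a prefix-confusion case that startswith() would miss, and a
# relative escape hidden behind a legitimate-looking first segment.
PROBES = [
    "reports/q1.csv",
    "/etc/shadow",
    "../../../etc/shadow",
    "../files_backup/secrets.conf",
    "reports/../../x",
]

if __name__ == "__main__":
    for probe, (unsafe, verdict) in classify(PROBES).items():
        print(f"{probe:32} unsafe -> {unsafe:36} safe -> {verdict}")
```

The same resolver must sit in front of the upload handler as well as the download handler; an API that validates reads but lets a PUT name its own destination has only fixed half the problem. Apply the check to the path actually opened, after symlink resolution, so that a link an attacker planted inside the root cannot redirect the write.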
Chained Exploitation: A Pathway to SD-WAN Control Plane Compromise
The true danger of these vulnerabilities lies in chaining them. Individual CVSS scores understate the combined impact: together the flaws form a potent attack path against the SD-WAN management plane. Denis Calderone, Principal/CTO at Suzu Labs, outlined a plausible chain:
- Initial Reconnaissance with CVE-2026-20133: An unauthenticated attacker begins by exploiting CVE-2026-20133 to enumerate sensitive files and gather information about the underlying operating system and configuration through the API. This provides crucial intelligence for subsequent steps.
- Credential Harvesting with CVE-2026-20128: Using the insights gained, or potentially after a low-privilege initial compromise, the attacker exploits CVE-2026-20128 to harvest DCA user credentials from recoverable files on the filesystem.
- Privilege Escalation and Control with CVE-2026-20122: With valid DCA credentials, the attacker then leverages CVE-2026-20122 to upload and overwrite arbitrary files, ultimately escalating privileges to gain full vManage administrator access.
This chain bypasses security controls step by step, moving from unauthenticated information disclosure to full control over the SD-WAN management plane. Furthermore, CVE-2026-20127, the CVSS 10.0 authentication bypass that triggered CISA Emergency Directive 26-03 in February, could serve as a more direct front door for initial access, after which CVE-2026-20128 and CVE-2026-20122 become easier still. Several moderate-severity flaws chained into a full compromise is a familiar pattern, and it is why per-CVE scores are a poor guide to the risk of the set.
Impact on Network Infrastructure and Operational Security
Compromising the Cisco Catalyst SD-WAN Manager has profound implications. The vManage platform is the central point of control for an entire SD-WAN fabric, managing policies, routing, and device configurations for potentially thousands of network devices. An attacker with vManage administrator privileges can:
- Manipulate Network Traffic: Reroute traffic, implement denial-of-service, or intercept sensitive data.
- Deploy Malicious Configurations: Push malicious policies to edge devices, creating backdoors or weakening security postures across the entire WAN.
- Access Sensitive Data: Gain access to network telemetry, user data, and other confidential information flowing through the managed network.
- Establish Persistence: Create new administrative accounts, install persistent malware, or modify system files to maintain long-term access.
- Lateral Movement: Use the compromised SD-WAN platform as a pivot point to move deeper into the corporate network, targeting other critical assets.
This level of control over the network's nervous system makes these vulnerabilities particularly attractive to advanced persistent threat (APT) groups and financially motivated cybercriminals. The tight remediation window set by CISA for federal agencies—just three days—underscores the severe and immediate risk these vulnerabilities present.
Detection and Threat Hunting
Detecting exploitation attempts or post-exploitation activity related to these Cisco Catalyst SD-WAN Manager vulnerabilities requires a robust monitoring strategy. Organizations should focus on:
- API Access Logs: Scrutinize vManage API access logs for unusual or unauthenticated requests to sensitive endpoints (e.g., file system paths, configuration APIs). Look for repeated requests from unfamiliar source IPs or attempts to access non-existent resources that might indicate reconnaissance.
- File System Integrity Monitoring: Implement file integrity monitoring (FIM) on critical system directories and configuration files within the SD-WAN Manager instance. Alerts on unauthorized modifications to system binaries, scripts, or credential files (e.g., related to DCA users) are critical.
- Authentication Logs: Monitor for suspicious authentication attempts, new user account creation, or privilege escalation events within vManage. Pay close attention to successful logins from unexpected geographical locations or IP ranges.
- Network Traffic Analysis: Analyze network traffic originating from or destined for the SD-WAN Manager for anomalies, such as unexpected outbound connections, large data transfers, or communication with known command-and-control (C2) infrastructure. Tools like Zondex can assist in identifying unusual external connections or exposed services.
- Process Monitoring: Look for unusual processes being spawned or executed on the underlying operating system of the vManage instance, especially those running with elevated privileges.
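The API-log and authentication-log items above can be turned into concrete hunt rules. The Python below is an added example, not tooling from this article or from Cisco: it runs four rules over constructed access-log lines in a simplified layout (timestamp, client IP, authenticated user or "-", method, request target, status). The file endpoint it watches is the illustrative route used in this article's curl examples, and the read-only account name is an assumption; adapt both, and the line format, to the real log source.

```python
import re
from collections import Counter
from typing import List, NamedTuple
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines (not real vManage output). The endpoint below is
# the illustrative one used in this article; it is not asserted to be a real route.
SAMPLE_LOG = """\
2026-04-20T10:01:02Z 203.0.113.7 - GET /dataservice/client/config/files?path=/etc/shadow 200
2026-04-20T10:01:05Z 203.0.113.7 - GET /dataservice/client/config/files?path=../../etc/passwd 200
2026-04-20T10:01:09Z 203.0.113.7 - GET /dataservice/admin/users 404
2026-04-20T10:01:10Z 203.0.113.7 - GET /dataservice/backup/files 404
2026-04-20T10:01:11Z 203.0.113.7 - GET /dataservice/export 404
2026-04-20T10:02:11Z 198.51.100.4 netops_ro GET /dataservice/device 200
2026-04-20T10:03:30Z 198.51.100.4 netops_ro PUT /dataservice/client/config/files?path=/tmp/x.sh 200
2026-04-20T10:04:00Z 10.0.0.5 admin GET /dataservice/client/config/files?path=reports/q1.csv 200
"""

FILE_ENDPOINT_PREFIXES = ("/dataservice/client/config/files",)  # assumed file-serving route
WRITE_METHODS = {"PUT", "POST", "PATCH", "DELETE"}
NOT_FOUND_THRESHOLD = 3  # unauthenticated 404s from one IP before flagging recon

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<target>\S+) (?P<status>\d{3})$"
)


class Finding(NamedTuple):
    rule: str
    ip: str
    user: str
    detail: str


def is_traversal(path_value: str) -> bool:
    """True for absolute paths or any '..' segment, the two shapes that walk a
    file-serving endpoint out of its intended root."""
    return path_value.startswith("/") or ".." in path_value.split("/")


def hunt(log_text: str, read_only_accounts: set) -> List[Finding]:
    """Apply the four rules to each parsable line and collect findings."""
    findings: List[Finding] = []
    unauth_404s: Counter = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not fit the layout
        ip, user, method, target = m["ip"], m["user"], m["method"], m["target"]
        status = int(m["status"])
        parts = urlsplit(target)
        is_file_endpoint = parts.path.startswith(FILE_ENDPOINT_PREFIXES)
        path_values = parse_qs(parts.query).get("path", [])

        # Rule 1: a file-serving endpoint answered an unauthenticated request.
        if is_file_endpoint and user == "-" and status == 200:
            findings.append(Finding("unauth-file-read", ip, user, target))

        # Rule 2: the path parameter points outside the service's root, from any account.
        for value in path_values:
            if is_traversal(value):
                findings.append(Finding("path-traversal", ip, user, value))

        # Rule 3: an account meant to be read-only wrote through a file endpoint.
        if is_file_endpoint and method in WRITE_METHODS and user in read_only_accounts:
            findings.append(Finding("readonly-write", ip, user, target))

        # Rule 4: unauthenticated probing of endpoints that do not exist.
        if user == "-" and status == 404:
            unauth_404s[ip] += 1
            if unauth_404s[ip] == NOT_FOUND_THRESHOLD:
                findings.append(Finding("endpoint-recon", ip, user,
                                        f"{NOT_FOUND_THRESHOLD} unauthenticated 404s"))
    return findings


def summarize(findings: List[Finding]) -> dict:
    """Count findings per rule; the shape a SIEM dashboard or triage note wants."""
    return dict(Counter(f.rule for f in findings))


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG, {"netops_ro"}):  # "netops_ro" is an assumed read-only account
        print(f"{f.rule:18} {f.ip:14} {f.user:10} {f.detail}")
```

Against the sample, rule 1 fires on the two unauthenticated file reads, rule 2 on all three traversal-shaped path values (including the one issued by an authenticated account), rule 3 on the read-only account's PUT, and rule 4 once the same address has probed three missing endpoints. Rule 2 is deliberately independent of authentication: after a credential theft the traversal request arrives with a valid session, and that is the variant the chain in this article relies on.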
It is also crucial to integrate threat intelligence feeds, including CISA's KEV Catalog, into existing security information and event management (SIEM) systems and vulnerability management platforms. The lag between a KEV listing and an organization's internal awareness of it is itself a risk, as network administrators tracking this advisory have noted. An External Attack Surface Management (EASM) solution such as Secably can continuously monitor for exposed SD-WAN Manager instances and surface attack vectors before they are exploited. You can start a free EASM scan to assess your external posture.
Mitigation and Remediation Strategies
The primary mitigation for these actively exploited vulnerabilities is the immediate application of vendor-provided patches. Cisco has released software updates to address these flaws, and organizations are strongly advised to upgrade to the fixed software versions. There are no known workarounds for these specific vulnerabilities.
Key remediation steps include:
- Patch Immediately: Prioritize patching all Cisco Catalyst SD-WAN Manager instances to the latest secure versions. This is the most effective defense against active exploitation. Given the April 23, 2026, deadline for federal agencies, all organizations should treat this as an urgent requirement.
- Network Segmentation: Isolate the SD-WAN Manager instance from less trusted network segments. Restrict administrative access to the vManage platform to only necessary personnel and from secure, managed workstations.
- Strong Authentication and Authorization: Enforce multi-factor authentication (MFA) for all administrative accounts. Implement the principle of least privilege for all users and services interacting with the SD-WAN Manager. Regularly review and audit user permissions.
- API Security Best Practices: For any custom integrations or scripts interacting with the vManage API, ensure robust authentication, authorization, and input validation mechanisms are in place.
- Regular Audits and Configuration Reviews: Conduct frequent security audits of the SD-WAN Manager configuration to identify and rectify any insecure settings or exposed services.
- Forensic Analysis Post-Patching: Because exploitation is confirmed, patching alone is not enough. Conduct a forensic review of each SD-WAN Manager instance to determine whether it was compromised before the fix was applied: examine SSH and web authentication logs for public-key logins and sessions from unknown source addresses, review authorized_keys files and administrative accounts for unexpected entries, and compare system files against a known-good baseline. The goal is to find persistence mechanisms or backdoors established by attackers.
- Emergency Directive Compliance: Adhere to CISA's guidelines, including Emergency Directive 26-03 and the accompanying Hunt & Hardening Guidance for Cisco SD-WAN Devices. If prompt mitigations are not feasible, CISA advises discontinuing the use of the affected product entirely to protect networks.
For organizations struggling with rapid vulnerability response and continuous monitoring, leveraging advanced tools and services is essential. Secably's EASM API can provide automated alerts on newly discovered vulnerabilities impacting your exposed assets, helping to shorten the time between disclosure and remediation. Integrating such capabilities into a broader security program is vital for managing the dynamic threat landscape.