
CISA Flags Actively Exploited Cisco SD-WAN Vulnerabilities (CVE-2026-20133, CVE-2026-20122, CVE-2026-20128)


Filip Dimitrov

April 22, 2026

CISA has added multiple Cisco Catalyst SD-WAN vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, indicating active exploitation in the wild. These flaws affect SD-WAN Manager (vManage) and highlight continued attacker focus on network control infrastructure.

The inclusion of these vulnerabilities follows earlier confirmed exploitation of Cisco SD-WAN components, reinforcing a broader trend: attackers are targeting centralized management systems to gain deep, persistent access into enterprise networks.

Threat Overview

CVE-2026-20133: Cisco SD-WAN Manager Information Disclosure
This vulnerability allows unauthenticated attackers to access sensitive system information via exposed APIs. While it does not directly provide code execution, it can be leveraged for reconnaissance and chaining with other vulnerabilities.

CVE-2026-20128: Cisco SD-WAN DCA Credential Exposure
This flaw enables attackers to retrieve credential files from the Data Collection Agent (DCA), potentially granting elevated access within the SD-WAN environment.

CVE-2026-20122: Cisco SD-WAN Manager Arbitrary File Overwrite
This vulnerability allows authenticated attackers to upload malicious files and overwrite system files, leading to privilege escalation and deeper system compromise.

These vulnerabilities follow earlier exploitation of CVE-2026-20127, an authentication bypass flaw that allowed attackers to gain administrative access to SD-WAN controllers.

Impact Assessment

The impact of these vulnerabilities is critical due to the role of SD-WAN in enterprise infrastructure.

Successful exploitation can result in:

  • Full compromise of the SD-WAN management plane
  • Exposure of network topology, credentials, and configuration data
  • Ability to manipulate traffic routing and segmentation
  • Establishment of persistent, long-term access across network infrastructure

Environments with internet-exposed SD-WAN management interfaces face the highest risk.

Recommended Actions

Organizations should take immediate steps to reduce exposure:

Patch immediately

  • Apply all relevant Cisco security updates for SD-WAN Manager and Controller components
  • Prioritize internet-facing systems

Restrict management access

  • Ensure SD-WAN management interfaces are not exposed to the public internet
  • Implement VPN, IP allowlisting, or Zero Trust access controls

Hunt for signs of compromise

Review for:

  • Unknown or unauthorized SD-WAN peer connections
  • Suspicious account creation or privilege escalation
  • Unauthorized SSH keys or root-level access
  • Signs of log tampering or unusual system activity

Strengthen monitoring and visibility

  • Ensure centralized logging and monitoring of SD-WAN infrastructure
  • Track authentication activity, configuration changes, and system-level access
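The following script is an added example of the "hunt" and "monitoring" steps above run over management-plane audit events; it is not code from OP Innovate or Cisco. The audit line format (sequence number, timestamp, actor, action, key=value detail), the sample events, the baseline sets of known accounts, SSH key fingerprints and controller peers, and the IP addresses are all constructed for this example and do not reflect any real vManage log format. It flags each indicator the list names: new accounts, role changes into privileged roles, unknown SSH keys, unknown peer connections, and two log-tampering heuristics (a sequence-number gap and a timestamp that moves backwards).

```python
"""Hunt over centralized SD-WAN management-plane audit events.

The log format, account names, key fingerprints and peer addresses below are
constructed for this example (assumption); they are not Cisco's real formats.
"""
from dataclasses import dataclass
from datetime import datetime

# Constructed sample audit lines: "<seq> <ISO timestamp> <actor> <action> <key=value ...>"
SAMPLE_LOG = """\
101 2026-04-20T08:00:01Z admin LOGIN src=10.10.5.4
102 2026-04-20T08:02:10Z admin CONFIG_CHANGE template=branch-wan
103 2026-04-20T08:05:44Z admin USER_CREATE user=svc_backup role=netadmin
104 2026-04-20T08:06:02Z svc_backup ROLE_CHANGE user=svc_backup role=admin
105 2026-04-20T08:07:30Z svc_backup SSH_KEY_ADD fingerprint=SHA256:constructed-unknown-key
107 2026-04-20T08:09:00Z admin LOGIN src=10.10.5.4
108 2026-04-20T07:58:00Z admin LOGOUT src=10.10.5.4
109 2026-04-20T08:11:00Z system PEER_CONNECT peer=203.0.113.77 type=vsmart
"""

# Baselines an operator would maintain from the approved inventory (assumed values).
KNOWN_ACCOUNTS = {"admin", "system", "netops"}
KNOWN_SSH_KEYS = {"SHA256:constructed-approved-key"}
KNOWN_PEERS = {"10.10.5.10", "10.10.5.11"}
PRIVILEGED_ROLES = {"admin", "netadmin"}


@dataclass
class Finding:
    seq: int
    category: str
    detail: str


def parse_line(line):
    """Split one audit line into (seq, timestamp, actor, action, {key: value})."""
    seq, ts, actor, action, detail = line.split(" ", 4)
    kv = dict(part.split("=", 1) for part in detail.split())
    return int(seq), datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), actor, action, kv


def hunt(log_text, known_accounts=KNOWN_ACCOUNTS, known_keys=KNOWN_SSH_KEYS,
         known_peers=KNOWN_PEERS):
    """Return a list of Findings, one per indicator matched, in log order."""
    findings = []
    accounts = set(known_accounts)  # grows as USER_CREATE events are seen
    prev_seq = prev_ts = None
    for line in log_text.splitlines():
        if not line.strip():
            continue
        seq, ts, actor, action, kv = parse_line(line)

        # Log-tampering heuristics: missing sequence numbers or a clock moving backwards
        if prev_seq is not None and seq != prev_seq + 1:
            findings.append(Finding(seq, "log_gap", f"expected seq {prev_seq + 1}, got {seq}"))
        if prev_ts is not None and ts < prev_ts:
            findings.append(Finding(seq, "timestamp_regression",
                                    f"{ts.isoformat()} is earlier than the previous event"))
        prev_seq, prev_ts = seq, ts

        # Account creation and privilege escalation
        if action == "USER_CREATE":
            accounts.add(kv["user"])
            findings.append(Finding(seq, "account_created",
                                    f"{kv['user']} created by {actor} with role={kv.get('role')}"))
        elif action == "ROLE_CHANGE" and kv.get("role") in PRIVILEGED_ROLES:
            findings.append(Finding(seq, "privilege_escalation",
                                    f"{kv.get('user')} moved to role={kv['role']} by {actor}"))
        # SSH keys not in the approved set
        elif action == "SSH_KEY_ADD" and kv.get("fingerprint") not in known_keys:
            findings.append(Finding(seq, "unknown_ssh_key",
                                    f"{kv.get('fingerprint')} added by {actor}"))
        # Controller peers not in the approved inventory
        elif action == "PEER_CONNECT" and kv.get("peer") not in known_peers:
            findings.append(Finding(seq, "unknown_peer",
                                    f"{kv.get('peer')} ({kv.get('type')}) connected"))

        # Any actor that is neither baselined nor created earlier in this log
        if actor not in accounts:
            findings.append(Finding(seq, "unknown_actor", f"{actor} performed {action}"))
    return findings


def summarize(findings):
    """Count findings per category, the shape a dashboard or alert rule would consume."""
    counts = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"seq={f.seq:<4} {f.category:<22} {f.detail}")
    print(summarize(hunt(SAMPLE_LOG)))
```

On the constructed sample the script raises six findings: the service account creation, its immediate promotion to admin, an unapproved SSH key, a gap between sequence 105 and 107, a timestamp that runs backwards, and a controller peer outside the inventory. The design point is that the baselines live outside the log: a hunt that only looks for "unusual" events without an approved inventory of accounts, keys and peers cannot tell a rogue peer from a new branch, so keep those sets under change control alongside the SD-WAN configuration itself.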

Stay Safe. Stay Secure.

OP Innovate Research Team
