CISA flags new SD-WAN flaw as actively exploited in attacks

The US Cybersecurity and Infrastructure Security Agency (CISA) has given government agencies four days to secure their systems against a Catalyst SD-WAN Manager vulnerability that it has flagged as exploited in attacks.
Catalyst SD-WAN Manager (formerly vManage) is network management software that helps administrators monitor and manage up to 6,000 Catalyst SD-WAN devices from a single dashboard.
Cisco disclosed this information disclosure vulnerability (CVE-2026-20133) in late February, saying it allows unauthorized remote attackers to access sensitive information on unpatched devices.
“This vulnerability is due to inadequate file system access restrictions. An attacker could exploit this vulnerability by accessing the affected system’s API,” Cisco said at the time. “A successful exploit could allow an attacker to read sensitive information from the underlying operating system.”
One week later, the company revealed that two other security flaws it had documented on the same day (CVE-2026-20128 and CVE-2026-20122) were being exploited in the wild.
Federal agencies ordered to patch by Friday
On Monday, CISA added CVE-2026-20133 to its Known Exploited Vulnerabilities (KEV) catalog, “based on evidence of active exploitation,” and ordered Federal Civilian Executive Branch (FCEB) agencies to secure their networks by Friday, April 24.
“Please adhere to CISA’s guidelines to assess exposure and mitigate risks associated with Cisco SD-WAN devices as outlined in CISA’s Emergency Directive 26-03 and CISA’s Hunt & Hardening Guidance for Cisco SD-WAN Devices,” CISA said. “Adhere to the BOD 22-01 practical guide for cloud services or stop using the product if mitigation is not available.”
Cisco has yet to confirm the US cybersecurity agency’s report that the flaw is being exploited in attacks, and its security advisory says that its Product Security Incident Response Team (PSIRT) is “not aware of any public announcements or exploits of the vulnerability described in CVE-2026-20133.”
In February, Cisco also marked a critical validation bypass vulnerability (CVE-2026-20127) as exploited in zero-day attacks that allowed threat actors to add malicious peers to targeted networks since at least 2023.
Most recently, in early March, the company released security updates to address two major vulnerabilities in its Secure Firewall Management Center (FMC) software that could allow attackers to gain root access to the underlying operating system and execute unauthorized Java code with root privileges.
Over the past few years, CISA has flagged 91 Cisco vulnerabilities as exploited in the wild, six of which have been used in various ransomware operations.




