Critical Cisco SD-WAN Manager Vulnerabilities Exploited in Active Attacks
The Cybersecurity and Infrastructure Security Agency (CISA) has recently added three critical vulnerabilities in Cisco Catalyst SD-WAN Manager to its Known Exploited Vulnerabilities (KEV) catalog. This action underscores the immediate threat these flaws pose to enterprise networks and the necessity for swift remediation.
Overview of the Vulnerabilities
Cisco Catalyst SD-WAN Manager is a pivotal platform for managing enterprise Software-Defined Wide Area Network (SD-WAN) infrastructures. The identified vulnerabilities are:
1. CVE-2026-20133 (Sensitive Information Exposure): This flaw allows remote, unauthenticated attackers to access sensitive information on affected systems without requiring login credentials.
2. CVE-2026-20122 (Incorrect Use of Privileged APIs): Due to improper file handling on the API interface, attackers can upload malicious files to the local file system, gaining ‘vmanage’ user privileges and extensive control over the SD-WAN environment.
3. CVE-2026-20128 (Passwords Stored in Recoverable Format): An authenticated local attacker can exploit this vulnerability by accessing credential files stored in a recoverable format, leading to privilege escalation to the DCA user level, even from a low-privileged account.
Implications of Exploitation
SD-WAN managers are central to enterprise network infrastructures, overseeing routing, policies, and device configurations across many locations. Compromising this platform can give attackers extensive lateral movement capability, allowing them to traverse the entire network. Whether ransomware actors are involved in these exploits is currently unknown, but historically, compromises of SD-WAN management platforms have often preceded large-scale network intrusions.
CISA’s Response and Recommendations
In response to these vulnerabilities, CISA has issued Emergency Directive 26-03, accompanied by dedicated Hunt & Hardening Guidance for Cisco SD-WAN Devices. This directive emphasizes the severity of the threat and provides specific steps for exposure assessment and mitigation.
Recommended Actions:
– Immediate Patching: Apply all available patches and security updates from Cisco without delay.
– Exposure Assessment: Review CISA’s Emergency Directive 26-03 for detailed steps to assess exposure.
– Detection and Hardening: Follow CISA’s Hunt & Hardening Guidance to detect signs of compromise and strengthen defenses.
– Access Restriction: Limit API access and audit local file system permissions on affected systems.
– Monitoring: Watch for unusual privilege escalation or unauthorized file uploads on the management platform.
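To make the "Access Restriction" and "Monitoring" recommendations above concrete, the following is an added example (not code from CISA, Cisco, or the original article) of a small log triage routine that flags three of the patterns the advisory describes: successful file uploads to the management API from unauthenticated or non-allowlisted sources, unauthenticated reads of sensitive paths, and privileged account changes by an unexpected user. The log format, the API paths, the management allowlist and the sample log lines are all constructed for this example and are not Cisco SD-WAN Manager's real endpoints or log layout; a practitioner would map the rules onto the actual audit and HTTP access logs of their deployment.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed (not Cisco's) one-line-per-request format:
#   <client_ip> <user or -> <method> <path> <status> <content_type>
# The sample lines below are constructed for this example.
SAMPLE_LOG = """\
10.0.5.21 admin POST /api/files/upload 200 multipart/form-data
203.0.113.44 - POST /api/files/upload 200 multipart/form-data
203.0.113.44 - GET /api/config/credentials 200 application/json
10.0.5.21 netops GET /api/devices 200 application/json
10.0.5.30 vmanage PUT /api/admin/users 200 application/json
"""

# Assumed management allowlist: only these networks should reach the API.
MGMT_NETWORKS = [ip_network("10.0.5.0/24")]
# Hypothetical paths standing in for the real upload, credential and user-admin endpoints.
UPLOAD_PATHS = {"/api/files/upload"}
SENSITIVE_PATHS = {"/api/config/credentials"}
PRIV_PATHS = {"/api/admin/users"}
# Assumed set of accounts expected to perform administrative writes.
EXPECTED_ADMINS = {"admin"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")


@dataclass
class Finding:
    line_no: int
    rule: str
    client_ip: str
    detail: str


def parse_line(line):
    """Parse one assumed-format log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ip, user, method, path, status, ctype = m.groups()
    return {
        "ip": ip,
        "user": None if user == "-" else user,
        "method": method,
        "path": path,
        "status": int(status),
        "ctype": ctype,
    }


def in_allowlist(ip):
    """True if the client address falls inside one of the management networks."""
    addr = ip_address(ip)
    return any(addr in net for net in MGMT_NETWORKS)


def triage(log_text):
    """Run the three detection rules over a log and return the findings in line order."""
    findings = []
    for n, raw in enumerate(log_text.splitlines(), 1):
        rec = parse_line(raw)
        if rec is None:
            continue
        ok = 200 <= rec["status"] < 300
        is_write = rec["method"] in ("POST", "PUT", "DELETE")

        # Rule 1: successful upload without a session or from outside the allowlist.
        if ok and is_write and rec["path"] in UPLOAD_PATHS:
            if rec["user"] is None or not in_allowlist(rec["ip"]):
                findings.append(Finding(n, "unauthorized_upload", rec["ip"],
                                        f"{rec['method']} {rec['path']} user={rec['user']}"))

        # Rule 2: a sensitive path served to a request with no authenticated user.
        if ok and rec["user"] is None and rec["path"] in SENSITIVE_PATHS:
            findings.append(Finding(n, "unauthenticated_sensitive_read", rec["ip"],
                                    f"{rec['method']} {rec['path']}"))

        # Rule 3: account/privilege changes by a user outside the expected admin set.
        if ok and is_write and rec["path"] in PRIV_PATHS and rec["user"] not in EXPECTED_ADMINS:
            findings.append(Finding(n, "privileged_write", rec["ip"],
                                    f"{rec['method']} {rec['path']} user={rec['user']}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.rule} from {f.client_ip} ({f.detail})")
```

Run against the constructed sample, the routine reports three findings (lines 2, 3 and 5) and stays silent on the admin upload from the management network and the ordinary device read. The allowlist check is what turns the "limit API access" recommendation into something observable: once API reachability is restricted at the network layer, any successful request from outside that range in the logs is itself an indicator worth investigating.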
With the remediation deadline set for April 23, 2026, Federal Civilian Executive Branch (FCEB) agencies must act promptly. Private sector organizations managing Cisco SD-WAN deployments should also treat this advisory with equal urgency, as active exploitation in the wild makes these vulnerabilities an immediate risk to network integrity.