The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has given government agencies four days to secure their systems against another Catalyst SD-WAN Manager vulnerability it flagged as actively exploited in attacks.
Catalyst SD-WAN Manager (formerly known as vManage) is a network management software that helps admins monitor and manage up to 6,000 Catalyst SD-WAN devices from a single dashboard.
Cisco patched this information disclosure vulnerability (CVE-2026-20133) in late February, saying that it allows unauthenticated remote attackers to access sensitive information on unpatched devices.
“This vulnerability is due to insufficient file system access restrictions. An attacker could exploit this vulnerability by accessing the API of an affected system,” Cisco said at the time. “A successful exploit could allow the attacker to read sensitive information on the underlying operating system.”
One week later, the company revealed that two other security flaws it had patched the same day (CVE-2026-20128 and CVE-2026-20122)were being exploited in the wild.
Federal agencies ordered to patch until Friday
On Monday, CISA added CVE-2026-20133 to its Known Exploited Vulnerabilities (KEV) Catalog, “based on evidence of active exploitation,” and ordered Federal Civilian Executive Branch (FCEB) agencies to secure their networks until Friday, April 24.
“Please adhere to CISA’s guidelines to assess exposure and mitigate risks associated with Cisco SD-WAN devices as outlined in CISA’s Emergency Directive 26-03 and CISA’s Hunt & Hardening Guidance for Cisco SD-WAN Devices,” CISA said. “Adhere to the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available.”
Cisco has yet to confirm the U.S. cybersecurity agency’s report that the flaw is being exploited in attacks, with its security advisory still saying that its Product Security Incident Response Team (PSIRT) is “not aware of any public announcements or malicious use of the vulnerabilities that are described in CVE-2026-20133.”
In February, Cisco also tagged a critical authentication bypass vulnerability (CVE-2026-20127) as exploited in zero-day attacks that were enabling threat actors to add malicious rogue peers to targeted networks since at least 2023.
More recently, in early March, the company released security updates to address two maximum-severity vulnerabilities in its Secure Firewall Management Center (FMC) software that can allow attackers to gain root access to the underlying operating system and execute arbitrary Java code with root privileges.
Over the last several years, CISA has tagged 91 Cisco vulnerabilities as exploited in the wild, six of which have been used by various ransomware operations.
AI chained four zero-days into one exploit that bypassed both renderer and OS sandboxes. A wave of new exploits is coming.
At the Autonomous Validation Summit (May 12 & 14), see how autonomous, context-rich validation finds what’s exploitable, proves controls hold, and closes the remediation loop.
