Full Report
CISA has given U.S. government agencies four days to secure their systems against another Catalyst SD-WAN Manager vulnerability it flagged as actively exploited in attacks. [...]
Analysis Summary
# Vulnerability: Cisco Catalyst SD-WAN Manager Information Disclosure
## CVE Details
- **CVE ID:** CVE-2026-20133
- **CVSS Score:** Not stated in the source text (unauthenticated information disclosure flaws of this kind are typically rated High).
- **CWE:** CWE-284 (Improper Access Control / Insufficient file system access restrictions)
## Affected Systems
- **Products:** Cisco Catalyst SD-WAN Manager (formerly vManage)
- **Versions:** Software releases prior to the fixed versions Cisco published in late February 2026.
- **Configurations:** Systems with the API exposed to unauthenticated users.
## Vulnerability Description
CVE-2026-20133 is an information disclosure vulnerability resulting from insufficient file system access restrictions. An unauthenticated remote attacker can exploit this flaw by sending specifically crafted requests to the API of an affected SD-WAN Manager instance.
Successful exploitation allows the attacker to bypass access controls and read sensitive files on the underlying operating system.
## Exploitation
- **Status:** Exploited in the wild (Confirmed by CISA; Cisco PSIRT status pending update).
- **Complexity:** Low (Targeting the API).
- **Attack Vector:** Network (Remote, unauthenticated).
## Impact
- **Confidentiality:** High (Access to sensitive OS files and system data).
- **Integrity:** None reported (Directly via this CVE, though disclosed info may facilitate further attacks).
- **Availability:** None reported.
## Remediation
### Patches
Cisco released security updates in late February 2026. Users should upgrade to:
- A Catalyst SD-WAN Manager release published after February 2026 that contains the fix for this CVE.
- Consult the Cisco Security Advisory (see References) for the fixed release and the migration path for each affected train.
### Workarounds
- There are no specific workarounds that eliminate the vulnerability other than patching.
- **Immediate Action:** Limit API access to trusted internal IP addresses and implement strict firewall rules/ACLs to prevent exposure to the public internet.
## Detection
- **Indicators of Compromise:** Review API access logs for unauthenticated requests, requests from untrusted source addresses, and requests that appear to target system-level endpoints or operating-system files.
- **Detection methods and tools:**
  - Utilize CISA's "Hunt & Hardening Guidance for Cisco SD-WAN Devices."
  - Refer to CISA's Emergency Directive 26-03 (see References) for scanning and assessment instructions.
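The following is an added example, not code from Cisco, CISA, or the source article, that shows the kind of log review the detection bullets describe: it reads access-log lines for the SD-WAN Manager API and flags requests from outside an allowlist of trusted networks, unauthenticated requests that nevertheless succeeded, and paths carrying generic directory-traversal markers. The combined-style log format, the `/dataservice/` API prefix, the `TRUSTED_NETWORKS` ranges, and every sample log line are assumptions constructed for the example; adjust them to the real appliance's log format and your own network plan.

```python
"""Flag anomalous SD-WAN Manager API requests in an access log.

Added example, not Cisco's or CISA's code. Assumptions: the log uses a
combined-style access-log format, the REST API lives under API_PREFIX,
and TRUSTED_NETWORKS lists the internal ranges allowed to reach it.
"""
import ipaddress
import re
from typing import Dict, List, Optional

API_PREFIX = "/dataservice/"  # assumed API path prefix; replace with the real one
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
# Generic traversal markers; a heuristic, not a signature for this specific CVE.
TRAVERSAL_MARKERS = ("../", "..%2f", "%2e%2e")

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Constructed sample lines for the example; not captured from a real appliance.
SAMPLE_LOG = """\
10.1.2.3 - admin [27/Feb/2026:10:00:01 +0000] "GET /dataservice/device HTTP/1.1" 200 512
203.0.113.7 - - [27/Feb/2026:10:00:05 +0000] "GET /dataservice/device HTTP/1.1" 401 0
203.0.113.7 - - [27/Feb/2026:10:00:06 +0000] "GET /dataservice/example?name=../../../etc/hostname HTTP/1.1" 200 1833
192.168.5.9 - - [27/Feb/2026:10:00:09 +0000] "GET /dataservice/example HTTP/1.1" 200 64
10.1.2.3 - admin [27/Feb/2026:10:00:12 +0000] "GET /ui/ HTTP/1.1" 200 2048
198.51.100.4 - - [27/Feb/2026:10:00:15 +0000] "POST /login HTTP/1.1" 302 0
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one access-log line into its fields, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_trusted(ip: str) -> bool:
    """True when the source address falls inside one of the allowlisted networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETWORKS)


def classify(entry: Dict[str, str]) -> List[str]:
    """Return the list of reasons an API request looks suspicious (empty if none)."""
    reasons: List[str] = []
    if not entry["path"].startswith(API_PREFIX):
        return reasons  # only API requests are in scope for this check
    if not is_trusted(entry["ip"]):
        reasons.append("untrusted_source")
    # "-" in the user field means no authenticated user; a 2xx there is notable.
    if entry["user"] == "-" and entry["status"].startswith("2"):
        reasons.append("unauthenticated_success")
    lowered = entry["path"].lower()
    if any(marker in lowered for marker in TRAVERSAL_MARKERS):
        reasons.append("path_traversal_marker")
    return reasons


def find_suspicious(log_text: str) -> List[Dict[str, object]]:
    """Scan a whole log and collect the flagged API requests with their reasons."""
    findings: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # skip lines that do not match the expected format
        reasons = classify(entry)
        if reasons:
            findings.append(
                {"ip": entry["ip"], "path": entry["path"],
                 "status": entry["status"], "reasons": reasons}
            )
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f"{f['ip']:>15} {f['status']} {f['path']}  <- {', '.join(f['reasons'])}")
```

Run against the constructed sample, the script reports three requests: the two from `203.0.113.7` (outside the allowlist, the second also unauthenticated-but-successful with a traversal marker) and the unauthenticated `200` from the trusted host `192.168.5.9`. Requests to non-API paths are ignored by design, matching the advisory's focus on restricting API exposure; widen `API_PREFIX` or the allowlist logic if your deployment treats other paths as sensitive.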
## References
- Cisco Security Advisory: hxxps[://]sec[.]cloudapps[.]cisco[.]com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-authbp-qwCX8D4v
- CISA KEV Catalog: hxxps[://]www[.]cisa[.]gov/known-exploited-vulnerabilities-catalog
- CISA Emergency Directive 26-03: hxxps[://]www[.]cisa[.]gov/news-events/directives/ed-26-03-mitigate-vulnerabilities-cisco-sd-wan-systems