Skip to content
Tech News
← Back to articles

CISA flags new SD-WAN flaw as actively exploited in attacks

2026-04-21 | original
read original get SD-WAN Security Toolkit → more articles
Why This Matters

The active exploitation of a critical SD-WAN vulnerability highlights the urgent need for organizations to prioritize network security updates. This incident underscores the increasing sophistication of cyber threats targeting network management tools, which can have widespread implications for both government and private sector networks. Ensuring timely patching and adherence to security directives is essential to mitigate potential breaches and protect sensitive data.

Key Takeaways

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has given government agencies four days to secure their systems against another Catalyst SD-WAN Manager vulnerability it flagged as actively exploited in attacks.

Catalyst SD-WAN Manager (formerly known as vManage) is a network management software that helps admins monitor and manage up to 6,000 Catalyst SD-WAN devices from a single dashboard.

Cisco patched this information disclosure vulnerability (CVE-2026-20133) in late February, saying that it allows unauthenticated remote attackers to access sensitive information on unpatched devices.

"This vulnerability is due to insufficient file system access restrictions. An attacker could exploit this vulnerability by accessing the API of an affected system," Cisco said at the time. "A successful exploit could allow the attacker to read sensitive information on the underlying operating system."

One week later, the company revealed that two other security flaws it had patched the same day (CVE-2026-20128 and CVE-2026-20122)were being exploited in the wild.

Federal agencies ordered to patch until Friday

On Monday, CISA added CVE-2026-20133 to its Known Exploited Vulnerabilities (KEV) Catalog, "based on evidence of active exploitation," and ordered Federal Civilian Executive Branch (FCEB) agencies to secure their networks until Friday, April 24.

"Please adhere to CISA's guidelines to assess exposure and mitigate risks associated with Cisco SD-WAN devices as outlined in CISA's Emergency Directive 26-03 and CISA's Hunt & Hardening Guidance for Cisco SD-WAN Devices," CISA said. "Adhere to the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available."

Cisco has yet to confirm the U.S. cybersecurity agency's report that the flaw is being exploited in attacks, with its security advisory still saying that its Product Security Incident Response Team (PSIRT) is "not aware of any public announcements or malicious use of the vulnerabilities that are described in CVE-2026-20133."

In February, Cisco also tagged a critical authentication bypass vulnerability (CVE-2026-20127) as exploited in zero-day attacks that were enabling threat actors to add malicious rogue peers to targeted networks since at least 2023.

... continue reading

Explore topics: cisa sd-wan cisco vmanage vulnerabilities
Related:
Adversaries hijacked AI security tools at 90+ organizations. The next wave has write access to the firewall
Actively exploited Apache ActiveMQ flaw impacts 6,400 servers
Serial-to-IP Devices Hide Thousands of Old and New Bugs
Serial-to-IP Devices Hide Thousands of Old & New Bugs
It’s not just one thing — it’s another thing

© 2026 GoKawiil

About | Editorial Policy | Contact