What is Cisco Catalyst SD-WAN Manager?
Cisco Catalyst SD-WAN Manager (formerly known as vManage) is the centralized network management and orchestration platform for Cisco's Software-Defined WAN (SD-WAN) solution. It provides a single dashboard for configuring, monitoring, and managing SD-WAN routers and edge devices across an organization's WAN.
CVE-2026-20133 is one of three Cisco SD-WAN Manager vulnerabilities added to CISA's KEV catalog on April 20, 2026 (alongside CVE-2026-20122 and CVE-2026-20128). All three are part of the same Cisco security advisory and have been identified as components of an active chained attack campaign against SD-WAN infrastructure — with CVE-2026-20133 serving as the initial reconnaissance step that requires no credentials at all.
Overview
CVE-2026-20133 is an unauthenticated information disclosure vulnerability in the API of Cisco Catalyst SD-WAN Manager. Due to insufficient file system access restrictions in the API layer, a remote attacker with no credentials can query the API to read sensitive information from the underlying operating system — including configuration files, credential files, and other sensitive data on the SD-WAN Manager filesystem.
While individually rated MEDIUM (CVSS 6.5), CVE-2026-20133 is the entry point for a no-credential-to-full-vManage-admin attack chain that makes the three Cisco SD-WAN CVEs collectively critical.
Affected Versions
| Status | Cisco Catalyst SD-WAN Manager Version | Fixed In |
|---|---|---|
| Vulnerable | 20.9.x prior to 20.9.8.2 | 20.9.8.2 |
| Vulnerable | 20.10–20.12.x prior to 20.12.5.3 | 20.12.5.3 or 20.12.6.1 |
| Vulnerable | 20.13–20.15.x prior to 20.15.4.2 | 20.15.4.2 |
| Vulnerable | 20.16–20.18.x prior to 20.18.2.1 | 20.18.2.1 |
There are no workarounds — upgrade is the only remediation.
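The table above can be turned into an inventory check. The following Python is an added example, not code from Cisco or from the original page; the hostnames and sample versions are constructed, and it assumes each of the two 20.12 fixed builds covers only its own maintenance branch and that builds newer than every listed fix carry the fix forward.

```python
import re

# Release trains and fixed builds, transcribed from the Affected Versions table:
# (lowest minor, highest minor, fixed builds for that train).
TRAINS = [
    (9, 9, [(20, 9, 8, 2)]),
    (10, 12, [(20, 12, 5, 3), (20, 12, 6, 1)]),
    (13, 15, [(20, 15, 4, 2)]),
    (16, 18, [(20, 18, 2, 1)]),
]

def parse_version(text):
    """Turn '20.12.5.3' into (20, 12, 5, 3); missing trailing fields count as 0."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){1,3}", text):
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def assess(version_text):
    """Return (status, fixed_builds); status is vulnerable, fixed or not-listed."""
    v = parse_version(version_text)
    for low, high, fixed in TRAINS:
        if v[0] != 20 or not low <= v[1] <= high:
            continue
        targets = [".".join(map(str, f)) for f in fixed]
        # Assumption: a fixed build covers its own maintenance branch only, so
        # 20.12.6.0 is judged against 20.12.6.1, not against 20.12.5.3.
        same_branch = [f for f in fixed if f[:3] == v[:3]]
        if same_branch:
            return ("fixed" if v >= same_branch[0] else "vulnerable", targets)
        # Assumption: builds newer than every listed fix carry the fix forward.
        return ("vulnerable" if v < min(fixed) else "fixed", targets)
    return ("not-listed", [])

# Constructed inventory (hypothetical hostnames and versions).
INVENTORY = {"mgr-dc1": "20.9.8.1", "mgr-dc2": "20.12.6",
             "mgr-lab": "20.15.4.2", "mgr-old": "20.6.3"}

def triage(inventory):
    """Map each host to its assessment, for a patch-priority report."""
    return {host: assess(ver) for host, ver in inventory.items()}

if __name__ == "__main__":
    for host, (status, targets) in triage(INVENTORY).items():
        print(f"{host:8} {status:11} {' or '.join(targets)}")
```

A `not-listed` result means only that the table does not cover that release; check the vendor advisory before treating such a system as unaffected.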
Technical Details
The vulnerability exists because certain API endpoints in Cisco Catalyst SD-WAN Manager fail to enforce adequate file system access restrictions. These endpoints, intended for internal or authenticated use, can be accessed by unauthenticated remote attackers through the API interface.
A successful exploit allows the attacker to read sensitive information from the underlying operating system — which can include:
- Credential files stored on the filesystem (including the DCA credential file targeted by CVE-2026-20128)
- Configuration files containing sensitive parameters
- System and service account information useful for lateral movement
Attack characteristics:
- Authentication required: No (unauthenticated access via API)
- Attack complexity: Low
- Network-accessible: Yes
- User interaction: None
The Three-CVE Attack Chain
CVE-2026-20133 is the first step in a zero-credential-to-full-admin attack chain described by security researchers:
1. CVE-2026-20133 (this CVE) — Unauthenticated attacker queries the API to read sensitive OS-level files, obtaining the location and contents of the DCA credential file
2. CVE-2026-20128 — Attacker reads the DCA credential file (exposed by step 1) to obtain the DCA user password stored in recoverable format
3. CVE-2026-20122 — Attacker uses DCA credentials to upload a malicious file via the API, overwriting arbitrary files and escalating to full vManage administrator
The combined chain requires zero initial credentials and results in complete control of the SD-WAN management plane — with authority over routing, configuration, and all managed SD-WAN edge devices.
As SC Magazine noted: "CVSS scores individual bugs. It doesn't score chains. CISA gave agencies four days to patch the three SD-WAN CVEs... That gap is CISA telling you exactly how they're reading the threat."
Exploitation Context
CISA added CVE-2026-20133 to the KEV catalog on April 20, 2026, based on its own evidence of active exploitation — independent of Cisco's PSIRT, which had not yet confirmed exploitation of this specific CVE. This is noteworthy: CISA has access to threat intelligence from FCEB agency sensors and other sources that may identify exploitation before vendors formally confirm it.
VulnCheck's research team had assessed in early March 2026 that CVE-2026-20133 "is a higher risk than defenders may realize, and is likely to be exploited — if exploitation isn't already ongoing under the radar." CISA's subsequent KEV listing confirmed that assessment.
The broader SD-WAN attack campaign began with exploitation of the related CVE-2026-20127 (CVSS 10.0 — full authentication bypass), which triggered CISA Emergency Directive ED 26-03 on February 25, 2026. CVE-2026-20133 and its companion CVEs represent the next phase of this sustained campaign against enterprise SD-WAN infrastructure.
All three CVEs were discovered by Arthur Vidineyev of Cisco's Advanced Security Initiatives Group (ASIG) during internal security testing.
Remediation
- Upgrade Cisco Catalyst SD-WAN Manager to the fixed version for your release train: 20.9.8.2, 20.12.5.3 (or 20.12.6.1), 20.15.4.2, or 20.18.2.1.
- Follow CISA Emergency Directive ED 26-03 in full — ED 26-03 and the Supplemental Hunt & Hardening Guidance specify required threat hunting procedures.
- Restrict API access — ensure the SD-WAN Manager API is not exposed to untrusted networks. Enforce strict network-level access controls (firewall ACLs) limiting access to authorized administrator IP addresses only.
- Review API access logs for unauthenticated requests that enumerate filesystem paths or read sensitive configuration files — indicators of CVE-2026-20133 exploitation.
- Treat all SD-WAN Manager credentials as potentially compromised — rotate administrator passwords, DCA credentials, and any secrets accessible via the management system.
- Patch all three related CVEs together (CVE-2026-20122, CVE-2026-20128, CVE-2026-20133) — they share the same fixed release versions and are being exploited as a chain.
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2026-20133 |
| Vendor / Product | Cisco — Catalyst SD-WAN Manager |
| NVD Published | 2026-02-25 |
| NVD Last Modified | 2026-04-22 |
| CVSS 3.1 Score | 6.5 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| Severity | MEDIUM |
| CWE | CWE-200 — Exposure of Sensitive Information to an Unauthorized Actor |
| CISA KEV Added | 2026-04-20 |
| CISA KEV Deadline | 2026-04-23 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2026-02-25 | Cisco discloses CVE-2026-20133 alongside CVE-2026-20122 and CVE-2026-20128 in security advisory cisco-sa-sdwan-authbp-qwCX8D4v; CISA issues Emergency Directive ED 26-03 |
| 2026-03-01 | VulnCheck research team assesses CVE-2026-20133 as higher risk than its CVSS score suggests, likely to be exploited or already exploited under the radar |
| 2026-03-18 | Cisco advisory updated (v1.2); Cisco PSIRT not yet aware of public exploitation of CVE-2026-20133 specifically |
| 2026-04-20 | Added to CISA Known Exploited Vulnerabilities catalog based on evidence of active exploitation; Cisco has not independently confirmed |
| 2026-04-23 | CISA BOD 22-01 remediation deadline (3-day window) |
References
| Resource | Type |
|---|---|
| NVD — CVE-2026-20133 | Vulnerability Database |
| Cisco Security Advisory — cisco-sa-sdwan-authbp-qwCX8D4v | Vendor Advisory / Patch |
| CISA Emergency Directive ED 26-03 — Mitigate Vulnerabilities in Cisco SD-WAN Systems | US Government |
| CISA Supplemental Direction ED 26-03 — Hunt & Hardening Guidance | US Government |
| BleepingComputer — CISA Flags New SD-WAN Flaw as Actively Exploited | Press/Media Coverage |
| Help Net Security — CISA Flags CVE-2026-20133 as Exploited | Press/Media Coverage |
| SC Magazine — Cisco Catalyst SD-WAN Vulnerabilities and Attack Chaining | Press/Media Coverage |
| CISA KEV Catalog Entry | US Government |
| CISA BOD 22-01 | Remediation Directive |
| CWE-200 — Exposure of Sensitive Information to an Unauthorized Actor | Weakness Classification |