A flaw in Cisco Catalyst SD-WAN Manager allows attackers to read sensitive information from the underlying operating system, and CISA has added it to the Known Exploited Vulnerabilities catalog under Emergency Directive 26-03.
What Is It
CVE-2026-20133 is an information-disclosure vulnerability (CWE-200) in Cisco Catalyst SD-WAN Manager caused by insufficient file system restrictions. NVD's analysis describes two exposure paths: an unauthenticated remote attacker who can view sensitive information on an affected system, and an authenticated attacker with netadmin privileges who can reach the vshell of the appliance and read sensitive data from the underlying OS. NVD scores it 7.5 (HIGH) with no privileges required; Cisco's own PSIRT score is 6.5 (MEDIUM) and assumes low privileges. Either way, confidentiality impact is HIGH; integrity and availability are unaffected.
Why It Matters
SD-WAN Manager sits at the control plane of an enterprise's wide-area network; credentials, keys, and config material extracted from it can pivot into the rest of the SD-WAN fabric. CISA added the CVE to KEV on 2026-04-20 with a same-week due date of 2026-04-23, and issued Emergency Directive 26-03 plus supplemental hunt and hardening guidance specifically for Cisco SD-WAN systems. Known ransomware use is listed as "Unknown," but the ED-level treatment signals active exploitation concern serious enough to compress remediation timelines to days, not weeks.
What's Vulnerable
Cisco Catalyst SD-WAN Manager, across multiple release trains. Per NVD CPE data, the following versions are affected:
- All versions prior to 20.9.8.2
- 20.10 up to, but not including, 20.12.5.3
- 20.13 up to, but not including, 20.15.4.2
- 20.16 up to, but not including, 20.18.2.1
- 20.12.6 (specifically called out)
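To triage an inventory against the list above, the following added example (not code from Cisco, NVD or CISA) classifies SD-WAN Manager version strings. It assumes each range is a half-open interval ending at the first fixed release; the function names and the sample inventory are constructed for illustration.

```python
import re

# Affected ranges as listed on this page (NVD CPE data), read as half-open
# intervals [start, fixed). Assumption: None means "no lower bound".
AFFECTED_RANGES = [
    (None, "20.9.8.2"),
    ("20.10", "20.12.5.3"),
    ("20.13", "20.15.4.2"),
    ("20.16", "20.18.2.1"),
]
# Listed individually on the page; it sits above the 20.12.5.3 boundary,
# so the range check alone would miss it.
AFFECTED_EXACT = ["20.12.6"]

def parse_version(text):
    """'20.12.5.3' -> (20, 12, 5, 3); trailing zeros dropped so 20.10 == 20.10.0."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in text.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def classify(version):
    """Return (status, detail); status is 'affected' or 'not-listed'."""
    v = parse_version(version)
    if v in {parse_version(e) for e in AFFECTED_EXACT}:
        return "affected", "listed individually"
    for start, fixed in AFFECTED_RANGES:
        if (start is None or parse_version(start) <= v) and v < parse_version(fixed):
            return "affected", f"below boundary {fixed}"
    # Not proof of safety: only means the version is outside the listed ranges.
    return "not-listed", "confirm against the vendor advisory"

def triage(inventory):
    """Map host -> classification; unparseable versions are flagged, not skipped."""
    report = {}
    for host, version in inventory.items():
        try:
            report[host] = classify(version)
        except ValueError as exc:
            report[host] = ("unknown", str(exc))
    return report

# Constructed sample inventory (hostnames and versions are illustrative).
SAMPLE = {"mgr-a": "20.9.8.1", "mgr-b": "20.12.6", "mgr-c": "20.18.2.1", "mgr-d": "20.12.x"}
```

A "not-listed" result only says the version falls outside the ranges quoted here; the Cisco advisory remains the authority on fixed releases.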
Patch Status
Cisco has published advisory cisco-sa-sdwan-authbp-qwCX8D4v with fixed releases corresponding to the version boundaries above. CISA's required action: follow Emergency Directive 26-03 and the supplemental Hunt & Hardening Guidance to assess exposure and mitigate; for cloud services apply BOD 22-01; if mitigations are unavailable, discontinue use of the product.