CISA Warns of Cisco Catalyst SD-WAN Manager Vulnerabilities Exploited in Attacks

CISA has issued an urgent cybersecurity warning after confirming active exploitation of critical vulnerabilities in Cisco Catalyst SD-WAN Manager, a widely used platform for managing enterprise network infrastructure.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added three high-impact flaws to its Known Exploited Vulnerabilities (KEV) catalog, signaling that attackers are already abusing these issues in real-world attacks.

The agency has mandated immediate remediation, with federal agencies and organizations required to act by April 23, 2026.

Cisco Catalyst SD-WAN Manager (formerly vManage) plays a central role in controlling network traffic routing, configuration, and policy enforcement across distributed enterprise environments.

Because of its elevated privileges, a compromise can grant attackers deep access into corporate networks, making these vulnerabilities particularly dangerous.

Actively Exploited Vulnerabilities

CISA identified three distinct vulnerabilities affecting the platform:

• CVE-2026-20133: An information disclosure flaw that allows remote attackers to access sensitive network data without authorization.
• CVE-2026-20122: A vulnerability caused by improper file handling in privileged APIs, enabling attackers to overwrite system files and gain vManage-level privileges.
• CVE-2026-20128: A credential security issue where passwords are stored in a recoverable format, allowing local attackers with low privileges to extract credentials and escalate to DCA user access.

Individually, each flaw presents a serious risk. Combined, they create a powerful attack chain.

An attacker could begin by exploiting CVE-2026-20133 to gather intelligence, then leverage CVE-2026-20122 to manipulate system files, and finally use CVE-2026-20128 to escalate privileges and gain full administrative control.

Security experts warn that successful exploitation of these vulnerabilities could allow threat actors to reconfigure network routes, intercept traffic, or deploy malicious payloads across enterprise environments.

In effect, control over SD-WAN Manager could translate into control over the entire network fabric.

Although CISA has not confirmed whether ransomware groups are actively leveraging these flaws, the inclusion in the KEV catalog indicates a high likelihood of ongoing targeted attacks.

CISA has directed organizations to immediately follow Emergency Directive 26-03 to assess exposure and apply patches.

Security teams should also review Cisco’s official Hunt and Hardening Guidance to detect signs of compromise and secure deployments.

For cloud-hosted environments, compliance with Binding Operational Directive (BOD) 22-01 is required. This includes asset visibility, vulnerability management, and continuous monitoring.

CISA emphasized that organizations unable to apply fixes within the deadline should discontinue use of the affected product until mitigation steps are completed.

The extremely short remediation window highlights the severity of the threat. With active exploitation already underway, network defenders must prioritize patching, credential security, and system monitoring to prevent potential breaches.

Failure to act quickly could leave organizations exposed to full network compromise through a single management platform.

Follow us on Google News , LinkedIn and X to Get More Instant Updates. Set Cyberpress as a Preferred Source in Google

The post CISA Warns of Cisco Catalyst SD-WAN Manager Vulnerabilities Exploited in Attacks appeared first on Cyber Security News.