
Another Cisco Catalyst SD-WAN Manager bug added to CISA list


The Cybersecurity and Infrastructure Security Agency (CISA) on April 20 added yet another Cisco Catalyst SD-WAN Manager bug to its Known Exploited Vulnerabilities (KEV) list.

CISA gave federal agencies four days to fix the exploited flaw.

For its part, Cisco patched the vulnerability — CVE-2026-20133 — but has yet to confirm active exploitation.

Denis Calderone, Principal/CTO at Suzu Labs, explained that CISA has threat intelligence sources that don't always align with what Cisco publicly acknowledges, and clearly CISA has seen something Cisco hasn't formally disclosed yet.

Calderone also said that attackers are most certainly chaining together a series of recent flaws around Cisco’s Catalyst SD-WAN products.

Looking at the timeline: Calderone said CVE-2026-20127 was the CVSS 10.0 front door, a full authentication bypass that triggered CISA Emergency Directive 26-03 back in February. Then in March came CVE-2026-20128, which lets an unauthenticated attacker pull DCA user credentials off the filesystem, and CVE-2026-20122, which lets a low-privilege attacker overwrite arbitrary files and escalate to full vManage administrator. Both were confirmed exploited. Now CVE-2026-20133 joins that group: unauthenticated API access to sensitive OS-level files.

Calderone said the chain could look something like this: start with CVE-2026-20133 to enumerate sensitive files through the API, use CVE-2026-20128 to harvest DCA credentials, then use those credentials with CVE-2026-20122 to overwrite files and escalate to vManage admin, and just like that the attackers control the management plane for potentially thousands of SD-WAN devices.

“CVSS scores individual bugs,” said Calderone. “It doesn't score chains. CISA gave agencies four days to patch the three SD-WAN CVEs and four weeks for [everything else in that same batch of eight CVEs added to the KEV list yesterday]. That gap is CISA telling you exactly how they're reading the threat.”

Sunil Gottumukkala, chief executive officer at Averlon, said CISA will add non-critical CVEs to the KEV catalog when there’s evidence of active exploitation in the wild. The CVSS framing here is a bit misleading because it looks at the vulnerability in isolation, not the role it can play in a real attack path.

“On a management platform responsible for thousands of devices, an information disclosure flaw that exposes keys and secrets can be far more consequential operationally than the score suggests,” said Gottumukkala. “That’s why the KEV addition makes sense. CISA adds vulnerabilities based on evidence of active exploitation, not on whether the CVSS score looks dramatic. In this case, the more important signal is that the flaw provides meaningful attack-chain value on a high-leverage management asset.”
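The remediation window Calderone and Gottumukkala are reading is published directly in CISA's KEV feed, which carries a dateAdded and a dueDate for every entry. The script below is an added example written for this page, not code from the article, CISA or Cisco: it parses a constructed excerpt in the schema of the public KEV JSON feed, filters on vendor and product, and computes each entry's window so that four-day items stand out from four-week items. The sample dates follow the article's timeline (CVE-2026-20133 added April 20 with a four-day window); the second entry uses a placeholder identifier that is not a real CVE and stands in for the four-week items in the same batch. Only the feed URL and the field names are taken from CISA's actual feed.

```python
"""Triage CISA KEV entries by the remediation window CISA assigned.

Added example for this article; not CISA, Cisco or SC Media code.
SAMPLE_KEV_JSON is a constructed excerpt that follows the field names of
CISA's public KEV feed (cveID, vendorProject, product, dateAdded, dueDate).
"""
import json
from datetime import date

# Real location of the live catalog; swap SAMPLE_KEV_JSON for its contents
# (e.g. urllib.request.urlopen(KEV_FEED_URL).read()) to run against the feed.
KEV_FEED_URL = (
    "https://www.cisa.gov/sites/default/files/feeds/"
    "known_exploited_vulnerabilities.json"
)

# Constructed sample. Entry 1 follows the article: added April 20, four-day
# window. Entry 2 is a PLACEHOLDER (CVE-0000-00000 is not a real identifier)
# standing in for the four-week items CISA added in the same batch.
SAMPLE_KEV_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "catalogVersion": "constructed-sample",
  "count": 2,
  "vulnerabilities": [
    {"cveID": "CVE-2026-20133", "vendorProject": "Cisco",
     "product": "Catalyst SD-WAN Manager",
     "dateAdded": "2026-04-20", "dueDate": "2026-04-24"},
    {"cveID": "CVE-0000-00000", "vendorProject": "ExampleVendor",
     "product": "Placeholder Product",
     "dateAdded": "2026-04-20", "dueDate": "2026-05-18"}
  ]
}
"""


def parse_kev(raw: str) -> list:
    """Return the vulnerability entries from a KEV feed document."""
    return json.loads(raw)["vulnerabilities"]


def remediation_window_days(entry: dict) -> int:
    """Days CISA allowed between adding the entry and its due date."""
    added = date.fromisoformat(entry["dateAdded"])
    due = date.fromisoformat(entry["dueDate"])
    return (due - added).days


def filter_entries(entries, vendor=None, product_keyword=None) -> list:
    """Keep entries matching an exact vendor and/or a product substring."""
    out = []
    for e in entries:
        if vendor and e.get("vendorProject", "").lower() != vendor.lower():
            continue
        if product_keyword and product_keyword.lower() not in e.get("product", "").lower():
            continue
        out.append(e)
    return out


def triage(entries, today, urgent_max_days: int = 7) -> list:
    """Rank entries by days left; flag short windows and overdue items.

    `today` may be a date or an ISO string. A window at or below
    urgent_max_days marks the entry urgent (the four-day tier in the article).
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    rows = []
    for e in entries:
        due = date.fromisoformat(e["dueDate"])
        rows.append({
            "cve": e["cveID"],
            "product": e.get("product", ""),
            "window_days": remediation_window_days(e),
            "days_left": (due - today).days,
            "urgent": remediation_window_days(e) <= urgent_max_days,
            "overdue": today > due,
        })
    rows.sort(key=lambda r: (r["days_left"], r["cve"]))
    return rows


if __name__ == "__main__":
    entries = parse_kev(SAMPLE_KEV_JSON)
    for row in triage(entries, today="2026-04-21"):
        flag = "URGENT" if row["urgent"] else ""
        if row["overdue"]:
            flag = "OVERDUE"
        print(f"{row['cve']:16} window={row['window_days']:>2}d "
              f"left={row['days_left']:>3}d {flag}")
```

Against the live feed, pass `filter_entries(entries, vendor="Cisco", product_keyword="SD-WAN")` into `triage` to isolate the SD-WAN Manager entries; the `window_days` column is the signal the quotes above describe, independent of any CVSS score.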
