CISA quietly added a packed batch of eight vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog on April 20, 2026 — and three of them are different bugs in the same product: Cisco Catalyst SD-WAN Manager, the controller plane formerly branded vManage. Federal Civilian Executive Branch agencies have until April 28, 2026 to patch.
If you operate Cisco SD-WAN, the implication is straightforward: the management plane that pushes config to every branch in your overlay is now a confirmed live target.
What was added
CISA’s April 20 update covers three SD-WAN Manager CVEs that all trace back to the same Cisco advisory (cisco-sa-sdwan-authbp-qwCX8D4v), originally published in late February:
- CVE-2026-20122 (CVSS 5.4) — Arbitrary file overwrite in the vManage REST API. A remote attacker with valid read-only API credentials can drop or overwrite arbitrary files in the appliance filesystem and pivot to vmanageuser privileges. The classification of “incorrect use of privileged APIs” is generous; in practice it’s a path-handling bug that escapes the intended sandbox.
- CVE-2026-20128 — Storing passwords in a recoverable format inside the Data Collection Agent (DCA). A locally authenticated low-privilege user can read DCA credential files off disk and use them to authenticate as the DCA user, which is enough to grab telemetry data and laterally hop to other SD-WAN Manager nodes that share that account.
- CVE-2026-20133 (CVSS 7.5) — Unauthenticated information disclosure via the API. Insufficient file system access restrictions let a remote, unauthenticated caller read sensitive files on the underlying OS through crafted API requests. This is the only one of the three that needs no credentials to start; in chained operations, it’s the obvious first hop.
Cisco’s PSIRT has confirmed in-the-wild exploitation of CVE-2026-20122 and CVE-2026-20128 since March 5. CVE-2026-20133 had no public exploitation as of Cisco’s last advisory revision, but VulnCheck and other researchers flagged it as the highest practical risk of the three because it’s pre-auth, and CISA’s KEV add now suggests they’ve seen exploitation activity that warranted formal listing.
The chain that makes this dangerous
Read in isolation, none of these are CVSS 10 fireworks. Read as a kit, they’re a textbook chain against a network management plane:
- Hit CVE-2026-20133 unauthenticated to read configuration files, credentials, or tokens off disk.
- Use harvested credentials (or the read-only API tokens that often leak in those reads) to authenticate against the API.
- Trigger CVE-2026-20122 to overwrite a privileged file — Cisco’s advisory wording around vmanageuser privileges suggests the classic write-to-cron, write-to-systemd-unit, or write-to-an-already-trusted-script pattern.
- Once you’ve reached vManage privileges, you control the SD-WAN overlay’s policy, routing, and certificate plane. From there you push config, modify ACLs, or stage a quieter persistence mechanism.
CVE-2026-20128 is the lateral movement primitive in that picture: any DCA credentials reused across a multi-node SD-WAN Manager cluster mean breaking one box buys you the rest.
Affected and fixed releases
Cisco’s fixed builds for the original advisory are:
- 20.9.8.2
- 20.12.5.3
- 20.15.4.2
- 20.18.2.1
Releases 20.18 and later are not affected by CVE-2026-20128 (the DCA credential-storage flaw was refactored away). Everything else in the advisory still requires an update. There are no workarounds — Cisco was explicit about that for CVE-2026-20133 in particular.
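A small check for the release list above, added here as an example and not Cisco tooling: the fixed-build table is transcribed from the four builds listed, while the train grouping (major.minor), the function names and the status strings are this example's own assumptions. The point it makes is that version strings must be compared numerically, since as plain strings a hypothetical "20.9.10" sorts below "20.9.8.2" and would be misjudged as unpatched.

```python
"""Check a running Catalyst SD-WAN Manager version against the fixed builds the
article lists. Added example, not Cisco tooling: the fixed-build table is
transcribed from the advisory list above; the train grouping, function names
and status strings are this example's own assumptions."""

# Fixed builds keyed by release train (major.minor), as listed for the advisory.
FIXED_BUILDS = {
    (20, 9): (20, 9, 8, 2),
    (20, 12): (20, 12, 5, 3),
    (20, 15): (20, 15, 4, 2),
    (20, 18): (20, 18, 2, 1),
}


def parse_version(text: str) -> tuple:
    """'20.9.8.2' -> (20, 9, 8, 2). Compare numerically: as strings,
    '20.9.10' would sort below '20.9.8' and be misjudged as unpatched."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def padded(version: tuple, width: int = 4) -> tuple:
    """Right-pad with zeros so (20, 9, 10) and (20, 9, 8, 2) compare element-wise."""
    return version + (0,) * (width - len(version))


def assess(text: str) -> dict:
    """Report whether `text` is at or above the fixed build for its train."""
    v = padded(parse_version(text))
    train = v[:2]
    fixed = FIXED_BUILDS.get(train)
    if fixed is None:
        patched = None  # train not in the fixed list; the advisory is the authority
        status = "no fixed build listed for train %d.%d" % train
    else:
        patched = v >= padded(fixed)
        status = ("at or above fixed build" if patched
                  else "below fixed build " + ".".join(map(str, fixed)))
    return {
        "version": text,
        "train": "%d.%d" % train,
        "patched": patched,
        "status": status,
        # The article states that 20.18 and later are not affected by CVE-2026-20128.
        "cve_2026_20128_applies": train < (20, 18),
    }


if __name__ == "__main__":
    # Constructed candidate versions, not a claim about what any site runs.
    for candidate in ("20.9.8.2", "20.9.10", "20.12.5.2", "20.18.2.1", "20.10.1"):
        print(candidate, assess(candidate))
```

A train that is absent from the table returns `patched=None` rather than a guess; the advisory, not this table, decides what a release outside the four listed trains should move to.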
What to do right now
For anyone running Catalyst SD-WAN Manager:
- Patch. The fixed releases have been out since February 25 — if you held off because the original disclosure had no exploitation note, that condition no longer holds.
- Audit API credentials. Revoke and rotate any DCA accounts and any read-only API tokens issued before the patch. Assume harvested credentials are in the wild.
- Pull vmanage and DCA user logs back to the moment of patch deployment. Look for unexpected file writes under privileged paths, new cron entries, modified systemd units, and out-of-band API reads of /etc/, /opt/cisco/, or anything under the DCA data directory.
- Network-segment the management plane. SD-WAN Manager should not be reachable from the data-plane VPNs it manages, period. CISA’s deadline is the floor; defense in depth here means the API surface is reachable only from a tightly scoped admin network.
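The log review step above, turned into triage logic as an added example that is neither the article's nor Cisco's code: the key=value record format, the field names, the node and peer addresses, the DCA account name `dca` and the `/DCA_DATA_DIR/` placeholder are all constructed assumptions, since Cisco's real audit schema is not on the page. The three rules map onto the three bugs: unauthenticated API reads that resolve to /etc/ or /opt/cisco/ (traversal collapsed first, so `/x/../../etc/shadow` is judged as `/etc/shadow`), writes under cron or systemd paths, and the shared DCA account logging in from an address that is not one of the cluster's own nodes.

```python
"""Triage constructed SD-WAN Manager audit records for the artifacts the
article tells you to hunt for. Added example, not Cisco tooling: the key=value
record format, field names, node/peer addresses and the DCA account name are
this example's own constructed assumptions, not Cisco's real log schema."""
import posixpath
import re
from datetime import datetime, timezone

# Paths the article calls out. /DCA_DATA_DIR/ is a placeholder for the real
# Data Collection Agent directory on your appliance.
SENSITIVE_READ_PREFIXES = ("/etc/", "/opt/cisco/", "/DCA_DATA_DIR/")
PRIVILEGED_WRITE_PREFIXES = ("/etc/cron.d/", "/var/spool/cron/", "/etc/systemd/system/")
DCA_ACCOUNT = "dca"                        # assumed shared DCA user name
CLUSTER_PEERS = {"10.0.0.1", "10.0.0.2"}   # constructed cluster node addresses

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line: str) -> dict:
    """Parse one constructed 'key=value ...' record; ts becomes an aware datetime."""
    rec = {k: v.strip('"') for k, v in KV.findall(line)}
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    return rec


def normalize(path: str) -> str:
    """Collapse '.' and '..' so a traversal like /x/../../etc/passwd is judged as /etc/passwd."""
    return posixpath.normpath("/" + path.lstrip("/"))


def triage(lines, since: datetime) -> list:
    """Return findings for records at or after `since` (the start of the review window)."""
    findings = []
    for line in lines:
        r = parse_record(line)
        if r["ts"] < since:
            continue
        event, user = r.get("event"), r.get("user", "-")
        target = normalize(r["target"]) if "target" in r else ""
        note = None
        if event == "api_read" and user == "-" and target.startswith(SENSITIVE_READ_PREFIXES):
            note = "unauthenticated API read of sensitive path (CVE-2026-20133 pattern)"
        elif event == "file_write" and target.startswith(PRIVILEGED_WRITE_PREFIXES):
            note = f"write to privileged path by {user} (CVE-2026-20122 pattern)"
        elif event == "login" and user == DCA_ACCOUNT and r.get("src") not in CLUSTER_PEERS:
            note = f"DCA account login from non-cluster source {r.get('src')} (CVE-2026-20128 pattern)"
        if note:
            findings.append({"ts": r["ts"].isoformat(), "node": r.get("node"),
                             "target": target, "note": note})
    return findings


# Constructed sample records; none of this is real appliance output.
SAMPLE_LOG = [
    'ts=2026-03-01T09:00:00Z node=vmanage-1 event=api_read user=- target=/dataservice/device',
    'ts=2026-03-06T02:14:07Z node=vmanage-1 event=api_read user=- target=/dataservice/../../etc/shadow',
    'ts=2026-03-06T02:15:30Z node=vmanage-1 event=api_read user=- target=/opt/cisco/config/api_tokens',
    'ts=2026-03-06T02:21:12Z node=vmanage-1 event=file_write user=vmanageuser target=/etc/cron.d/sync',
    'ts=2026-03-06T02:22:01Z node=vmanage-1 event=file_write user=vmanageuser target=/tmp/upload.bin',
    'ts=2026-03-06T02:40:45Z node=vmanage-2 event=login user=dca src=10.0.0.1',
    'ts=2026-03-06T02:41:03Z node=vmanage-2 event=login user=dca src=203.0.113.9',
]


def run_sample() -> list:
    """Triage the constructed sample from 2026-03-05 onward (the exploitation date the article cites)."""
    return triage(SAMPLE_LOG, datetime(2026, 3, 5, tzinfo=timezone.utc))


if __name__ == "__main__":
    for f in run_sample():
        print(f["ts"], f["node"], f["note"], f["target"])
```

Two design choices matter here: the path is normalized before the prefix test, otherwise a traversal-style API parameter never matches `/etc/`, and the DCA rule keys on the login source rather than on the account alone, because a shared DCA account legitimately logs in on every node of the cluster.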
Federal agencies have until April 28. For everyone else: the exploitation is real, the chain is plausible, the fixes have been available for nearly two months. There’s no good reason to be the case study in next month’s threat report.
References
- Cisco Security Advisory cisco-sa-sdwan-authbp-qwCX8D4v
- CISA KEV catalog update, April 20, 2026
- VulnCheck, “Herding Cats: Recent Cisco SD-WAN Manager Vulnerabilities”
- Cisco PSIRT exploitation update, March 5, 2026