Information-Disclosure

vulnerabilities 2026-04-21 High
Cisco Catalyst SD-WAN Manager: Three CVEs Land on CISA KEV With April 28 Federal Deadline
CISA added CVE-2026-20122, CVE-2026-20128, and CVE-2026-20133 in Cisco Catalyst SD-WAN Manager (vManage) to the KEV catalog on April 20, 2026. Two of the three were confirmed exploited in the wild by Cisco PSIRT in March; together they let an attacker move from low-privilege API access to full vManage takeover.
cisco sd-wan vmanage cisa-kev network-security privilege-escalation information-disclosure patch-tuesday

Cisco Catalyst SD-WAN Manager: Three CVEs Land on CISA KEV With April 28 Federal Deadline