CVE-2026-20133 - [KEV] - CVSS 6.5
Overview
CVE-2026-20133 is an information disclosure vulnerability in Cisco Catalyst SD-WAN Manager (formerly vManage), the centralized management plane for Cisco's SD-WAN fabric. The flaw is categorized as exposure of sensitive information to an unauthorized actor, enabling remote attackers to retrieve data they should not have access to on affected systems. The vulnerability carries a CVSS score of 6.5 (Medium) and an EPSS score of 0.013, but it has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog on 2026-04-20, indicating confirmed active exploitation in the wild despite the modest base metrics.
SD-WAN Manager instances are high-value targets because they hold credentials, device inventories, network topology data, certificate material, and policy configurations for entire SD-WAN deployments. Even partial information disclosure from these systems can enable downstream attacks against managed edge devices and the broader enterprise network.
Affected Products
- Cisco Catalyst SD-WAN Manager (all variants referenced in the advisory, including legacy vManage branding)
Administrators should consult Cisco's security advisory for the specific fixed-release matrix and confirm the running version of every Manager node in clustered deployments.
Exploitation Evidence
- CISA KEV listing: Added 2026-04-20, confirming observed in-the-wild exploitation.
- Exploitation maturity: Active exploitation confirmed.
- EPSS: 0.013 — note that EPSS reflects probabilistic forecasting and lags behind confirmed KEV inclusion; the KEV signal supersedes it for prioritization.
No public technical write-ups or proof-of-concept references are provided in the available evidence; defenders should treat exploitation tradecraft as undisclosed but operationally proven.
ATT&CK Mapping
No formal ATT&CK mappings are present in the database. Based on the vulnerability class and target, the most plausible adversary techniques are:
- T1190 – Exploit Public-Facing Application: SD-WAN Manager interfaces exposed to management networks or the internet are the likely access vector.
- T1592 / T1590 – Gather Victim Host/Network Information: Consistent with the disclosure-of-sensitive-information primitive.
- T1552 – Unsecured Credentials: Possible if disclosed material includes credentials, tokens, or configuration secrets stored by the Manager.
These mappings are inferential and should be validated against vendor-supplied indicators when available.
Threat Actor Context
No attributed threat actor or campaign is recorded in the database for this CVE. Historically, Cisco SD-WAN and edge-management products have drawn interest from both state-aligned intrusion sets focused on network device persistence and financially motivated actors targeting managed service providers. The KEV designation suggests that at least one operational actor is leveraging this flaw, but specific attribution is unavailable at this time.
Recommended Actions
- Patch immediately: Apply the fixed release identified in Cisco's advisory for CVE-2026-20133. Federal civilian agencies must remediate per BOD 22-01 timelines; private-sector organizations should treat this as an equivalent priority given KEV status.
- Restrict management plane exposure: Ensure SD-WAN Manager web and API interfaces are not reachable from the public internet. Place them behind dedicated management VPNs, jump hosts, or zero-trust access gateways with strict allowlisting.
- Review access logs: Inspect Manager access logs, audit logs, and API call records for anomalous read operations, unexpected source IPs, and unauthenticated or low-privilege accounts retrieving configuration or inventory data.
- Rotate exposed secrets: If compromise cannot be ruled out, rotate administrative credentials, API tokens, SNMP community strings, certificates, and any device-onboarding tokens managed by the affected node.
- Hunt for follow-on activity: Look for unauthorized configuration pushes to edge devices, new policy objects, modified templates, or unexpected device-onboarding events that may indicate an adversary is acting on the disclosed data.
- Enforce MFA and least privilege: Validate that all administrative accounts on SD-WAN Manager require MFA and that read-only roles are not over-privileged.
- Monitor Cisco PSIRT updates: Track the advisory for any expansion of affected versions, new IoCs, or detection guidance.
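As an added illustration of the log-review step above (not part of the original advisory or any Cisco tooling), the following triage script flags successful reads of configuration or inventory endpoints that came from outside a management allowlist, carried no authenticated user, or used an account not expected to read such data. The log format, endpoint paths, network ranges and account names are all constructed assumptions and must be replaced with the deployment's own values.

```python
import ipaddress
import re

# Constructed, simplified access-log format (an assumption, not the real
# SD-WAN Manager log format): "<timestamp> <src_ip> <user|-> <METHOD> <path> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) ([A-Z]+) (\S+) (\d{3})$")

# Constructed example values: adjust to the deployment's own allowlist,
# endpoint paths and role names.
MGMT_ALLOWLIST = [ipaddress.ip_network("10.10.0.0/24")]
SENSITIVE_PREFIXES = ("/api/inventory", "/api/config", "/api/certificates")
PRIVILEGED_USERS = {"netadmin", "sdwan-ops"}

def triage_access_log(lines):
    """Return (line, reasons) for successful GETs on sensitive endpoints that
    came from outside the management allowlist, carried no authenticated
    user, or used an account not expected to read that data."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        _ts, src, user, method, path, status = m.groups()
        if method != "GET" or not path.startswith(SENSITIVE_PREFIXES):
            continue
        if not status.startswith("2"):
            continue  # only successful reads actually disclosed data
        reasons = []
        addr = ipaddress.ip_address(src)
        if not any(addr in net for net in MGMT_ALLOWLIST):
            reasons.append("source outside management allowlist")
        if user == "-":
            reasons.append("unauthenticated read")
        elif user not in PRIVILEGED_USERS:
            reasons.append(f"low-privilege account {user!r}")
        if reasons:
            findings.append((line, reasons))
    return findings

# Constructed sample lines (not captured from any real system).
SAMPLE_LOG = [
    "2026-04-21T08:00:01Z 10.10.0.5 netadmin GET /api/inventory/devices 200",
    "2026-04-21T08:02:17Z 203.0.113.44 - GET /api/config/templates 200",
    "2026-04-21T08:03:40Z 10.10.0.9 viewer GET /api/certificates 200",
    "2026-04-21T08:04:02Z 198.51.100.7 - GET /api/config/policies 401",
    "2026-04-21T08:05:10Z 10.10.0.5 netadmin POST /api/config/templates 200",
]

if __name__ == "__main__":
    for line, reasons in triage_access_log(SAMPLE_LOG):
        print(line, "->", "; ".join(reasons))
```

Failed requests (non-2xx) are skipped here because the action item concerns data actually retrieved; a separate count of failed attempts against the same endpoints is still worth keeping for the exposure review.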