Security News

Cybersecurity news aggregator

CRITICAL Vulnerabilities SC Media

Another Cisco Catalyst SD-WAN Manager bug added to CISA list

CVE-2026-20133 (CVSS 6.5) is an unauthenticated API access vulnerability in Cisco Catalyst SD-WAN Manager that allows attackers to enumerate sensitive OS-level files. Affected versions are those below 20.9.8.2, between 20.10 and 20.12.5.3, between 20.13 and 20.15.4.2, and between 20.16 and 20.18.2.1, as well as version 20.12.6 specifically. The fix is an upgrade to the respective fixed version: 20.9.8.2, 20.12.5.3, 20.15.4.2, or 20.18.2.1. CISA has added this flaw to its Known Exploited Vulnerabilities catalog, noting it is being actively chained with other recent SD-WAN Manager bugs for full system compromise.
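A version check built from the affected ranges listed above, as an added example (not Cisco or CISA tooling) for triaging an inventory of SD-WAN Manager releases. It assumes each range includes its lower bound and stops just short of the fixed release; the hostnames and versions in the sample inventory are constructed.

```python
# Added example, not vendor code. Ranges are the ones quoted in the summary.
# Assumption: a range includes its lower bound and excludes the fixed release.
from typing import Dict, Optional, Tuple

# (first affected release, or None for "everything below"; fixed release)
AFFECTED_RANGES = [(None, "20.9.8.2"), ("20.10", "20.12.5.3"),
                   ("20.13", "20.15.4.2"), ("20.16", "20.18.2.1")]
# Named individually on the page, which does not say which fix applies to it.
AFFECTED_EXACT = {"20.12.6"}


def parse(version: str, width: int = 4) -> Tuple[int, ...]:
    """'20.12.5.3' -> (20, 12, 5, 3). Short versions are zero-padded so that
    '20.10' and '20.10.0.0' compare equal; non-numeric input raises."""
    parts = version.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {version!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (width - len(nums))


def check(version: str) -> Tuple[bool, Optional[str]]:
    """Return (affected, fixed_release). fixed_release is None when the
    version is unaffected or when the page names no fix for it."""
    v = parse(version)
    if any(v == parse(e) for e in AFFECTED_EXACT):
        return True, None
    for low, fixed in AFFECTED_RANGES:
        if (low is None or parse(low) <= v) and v < parse(fixed):
            return True, fixed
    return False, None


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host to 'ok', 'upgrade to X', or a manual-review note."""
    report = {}
    for host, version in inventory.items():
        try:
            affected, fixed = check(version)
        except ValueError:
            report[host] = "unknown version string, review manually"
            continue
        if not affected:
            report[host] = "ok"
        else:
            report[host] = f"upgrade to {fixed}" if fixed else "affected, see vendor advisory"
    return report


# Constructed inventory: hostnames and versions are made up for the example.
INVENTORY = {"vmanage-a": "20.9.8.1", "vmanage-b": "20.12.6", "vmanage-c": "20.18.2.1"}
if __name__ == "__main__":
    print(triage(INVENTORY))
```
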

April 21, 2026, by Steve Zurier

The Cybersecurity and Infrastructure Security Agency (CISA) on April 20 added yet another Cisco Catalyst SD-WAN Manager bug to its Known Exploited Vulnerabilities (KEV) list.

CISA gave federal agencies four days to fix the exploited flaw. For its part, Cisco patched the vulnerability, CVE-2026-20133, but has yet to confirm active exploitation.

Denis Calderone, Principal/CTO at Suzu Labs, explained that CISA has threat intelligence sources that don't always align with what Cisco publicly acknowledges, and clearly CISA has seen something Cisco hasn't formally disclosed yet.

Calderone also said that attackers are most certainly chaining together a series of recent flaws around Cisco’s Catalyst SD-WAN products.

Looking at the timeline, Calderone said CVE-2026-20127 was the CVSS 10.0 front door, a full authentication bypass that triggered CISA Emergency Directive 26-03 back in February. Then in March came CVE-2026-20128, which lets an unauthenticated attacker pull DCA user credentials off the filesystem, and CVE-2026-20122, which lets a low-privilege attacker overwrite arbitrary files and escalate to full vManage administrator. Both are confirmed exploited. Now, CVE-2026-20133 joins that group: unauthenticated API access to sensitive OS-level files.

Calderone said the chain could look something like this: start with CVE-2026-20133 to enumerate sensitive files through the API, use CVE-2026-20128 to harvest DCA credentials, then use those credentials with CVE-2026-20122 to overwrite files and escalate to vManage admin, and just like that, the attackers control the management plane for potentially thousands of SD-WAN devices.

“CVSS scores individual bugs,” said Calderone. “It doesn't score chains. CISA gave agencies four days to patch the three SD-WAN CVEs and four weeks for [everything else in that same batch of eight CVEs added to the KEV list yesterday.] That gap is CISA telling you exactly how they're reading the threat.”

Sunil Gottumukkala, chief executive officer at Averlon, said CISA will add non-critical CVEs to the KEV catalog when there’s evidence of active exploitation in the wild. The CVSS framing here is a bit misleading because it looks at the vulnerability in isolation, not the role it can play in a real attack path.

“On a management platform responsible for thousands of devices, an information disclosure flaw that exposes keys and secrets can be far more consequential operationally than the score suggests,” said Gottumukkala. “That’s why the KEV addition makes sense. CISA adds vulnerabilities based on evidence of active exploitation, not on whether the CVSS score looks dramatic. In this case, the more important signal is that the flaw provides meaningful attack-chain value on a high-leverage management asset.”
