Am I affected by CVE-2026-20133?

Cisco Catalyst SD-WAN Manager (formerly vManage) running versions prior to the February 2026 security update. Three CVEs are in play: CVE-2026-20133 (unauthenticated information disclosure, just added to KEV), CVE-2026-20128 (recoverable password storage), and CVE-2026-20122 (incorrect privileged API use). All three are confirmed exploited in the wild.

How do I fix CVE-2026-20133?

Apply Cisco's February 2026 security update for Catalyst SD-WAN Manager which fixes all three CVEs. If patching is delayed beyond April 24, follow CISA's Hunt & Hardening Guidance for Cisco SD-WAN Devices - restrict API access to trusted admin IPs only and review API access logs for unusual file-system-related requests over the past 60 days. Rotate any credentials stored on the SD-WAN Manager, as CVE-2026-20128 exposes them in recoverable format.

Cisco Catalyst SD-WAN Manager flaw added to CISA KEV with 4-day federal patch deadline - actively exploited (CVE-2026-20133)

vulnerability

CVE-2026-20133 CVE-2026-20128 CVE-2026-20122

2026-04-21

Cisco Catalyst SD-WAN Manager flaw added to CISA KEV with 4-day federal patch deadline - actively exploited (CVE-2026-20133)

CISA added a Cisco Catalyst SD-WAN Manager information disclosure flaw to its Known Exploited Vulnerabilities catalog on Monday, ordering federal agencies to patch by Friday, April 24 - an unusually aggressive 4-day deadline that reflects confirmed active exploitation. CVE-2026-20133 is an unauthenticated remote flaw in the SD-WAN Manager (formerly vManage) API, caused by insufficient file system access restrictions. An attacker can access the API and read sensitive information from the underlying operating system - including credentials that enable follow-on attacks. Cisco patched it in late February alongside two other SD-WAN Manager flaws (CVE-2026-20128 and CVE-2026-20122, both also added to KEV this week and confirmed exploited in the wild). Catalyst SD-WAN Manager is used to centrally manage up to 6,000 SD-WAN devices from one dashboard, making it a high-value target. Oddly, Cisco's PSIRT still says they have no evidence of public exploitation - contradicting CISA. CISA is treating its own intelligence as authoritative and has issued Emergency Directive 26-03 plus a Hunt & Hardening Guide for Cisco SD-WAN. Over the past several years CISA has tagged 91 Cisco vulnerabilities as exploited in the wild, six used by ransomware operations.

Check: If you run Cisco Catalyst SD-WAN Manager (or the old vManage), patch today. CISA's 4-day federal deadline is the clearest signal yet that exploitation is widespread.
Affected: Cisco Catalyst SD-WAN Manager (formerly vManage) running versions prior to the February 2026 security update. Three CVEs are in play: CVE-2026-20133 (unauthenticated information disclosure, just added to KEV), CVE-2026-20128 (recoverable password storage), and CVE-2026-20122 (incorrect privileged API use). All three are confirmed exploited in the wild.
Fix: Apply Cisco's February 2026 security update for Catalyst SD-WAN Manager which fixes all three CVEs. If patching is delayed beyond April 24, follow CISA's Hunt & Hardening Guidance for Cisco SD-WAN Devices - restrict API access to trusted admin IPs only and review API access logs for unusual file-system-related requests over the past 60 days. Rotate any credentials stored on the SD-WAN Manager, as CVE-2026-20128 exposes them in recoverable format.