Medium (6.5) Actively Exploited

Catalyst SD-WAN Manager leaks OS data, exploited (CVE-2026-20133)

CVE-2026-20133

CVE-2026-20133 is actively exploited in Cisco SD-WAN Manager; unauthenticated remote attackers can read arbitrary files, exposing credentials and configs. Update immediately to a patched release.

Affected: Cisco Catalyst SD-WAN Manager

Actively exploited in the wild - CVE-2026-20133 is a medium (CVSS 6.5) file read vulnerability in Cisco Catalyst SD-WAN Manager that lets unauthenticated remote attackers read arbitrary system files, potentially exposing credentials and operational secrets. Cisco has released software fixes – prioritise patching now.

Overview

A vulnerability in Cisco Catalyst SD-WAN Manager allows an unauthenticated, remote attacker to read sensitive information from the underlying operating system. Tracked as CVE-2026-20133 with a CVSS score of 6.5 (Medium), this flaw is confirmed by CISA to be actively exploited in the wild. The issue stems from insufficient file system access restrictions in the application’s API.

Vulnerability Details

The vulnerability exists because the affected software does not properly restrict access to the file system through its API. An attacker with network access to an unpatched SD-WAN Manager instance can send specially crafted requests without needing any credentials. A successful exploit allows the attacker to read arbitrary files on the system, potentially exposing sensitive configuration data, credentials, or other operational secrets.

Impact

If exploited, this vulnerability provides attackers with a significant foothold within a network’s management infrastructure. Access to sensitive operating system files can lead to further reconnaissance, credential theft, and lateral movement. Given that the SD-WAN Manager is a central control point for software-defined wide area networks, a compromise could facilitate broader attacks against the entire managed network.

Affected Products and Remediation

This vulnerability affects Cisco Catalyst SD-WAN Manager. Cisco has released software updates that address this vulnerability. There are no workarounds that mitigate this flaw.

Immediate Action Required:

  • Identify all instances of Cisco Catalyst SD-WAN Manager in your environment.
  • Upgrade to a fixed software release as specified in the Cisco Security Advisory.
  • As this vulnerability is being actively exploited, prioritize this update.

Mitigation and Detection

While patching is the primary solution, organizations should ensure that management interfaces for critical systems like SD-WAN Manager are not exposed directly to the internet. Restrict network access to these systems to trusted administrative networks only. Monitor network logs for unusual or unauthorized API access attempts targeting the SD-WAN Manager.
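One way to act on the monitoring advice above, as an added example that is not part of the original advisory or any Cisco tooling: it reviews access-log lines for requests from outside the trusted administrative networks and for API requests that succeeded with no authenticated user. The combined log format (from a proxy in front of the manager), the `10.20.0.0/24` admin range, the `/api/` prefix and all sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumptions: admin range and API prefix are placeholders, not product values.
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.20.0.0/24")]
API_PREFIX = "/api/"
# Assumption: NCSA combined-format lines from a proxy in front of the manager;
# "-" in the user field means no authenticated identity was attached.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"[A-Z]+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?:\d+|-)')

# Constructed sample lines (documentation IP ranges, made-up paths).
SAMPLE_LOG = [
    '10.20.0.15 - admin [12/Mar/2026:09:14:02 +0000] "GET /api/example/status HTTP/1.1" 200 512',
    '10.20.0.15 - - [12/Mar/2026:09:14:30 +0000] "GET /login HTTP/1.1" 200 900',
    '203.0.113.77 - - [12/Mar/2026:09:15:40 +0000] "GET /api/example/resource HTTP/1.1" 200 2048',
    '198.51.100.9 - - [12/Mar/2026:09:16:05 +0000] "POST /api/example/resource HTTP/1.1" 403 0',
    'truncated or malformed line',
]

def is_trusted(src):
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # hostnames or junk are treated as untrusted
    return any(addr in net for net in TRUSTED_ADMIN_NETS)

def review(lines):
    # Returns (findings, unparsed_count); each finding lists why it was flagged.
    findings, unparsed = [], 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1  # count, never drop silently: odd lines deserve a look
            continue
        reasons = []
        if not is_trusted(m["src"]):
            reasons.append("source outside admin networks")
        if (m["path"].startswith(API_PREFIX) and m["user"] == "-"
                and m["status"].startswith("2")):
            reasons.append("unauthenticated API request succeeded")
        if reasons:
            findings.append((m["src"], m["ts"], m["path"], m["status"], reasons))
    return findings, unparsed

if __name__ == "__main__":
    hits, skipped = review(SAMPLE_LOG)
    for src, ts, path, status, reasons in hits:
        print(f"{ts} {src} {status} {path}: {'; '.join(reasons)}")
```

Any hit from outside the admin ranges also indicates that the access restriction described above is not in effect for that path to the manager.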

Security Insight

This incident is part of a concerning trend where network management appliances are targeted for initial access, as seen with the recent Interlock ransomware exploiting a Cisco FMC zero-day. It highlights that attackers are shifting focus from end-user systems to the operational technology that manages them, seeking maximum disruption and leverage from a single compromise.
