File System Access Vulnerability in Cisco Catalyst SD-WAN Manager
CVE-2026-20133

6.5 MEDIUM

Key Information:

Vendor: Cisco

CVE Published: 25 February 2026

Badges

💰 Ransomware | 👾 Exploit Exists | 🦅 CISA Reported | 📰 News Worthy

What is CVE-2026-20133?

CVE-2026-20133 is a critical vulnerability impacting Cisco's Catalyst SD-WAN Manager, a software solution designed to manage and optimize wide-area networks (WANs). The vulnerability arises from insufficient file system restrictions, allowing unauthenticated, remote attackers to access sensitive information stored on affected systems. Specifically, if an attacker gains netadmin privileges, they could exploit this flaw to access the Virtual Shell (vshell) interface, enabling them to retrieve confidential data from the underlying operating system. This could severely compromise organizational security, as sensitive information may include network configurations, user credentials, and other critical data necessary for maintaining confidentiality and integrity within enterprise networks.

Potential impact of CVE-2026-20133

  1. Data Breach Risk: The vulnerability allows unauthorized access to sensitive information on the system. Attackers can exploit this to exfiltrate confidential data, potentially leading to significant privacy violations and regulatory non-compliance for organizations.

  2. Compromise of Network Infrastructure: With access to system-level information, attackers can manipulate or disrupt network operations, leading to potential downtime, loss of service, and impaired business continuity, which can have cascading effects on overall operations.

  3. Increased Attack Surface for Further Exploitation: By successfully exploiting this vulnerability, attackers could gain a foothold in the organization and progress to more sophisticated attacks, including lateral movement within the network, privilege escalation, or deployment of additional malicious payloads.

CISA has reported CVE-2026-20133

CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitors the most dangerous vulnerabilities and has identified CVE-2026-20133 as being exploited, but CISA does not know it to be used in ransomware campaigns. This is subject to change at pace, as recent news articles suggest the vulnerability is being used by ransomware groups.

CISA's recommendation is: Please adhere to CISA’s guidelines to assess exposure and mitigate risks associated with Cisco SD-WAN devices as outlined in CISA’s Emergency Directive 26-03 (URL listed below in Notes) and CISA’s “Hunt & Hardening Guidance for Cisco SD-WAN Devices” (URL listed below in Notes). Adhere to the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available.

Affected Version(s)

Cisco Catalyst SD-WAN Manager 17.2.6

Cisco Catalyst SD-WAN Manager 17.2.7

Cisco Catalyst SD-WAN Manager 17.2.8

News Articles

Week in review: Claude Mythos finds 271 Firefox flaws, Vercel breach - Help Net Security

Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: SmokedMeat: Open-source tool shows what attackers do

5 days ago

CISA flags new SD-WAN flaw as actively exploited in attacks

CISA has given U.S. government agencies four days to secure their systems against another Catalyst SD-WAN Manager vulnerability it flagged as actively exploited in attacks.

1 week ago

References

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • 💰 Used in Ransomware

  • 📰 First article discovered by BleepingComputer

  • 🦅 CISA Reported

  • 👾 Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved
