The U.S. Cybersecurity and Infrastructure Security Agency has given government agencies four days to secure their systems against another Catalyst SD-WAN Manager vulnerability that it has flagged as actively exploited in attacks, setting a deadline of Friday, April 24, for affected federal civilian networks.
Catalyst SD-WAN Manager, formerly known as vManage, is a network management platform that allows administrators to monitor and manage as many as 6,000 Catalyst SD-WAN devices from a single dashboard. Cisco patched the information disclosure flaw, tracked as CVE-2026-20133, in late February, saying it could allow unauthenticated remote attackers to access sensitive information on unpatched devices.
Federal Agencies Told to Act Quickly
CISA added CVE-2026-20133 to its Known Exploited Vulnerabilities catalog on Monday, citing evidence of active exploitation, and directed Federal Civilian Executive Branch agencies to secure their networks by Friday, April 24. The agency also urged organisations to assess their exposure and follow its emergency directive and hardening guidance for Cisco SD-WAN devices.
CISA said agencies should also follow applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available. The order underscores the urgency attached to the flaw and the concern surrounding its use in ongoing attacks.
Cisco Position and Earlier Security Warnings
Cisco has not confirmed the U.S. cybersecurity agency’s assessment that the flaw is being exploited in attacks. Its security advisory continues to state that the company’s Product Security Incident Response Team is not aware of any public announcements or malicious use of the vulnerabilities described in CVE-2026-20133.
In February, Cisco also identified a critical authentication bypass vulnerability, CVE-2026-20127, as having been exploited since at least 2023 in zero-day attacks that enabled threat actors to add rogue peers to targeted networks. The company has, in recent months, faced several serious security issues affecting its SD-WAN and firewall management products.
Recent Patches Add to Security Pressure
In early March, Cisco released updates to fix two maximum-severity vulnerabilities in its Secure Firewall Management Center software that could allow attackers to gain root access to the underlying operating system and execute arbitrary Java code with root privileges.
One of those vulnerabilities was attributed to insufficient file system access restrictions. Cisco said a successful exploit could allow an attacker to read sensitive information on the underlying operating system. A week later, the company disclosed that two other security flaws it had patched the same day, CVE-2026-20128 and CVE-2026-20122, were being exploited in the wild.
The latest federal directive adds to the pressure on users of Cisco’s network management products, particularly as vulnerability tracking, patching and public attribution continue to move at different speeds.