500+
Cisco Catalyst SD-WAN Manager instances reachable from the public internet with no authentication required
3
CVEs chained in the documented attack sequence from unauthenticated access to deployed webshell
CVSS 7.5
Severity of CVE-2026-20133, exploitable remotely without authentication, no user interaction required
Apr 23
CISA FCEB patch deadline, federal agencies required to remediate by today, April 23 2026

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

Three CVEs in Cisco Catalyst SD-WAN Manager are being actively chained by a sophisticated threat actor to steal network credentials, exfiltrate private keys, and plant persistent webshells on enterprise SD-WAN infrastructure, all without requiring authentication on the initial attack step. The Cisco SD-WAN Manager CVE-2026-20133 vulnerability, a path traversal flaw rated CVSS 7.5, is the entry point: an unauthenticated attacker sends crafted HTTP GET requests to traverse the file system and read sensitive files including configuration data, credential stores, and private keys. With those stolen credentials, the chain escalates through CVE-2026-20128 (CVSS 7.5, passwords stored in recoverable format) and CVE-2026-20122 (CVSS 5.4, malicious file upload), culminating in a deployed webshell that persists through normal operations.

CISA added all three vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog between April 20 and April 22, 2026. The federal remediation deadline for the Cisco SD-WAN Manager vulnerability cluster was today, April 23, 2026, for Federal Civilian Executive Branch agencies under CISA Emergency Directive 26-03. For the broader enterprise market, a CISA KEV deadline is an unambiguous signal: exploitation is confirmed in the wild, the attack chain is documented and reproducible, and unpatched systems are active targets right now.

The confirmed threat actor, UAT-8616, has been tracked by Cisco Talos since 2023 and is described as 'a highly sophisticated cyber threat actor.' The Australian Signals Directorate and Five Eyes intelligence partners issued joint threat hunting guidance in response to the campaign. Internet scanning services identify between 450 and 550 Cisco Catalyst SD-WAN Manager instances currently reachable from the public internet, each representing a potential entry point into every enterprise branch site it manages. The blast radius is not a single server: it is the entire managed network. For any organisation running Cisco Catalyst SD-WAN Manager with a public-facing management interface, this advisory requires immediate action today.

How the 3-CVE Cisco SD-WAN Attack Chain Achieves Credential Theft

The attack sequence targeting Cisco Catalyst SD-WAN Manager follows a documented three-stage chain that progresses from unauthenticated information disclosure to persistent access with elevated network privileges. Security researchers at VulnCheck and the zerozenxlabs team published proof-of-concept exploit code demonstrating the chain functions reliably against unpatched systems.

Cisco Talos confirmed active exploitation of CVE-2026-20122 and CVE-2026-20128 beginning February 25, 2026. A functional exploit for the related critical authentication bypass CVE-2026-20127 (CVSS 10.0) was published on March 11, 2026, further expanding the public exploit ecosystem around this vulnerability cluster. The three stages below represent the documented attack path for which CISA has confirmed exploitation evidence and issued a federal emergency directive.

1

CVE-2026-20133, Unauthenticated Path Traversal

Attacker sends crafted HTTP GET requests to the vManage API with path traversal sequences (e.g. /api/v1/../../../../etc/passwd). No credentials required. Returns system credentials, private keys, config files, and logs containing authentication material.

2

CVE-2026-20128, Credential Recovery and Privilege Escalation

Using stolen credentials from stage one, attacker exploits recoverable password storage format to escalate from standard account to DCA (data centre appliance) user level, gaining elevated access across the SD-WAN fabric.

3

CVE-2026-20122, Malicious File Upload for Persistent Webshell

Exploiting improper file handling in the API, attacker uploads a malicious file to the SD-WAN Manager filesystem, granting vmanage user privileges and deploying a persistent webshell that survives routine operations and reboots.

What Attackers Can Read Without Authentication: Credentials, Keys, and Network Maps

The impact of CVE-2026-20133 extends far beyond reading a single file. The path traversal flaw allows unauthenticated traversal of any portion of the file system accessible from the API process security context. In documented exploitation, attackers systematically exfiltrate multiple categories of highly sensitive material.

System configuration files describe the complete network topology, routing policies, and device relationships across the entire managed SD-WAN fabric. For enterprises using Cisco Catalyst SD-WAN to manage branch connectivity, this exposes complete network architecture to an unauthenticated attacker before a single login attempt is made.

Credential stores and authentication material, including passwords stored in recoverable format that CVE-2026-20128 subsequently exploits, are readable via path traversal. Private keys used for device authentication and encrypted SD-WAN tunnel communications are also reachable. Application and system logs frequently contain authentication tokens, session identifiers, and API keys from automated provisioning workflows, representing an additional layer of credential material.

For nation-state actors like UAT-8616, this reconnaissance intelligence, network topology, credential inventory, private keys, is the primary objective. It enables persistent, stealthy access across every managed site simultaneously without triggering alerts associated with brute force or phishing.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

UAT-8616: The Sophisticated Threat Actor Targeting Cisco SD-WAN Infrastructure

The confirmed threat actor in active Cisco SD-WAN Manager exploitation is UAT-8616, a group Cisco Talos describes as 'a highly sophisticated cyber threat actor' whose documented activity against SD-WAN infrastructure dates to 2023. Cisco's February 25, 2026 advisory named the group explicitly, unusual for vendor advisories that typically avoid attribution. The Australian Signals Directorate, coordinating as part of a Five Eyes joint advisory, issued threat hunting guidance specifically addressing UAT-8616 TTPs against Cisco SD-WAN Manager targets.

UAT-8616's operational pattern is characteristic of an advanced persistent threat actor with strategic intelligence objectives rather than ransomware monetisation. The group's multi-year focus on SD-WAN management infrastructure, rather than endpoints or perimeter systems, indicates deliberate targeting of the network control plane governing enterprise connectivity. Compromising the SD-WAN Manager provides simultaneous persistent access across all managed branch sites without requiring separate exploitation of each location. This is the hallmark of a nation-state-level actor seeking durable network presence.

In the confirmed victim environment documented by Huntress, SD-WAN Manager compromise was accompanied by 'suspicious FortiGate SSL VPN access tied to the compromised environment, including a source IP geolocated to Russia', indicating the SD-WAN intrusion was part of a broader multi-vector network access campaign. This combination of CVE-2026-20133 credential theft followed by VPN abuse is consistent with UAT-8616's documented interest in establishing redundant network persistence. Defenders who patch SD-WAN Manager should simultaneously audit VPN access logs for anomalous login activity from the same credential sets.

A vulnerability in Cisco Catalyst SD-WAN Manager could allow an unauthenticated, remote attacker to access sensitive information on an affected system. This vulnerability is due to insufficient file system access restrictions. CISA has confirmed evidence of active exploitation.

CISA Known Exploited Vulnerabilities Catalog, CVE-2026-20133 entry, April 22, 2026

500+ Internet-Exposed SD-WAN Manager Instances: Mapping the Real Attack Surface

CVE-2026-20133 requires nothing beyond a network path to the Cisco Catalyst SD-WAN Manager web interface, no credentials, no user interaction, no local access. This makes the internet-facing exposure of SD-WAN Manager instances directly meaningful as an attack surface metric, and the numbers paint a sobering picture.

Internet scanning services report 450–550 Cisco Catalyst SD-WAN Manager instances accessible from the public internet via Shodan and Censys. FOFA, which scans more extensively across Asian network regions, returns over 1,000 matches for the same service fingerprint. SD-WAN Manager deployments are concentrated in industries relying on branch connectivity: financial services, healthcare, retail, manufacturing, and government, all high-value targets for both nation-state and ransomware threat actors.

Critically, each internet-exposed SD-WAN Manager instance represents not just a single server compromise risk, it represents administrative control over every managed site in the SD-WAN fabric. A single SD-WAN Manager may govern connectivity for dozens or hundreds of branch locations. The blast radius of CVE-2026-20133 exploitation is the entire managed network, not a single host.

This same attack surface pattern drove our coverage of the FortiClient EMS CVE-2026-35616 zero-day and the April 2026 Patch Tuesday advisory, network security appliances with internet-facing management interfaces consistently represent the highest-value, highest-blast-radius entry points in enterprise environments. Organisations that have not restricted SD-WAN Manager access to trusted management networks are operating with full network architecture credentials sitting on the public internet.

Detecting CVE-2026-20133 Exploitation: Log Patterns and Hunt Queries

CVE-2026-20133 exploitation leaves identifiable patterns in Cisco SD-WAN Manager API access logs. The core technique, path traversal via crafted HTTP GET requests, generates anomalous log entries that differ from legitimate API usage in several measurable ways. Security operations teams should implement the following detection queries against vManage access logs as a priority.

The primary hunting indicator is HTTP GET requests to API endpoints containing traversal sequences. Legitimate vManage API calls operate within a defined path namespace and never traverse upward in the file system. Any request containing '../', '..%2F', or URL-encoded equivalents ('%2E%2E%2F') against an API endpoint should be treated as a confirmed exploitation attempt and escalated immediately. Monitor for successful 200 OK responses to such requests, a 403 or 404 indicates the traversal failed, but a 200 confirms successful unauthorised file system access.

Secondary indicators include: new authenticated sessions appearing within minutes of anomalous GET requests, indicating successful credential theft and immediate use in stage two; unexpected file creation events in the SD-WAN Manager filesystem, indicating webshell deployment via CVE-2026-20122; and anomalous outbound connections from the SD-WAN Manager host to external IPs following the exploitation pattern.

Subscribe to unlock Indicators of Compromise

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Remediation: Patch Versions, API Lockdown, and Credential Rotation

Remediation requires both immediate patching and network-level hardening to eliminate the internet-facing exposure that makes CVE-2026-20133 exploitable without credentials. Patching alone does not address the misconfiguration that placed SD-WAN Manager interfaces on the public internet in the first place. Both actions are required to close the attack surface.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

The bottom line

Three CVEs in Cisco Catalyst SD-WAN Manager form a documented, weaponized attack chain that any unauthenticated attacker can initiate against the 500+ management interfaces currently reachable from the public internet. Cisco SD-WAN Manager CVE-2026-20133 is the entry point: it requires no credentials and exposes credentials, private keys, and full network topology before the attacker logs in once. UAT-8616 has been operationalising this access since 2023, and CISA set today as the federal remediation deadline. If your SD-WAN Manager is internet-reachable, patch immediately to a fixed version, restrict management access to trusted IP ranges, and rotate all credentials accessible from the vManage filesystem.

This analysis is generic — the platform version scores threats like this against your own stack.

Frequently asked questions

What is CVE-2026-20133 in Cisco SD-WAN Manager?

CVE-2026-20133 is a CVSS 7.5 information disclosure vulnerability in Cisco Catalyst SD-WAN Manager stemming from insufficient file system access restrictions in its API. Unauthenticated remote attackers can send crafted HTTP GET requests with path traversal sequences to read sensitive files including system credentials, private keys, and network configuration data, all without supplying any login credentials. CISA added it to its Known Exploited Vulnerabilities catalog on April 22, 2026.

How does the Cisco SD-WAN Manager 3-CVE attack chain work?

The attack proceeds in three stages. Stage one: CVE-2026-20133 is used unauthenticated to traverse the file system and extract stored credentials and private keys. Stage two: stolen credentials enable CVE-2026-20128 exploitation, recovering passwords stored in recoverable format to escalate to DCA user level. Stage three: CVE-2026-20122 allows a malicious file upload granting vmanage privileges and deploying a persistent webshell. VulnCheck published proof-of-concept code confirming this chain is reliably reproducible.

Which Cisco SD-WAN Manager versions are vulnerable?

Versions up to and including 20.18 of Cisco Catalyst SD-WAN Manager are affected by CVE-2026-20133. Fixed versions are 20.9.8.2, 20.12.5.3, 20.15.4.2, and 20.18.2.1. Cisco recommends upgrading to the nearest fixed release for your current version branch. Organisations still running end-of-life branches below 20.9 should treat this upgrade as a critical security action given active exploitation.

Is my Cisco SD-WAN Manager exposed to the internet?

Internet scanning services including Shodan and Censys identify 450–550 Cisco Catalyst SD-WAN Manager instances reachable from the public internet. FOFA returns over 1,000 matches globally. SD-WAN Manager should never be accessible from untrusted networks, CISA recommends restricting access to known management IP ranges via firewall ACLs. Check your exposure by querying your ASN on Shodan for the vManage service fingerprint on TCP 8443 or 443.

What credentials and files can attackers steal using CVE-2026-20133?

Successful exploitation allows reading any file accessible from the SD-WAN Manager API process context. In practice this includes: system /etc/passwd and shadow files, vManage stored passwords, private keys used for device mutual authentication and encrypted tunnels, network topology configuration files revealing full branch architecture, and application logs containing session tokens and API keys from automated provisioning workflows. No login is required to access any of this material.

Who is UAT-8616 and are they behind this exploitation?

UAT-8616 is a sophisticated threat actor tracked by Cisco Talos whose documented activity against Cisco SD-WAN infrastructure dates to 2023. The group was named in Cisco's February 25, 2026 advisory confirming active exploitation. The Australian Signals Directorate and Five Eyes partners issued joint threat hunting guidance specifically addressing UAT-8616 TTPs. Post-exploitation activity in confirmed victim environments included FortiGate SSL VPN abuse from source IPs geolocated to Russia.

How do I detect CVE-2026-20133 exploitation in SD-WAN Manager logs?

Hunt for HTTP GET requests to vManage API endpoints containing path traversal sequences such as '../', '..%2F', or '%2E%2E%2F'. Monitor for 200 OK responses to such requests, legitimate API calls never traverse above the API root. Check for access to paths such as /api/v1/../../../../etc/ or /api/v1/../../../opt/viptela/. Correlate with unexpected authenticated sessions appearing minutes later, indicating successful credential theft in stage two of the chain.

What is the CISA deadline for patching CVE-2026-20133?

CISA added CVE-2026-20133 to its KEV catalog on April 22, 2026 with a federal remediation deadline of May 7, 2026. The broader cluster of three Cisco SD-WAN CVEs (CVE-2026-20122, CVE-2026-20128, CVE-2026-20133) was added to KEV on April 20 with a deadline of April 23, 2026, today. Private-sector organisations are not legally bound by CISA deadlines but should treat them as the outer boundary of acceptable patch lag given confirmed in-the-wild exploitation.

Sources & references

  1. CISA, Known Exploited Vulnerabilities Catalog (April 20–22, 2026 additions)
  2. BleepingComputer, CISA flags new SD-WAN flaw as actively exploited in attacks
  3. Help Net Security, CISA flags another Cisco Catalyst SD-WAN Manager bug as exploited (CVE-2026-20133)
  4. VulnCheck Blog, Herding Cats: Recent Cisco SD-WAN Manager Vulnerabilities
  5. CybersecurityNews, CISA Warns of Cisco Catalyst SD-WAN Manager Vulnerabilities Exploited in Attacks
  6. DailyCVE, CVE-2026-20133 Cisco Catalyst SD-WAN Manager Information Disclosure
  7. Cisco Security Advisory, Cisco Catalyst SD-WAN Vulnerabilities

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.