CISA Warns of Actively Exploited Cisco SD-WAN Flaw - Orders Urgent Federal Patching

LinkedIn · Vulnerabilities & CVEs · May 22, 2026

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent directive to U.S. federal agencies to patch a newly flagged vulnerability affecting Cisco's widely used SD-WAN management platform, warning that the flaw is already being actively exploited by threat actors.

The vulnerability, tracked as CVE-2026-20133, impacts Cisco's Catalyst SD-WAN Manager, a centralized system used by enterprises and government networks to control and monitor thousands of distributed networking devices. The platform, formerly known as vManage, can oversee as many as 6,000 devices from a single interface, making it a critical component in large-scale infrastructure environments.

Active Exploitation Triggers Emergency Deadline

CISA added the flaw to its Known Exploited Vulnerabilities (KEV) Catalog this week, citing confirmed evidence of real-world attacks. As a result, agencies within the Federal Civilian Executive Branch (FCEB) have been given just 4 days to apply patches or mitigations, with a compliance deadline set for April 24. In total, CISA added 8 new vulnerabilities to the KEV Catalog, including the Cisco Catalyst SD-WAN Manager vulnerability.

The directive underscores the severity of the issue. Inclusion in the KEV catalog is typically reserved for vulnerabilities that pose immediate risk due to ongoing exploitation, often by sophisticated threat actors. CISA instructed agencies to follow the mitigation strategies outlined in Emergency Directive 26-03, as well as its broader hardening guidance for SD-WAN environments. Where remediation is not feasible, agencies were advised to discontinue use of affected systems altogether.

Technical Details of the Vulnerability

According to Cisco, the vulnerability stems from insufficient file system access controls within the SD-WAN Manager software. This weakness allows unauthenticated remote attackers to interact with exposed APIs and retrieve sensitive information from the underlying system without valid login credentials. Cisco previously explained that successful exploitation could enable attackers to:

- Access confidential system data
- Extract operational or configuration details
- Potentially map internal network structures

While the flaw is categorized as an information disclosure issue rather than direct remote code execution, such vulnerabilities are often used as stepping stones in larger attack chains.

Conflicting Signals on Exploitation

Notably, Cisco has not yet publicly confirmed active exploitation of CVE-2026-20133. Its Product Security Incident Response Team (PSIRT) advisory continues to state that there are no known public reports of malicious use. This discrepancy between CISA's assessment and Cisco's official position highlights a recurring challenge in vulnerability disclosure: government intelligence may identify exploitation activity before vendors can independently verify or publicly confirm it.

Broader Pattern of Cisco Vulnerabilities Under Attack

The newly flagged flaw is not an isolated case. In recent months, Cisco has addressed multiple critical vulnerabilities affecting its networking and security products. In late February, alongside CVE-2026-20133, Cisco patched two additional flaws, CVE-2026-20128 and CVE-2026-20122, which were later confirmed to be under active exploitation.

Even more concerning was CVE-2026-20127, a critical authentication bypass vulnerability disclosed earlier this year. That flaw was exploited in zero-day attacks dating back to at least 2023, allowing attackers to insert rogue devices into targeted networks and effectively granting persistent, stealthy access.

In March, Cisco also released patches for two maximum-severity vulnerabilities in its Secure Firewall Management Center (FMC). These flaws could allow attackers to gain root-level access and execute arbitrary code, representing a full system compromise scenario.

Rising Risk to Critical Infrastructure

SD-WAN systems are particularly attractive targets because they sit at the core of enterprise networking. If attackers gain visibility into SD-WAN controllers, they can effectively map and manipulate entire networks, so even information disclosure vulnerabilities can be extremely dangerous in these environments.

CISA's data reinforces the trend. Over the past several years, the agency has identified more than 90 Cisco vulnerabilities as actively exploited in the wild. At least six of these have been linked to ransomware campaigns, highlighting their role in financially motivated cybercrime.

Urgent Call for Organizations Beyond Government

While CISA's directive applies specifically to federal agencies, private sector organizations using Cisco SD-WAN solutions face similar risks. All organizations should:

- Immediately apply the latest security patches
- Restrict access to management interfaces
- Monitor logs for suspicious API activity
- Conduct threat hunting for signs of compromise

Failure to act quickly could leave networks exposed to ongoing exploitation campaigns that may expand beyond government targets.

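The two recommendations that translate most directly into detection logic are restricting who can reach the management interface and watching the management API for requests that should never succeed. The script below is an added example written for this article, not code from the article, from CISA or from Cisco: it parses access-log lines in Common Log Format and raises a finding when a management-API request arrives from outside the admin networks, or when a request with no authenticated user receives a successful response on a path that is not meant to answer anonymously. The API prefix, the admin networks, the anonymous-allowed paths and the log lines are all constructed assumptions; substitute the values for your own platform.

```python
"""Flag suspicious management-API requests in web access logs.

Added example for the recommendations "restrict access to management
interfaces" and "monitor logs for suspicious API activity". Everything
below that names a path, network or host is a constructed assumption.
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Assumed prefix under which the management API is served (not from the article).
MGMT_API_PREFIX = "/mgmt-api/"
# Assumed: only these networks are permitted to reach the management interface.
ADMIN_NETWORKS = [
    ipaddress.ip_network("10.10.0.0/16"),
    ipaddress.ip_network("192.168.100.0/24"),
]
# Assumed: the only API paths that legitimately answer unauthenticated clients.
UNAUTH_OK = {"/mgmt-api/login", "/mgmt-api/health"}

# Common Log Format: client ident authuser [timestamp] "request" status size
CLF_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample log: one legitimate admin session, one external client
# pulling configuration anonymously, one static-asset request, one health check.
SAMPLE_LOG = [
    '10.10.4.7 - - [22/May/2026:09:00:58 +0000] "POST /mgmt-api/login HTTP/1.1" 200 312',
    '10.10.4.7 - admin [22/May/2026:09:01:12 +0000] "GET /mgmt-api/device/list HTTP/1.1" 200 5120',
    '203.0.113.45 - - [22/May/2026:09:14:03 +0000] "GET /mgmt-api/system/config HTTP/1.1" 200 88214',
    '203.0.113.45 - - [22/May/2026:09:14:05 +0000] "GET /mgmt-api/system/files?name=x HTTP/1.1" 403 0',
    '198.51.100.9 - - [22/May/2026:09:20:41 +0000] "GET /static/app.js HTTP/1.1" 200 2210',
    '192.168.100.20 - - [22/May/2026:09:31:00 +0000] "GET /mgmt-api/health HTTP/1.1" 200 17',
]

OUTSIDE_ADMIN = "management API reached from outside admin networks"
UNAUTH_SUCCESS = "successful API response with no authenticated user"


@dataclass(frozen=True)
class Finding:
    src: str
    path: str
    status: int
    reason: str


def parse(line):
    """Return the CLF fields as a dict, or None for lines that do not match."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None


def is_admin_source(src):
    """True when the client address falls inside one of the admin networks."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(ip in net for net in ADMIN_NETWORKS)


def analyse(lines):
    """Apply both checks to every management-API request and collect findings."""
    findings = []
    for line in lines:
        rec = parse(line)
        if rec is None or not rec["path"].startswith(MGMT_API_PREFIX):
            continue
        status = int(rec["status"])
        path = rec["path"].split("?", 1)[0]  # drop the query string for matching
        if not is_admin_source(rec["src"]):
            findings.append(Finding(rec["src"], path, status, OUTSIDE_ADMIN))
        # "-" in the authuser field means the server saw no authenticated user.
        if rec["user"] == "-" and 200 <= status < 300 and path not in UNAUTH_OK:
            findings.append(Finding(rec["src"], path, status, UNAUTH_SUCCESS))
    return findings


def summarise(findings):
    """Count findings per (client, reason) so noisy sources stand out."""
    return Counter((f.src, f.reason) for f in findings)


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f.src:16} {f.status} {f.path:30} {f.reason}")
    for (src, reason), n in summarise(analyse(SAMPLE_LOG)).items():
        print(f"{n:3} x {src} : {reason}")
```

On the constructed sample the external client 203.0.113.45 is reported twice for reaching the API from outside the admin networks and once for receiving a 200 on a configuration path with no authenticated user; the admin session, the login call and the health check produce nothing. The second check is the one that matters for an unauthenticated information-disclosure flaw: a successful anonymous response on a path that requires a session is evidence worth investigating regardless of where the request came from.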
Five Additional Security Vulnerabilities

The latest additions to CISA's Known Exploited Vulnerabilities catalog include the following issues:

- CVE-2023-27351 – A vulnerability in PaperCut NG/MF that has been actively exploited since early 2023 by the Lace Tempest group, an affiliate of the Clop ransomware operation.
- CVE-2024-27199 – A flaw in JetBrains TeamCity that attackers have been leveraging since early 2024.
- CVE-2025-2749 – A vulnerability affecting Kentico Xperience, with no confirmed reports of active exploitation so far.
- CVE-2025-32975 – A security issue impacting Quest KACE Systems Management Appliance. In March 2026, Arctic Wolf reported suspicious activity in customer environments that may be linked to its exploitation.
- CVE-2025-48700 – A zero-click cross-site scripting (XSS) vulnerability in Zimbra Collaboration Suite, developed by Synacor. According to the State Special Communications Service of Ukraine, it has been exploited since late September 2025.

Ongoing Investigation

As of now, details about the attackers exploiting CVE-2026-20133 remain limited. Neither CISA nor Cisco has publicly attributed the activity to a specific threat group. Given the strategic importance of SD-WAN infrastructure, both nation-state actors and cybercriminal groups are likely candidates. The situation remains fluid, with further disclosures expected as investigations continue.