Cisco Catalyst SD-WAN Manager
Cisco's SD-WAN management platform; three CVEs received a 3-day CISA emergency patch deadline in April 2026.
Last refreshed: 30 April 2026 · Appears in 1 active topic
Why did CISA give federal agencies only three days to patch Cisco SD-WAN Manager?
Timeline for Cisco Catalyst SD-WAN Manager
Mentioned in: CISA deadline for PAN-OS RCE lands four days early
Cybersecurity: Threats and DefencesCISA gives Cisco SD-WAN three days to patch
Cybersecurity: Threats and Defences- Why did CISA give only three days to patch Cisco Catalyst SD-WAN Manager?
- CISA's three-day remediation deadline (20-23 April 2026) for three Cisco Catalyst SD-WAN Manager CVEs indicates the agency believes active exploitation is underway. The KEV programme uses shorter deadlines for vulnerabilities with confirmed in-the-wild exploitation, with three days representing an emergency tempo reserved for the most urgent cases.Source: CISA KEV catalogue
- What are the Cisco SD-WAN Manager vulnerabilities CISA added to the KEV in April 2026?
- Three CVEs were added simultaneously on 20 April 2026: CVE-2026-20122 (API privilege escalation), CVE-2026-20133 (sensitive information exposure), and CVE-2026-20128 (insecure password storage). All three affect Cisco Catalyst SD-WAN Manager and had a federal remediation deadline of 23 April 2026.Source: CISA KEV catalogue
- How is the Cisco SD-WAN Manager vulnerability different from the FIRESTARTER Cisco ASA attack?
- The SD-WAN Manager CVEs and FIRESTARTER affect different Cisco product lines with different adversary profiles. FIRESTARTER is a nation-state boot-sequence implant on ASA/Firepower perimeter firewalls; the SD-WAN Manager CVEs represent opportunistic exploitation of a network management platform used for branch connectivity. Both require urgent remediation but through different methods.Source: CISA KEV catalogue / CISA AR26-113A
Background
Cisco Catalyst SD-WAN Manager is the centralised management plane for Cisco's software-defined wide-area network (SD-WAN) product family, used by enterprises and governments to configure and monitor distributed branch connectivity. On 20 April 2026, CISA added three separate Catalyst SD-WAN Manager vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalogue simultaneously — CVE-2026-20122 (API privilege escalation), CVE-2026-20133 (sensitive information exposure), and CVE-2026-20128 (insecure password storage) — with a remediation deadline of 23 April 2026, an emergency three-day window that signals CISA believes active exploitation is underway.
The three-day deadline is among the shortest CISA has issued and the simultaneous addition of three CVEs for the same platform is operationally unusual. US federal agencies under CISA's Binding Operational Directive are legally required to remediate KEV entries within the specified window. The SD-WAN Manager vulnerabilities represent a separate attack surface from the FIRESTARTER/ASA campaign: SD-WAN Manager handles network orchestration and configuration, meaning a compromise could allow an attacker to reconfigure branch routing, intercept traffic, or pivot across the WAN fabric.
The simultaneous targeting of two distinct Cisco product lines — ASA/Firepower (FIRESTARTER, nation-state) and Catalyst SD-WAN Manager (KEV, active exploitation) — compounds the patching burden for any enterprise running Cisco for both perimeter security and wide-area networking, requiring parallel remediation sprints with different threat profiles and timelines.
Cisco Catalyst SD-WAN Manager is the software-defined wide-area networking (SD-WAN) management and orchestration platform within Cisco's Catalyst product family. It provides centralised policy management, network visibility, and configuration for distributed enterprise networks. The platform is deployed at scale across enterprise and government customers relying on Cisco's SD-WAN fabric for multi-site connectivity.