
Cisco Catalyst SD-WAN Manager
Cisco's SD-WAN platform; four CVEs KEV-listed since April 2026, most of any vendor this quarter.
Last refreshed: 4 July 2026 · Appears in 1 active topic
Why did CISA give federal agencies only three days to patch Cisco SD-WAN Manager?
Timeline for Cisco Catalyst SD-WAN Manager
Carried the path-traversal flaw
Cybersecurity: Threats and Defences: Cisco tops a five-vendor KEV batchMentioned in: CISA deadline for PAN-OS RCE lands four days early
Cybersecurity: Threats and DefencesCISA gives Cisco SD-WAN three days to patch
Cybersecurity: Threats and DefencesWhy did CISA give only three days to patch Cisco Catalyst SD-WAN Manager?
What are the Cisco SD-WAN Manager vulnerabilities CISA added to the KEV in April 2026?
How is the Cisco SD-WAN Manager vulnerability different from the FIRESTARTER Cisco ASA attack?
Background
Cisco Catalyst SD-WAN Manager is the centralised management plane for Cisco's software-defined wide-area network (SD-WAN) product family, used by enterprises and governments to configure and monitor distributed branch connectivity. On 20 April 2026, CISA added three separate Catalyst SD-WAN Manager vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalogue simultaneously: CVE-2026-20122 (API privilege escalation), CVE-2026-20133 (sensitive information exposure), and CVE-2026-20128 (insecure password storage), with a remediation Deadline of 23 April 2026, an emergency three-day window that signals CISA believes active exploitation is underway.
The three-day Deadline is among the shortest CISA has issued and the simultaneous addition of three CVEs for the same platform is operationally unusual. US federal agencies under CISA's Binding Operational Directive are legally required to remediate KEV entries within the specified window. The SD-WAN Manager vulnerabilities represent a separate attack surface from the FIRESTARTER/ASA campaign: SD-WAN Manager handles network orchestration and configuration, meaning a compromise could allow an attacker to reconfigure branch routing, intercept traffic, or pivot across the WAN fabric.
The simultaneous targeting of two distinct Cisco product lines, ASA/Firepower (FIRESTARTER, nation-state) and Catalyst SD-WAN Manager (KEV, active exploitation), compounds the patching burden for any enterprise running Cisco for both perimeter security and wide-area networking, requiring parallel remediation sprints with different threat profiles and timelines.
A fourth Catalyst SD-WAN Manager vulnerability followed within the same quarter: CISA added CVE-2026-20262, a PATH-traversal flaw, to the KEV catalogue on 29 June 2026 in a batch alongside four unrelated products. Combined with the April batch of three, Cisco's SD-WAN management platform has had four separate vulnerabilities added to KEV within roughly ten weeks, making Cisco the most repeat-listed vendor on Lowdown's cyber beat this quarter.
Cisco Catalyst SD-WAN Manager is the software-defined wide-area networking (SD-WAN) management and orchestration platform within Cisco's Catalyst product family. It provides centralised policy management, network visibility, and configuration for distributed enterprise networks. The platform is deployed at scale across enterprise and government customers relying on Cisco's SD-WAN fabric for multi-site connectivity.