Skip to content
You can now search across every topic, entity and event.What's new
Cybersecurity: Threats and Defences
14JUL

CISA gives Cisco SD-WAN three days to patch

3 min read
08:46UTC

On 20 April, CISA added three Cisco Catalyst SD-WAN Manager CVEs to the KEV catalogue with a three-day federal remediation deadline of 23 April.

TechnologyDeveloping
Key takeaway

Three days for SD-WAN patches against the same vendor whose perimeter line is below the patch layer.

CISA added three Cisco Catalyst SD-WAN Manager vulnerabilities to the Known Exploited Vulnerabilities (KEV) catalogue on Monday 20 April with a three-day federal remediation deadline, the shortest of the window 1. CVE-2026-20122 is an API privilege escalation; CVE-2026-20133 is sensitive information exposure; CVE-2026-20128 is a password storage flaw. All three sit in Cisco's software-defined wide-area network management plane, the orchestrator that pushes policy to branch-office routers across an enterprise estate.

KEV catalogue size has now reached 1,585 entries with 16 additions in the thirteen-day window, running at roughly 1.2 per day. The same emergency cadence applied to CitrixBleed 3 on 23 March and to the F5 BIG-IP APM reclassification on 14 April . The pace has not slowed despite the proposed FY27 CISA budget cut ; the operational tempo is being held against a workforce reduction.

The contrast with the FIRESTARTER cluster is what changes the CISO's procurement maths. The same vendor whose ASA and Firepower line hosts a nation-state-tier implant below the patch layer also has an SD-WAN trio caught by fast patching against opportunistic-tier actors. CISA's SD-WAN deadline shows the patching tier still functioning against opportunistic actors, while AA26-113A shows the eviction tier failing against the FIRESTARTER actor. For any organisation buying Cisco for both perimeter security and SD-WAN, the two stories converge on the same change-control queue: SD-WAN devices need to be patched on a stopwatch, and ASA devices need to be unplugged and audited from cold start. The single-vendor stack conversation gets harder in that week.

Deep Analysis

In plain English

Cisco's SD-WAN Manager is the control system that tells a company's branch-office routers what to do. Three security flaws in that control system were added to a US government emergency list, and federal agencies were given just three days to fix them. Three days is unusually short: it signals the government had evidence that hackers were already actively exploiting these flaws against real targets, not running exploratory probes.

Deep Analysis
Root Causes

Cisco Catalyst SD-WAN Manager is the centralised policy orchestrator for software-defined wide-area networks. Its API privilege escalation, information exposure, and password storage vulnerabilities sit at the intersection of two structural problems: the management plane is accessible from enterprise network segments that also carry user traffic, and the SD-WAN Manager's elevated privilege means a single compromised credential produces network-wide policy control.

The SD-WAN Manager also sits inside the same change-control queue as the perimeter firewalls whose patch cycle FIRESTARTER exploited. The shortest KEV deadline of the window signals that exploitation of these CVEs produces immediate enterprise-wide impact rather than limited device-specific impact.

What could happen next?
  • Consequence

    Any enterprise running Cisco Catalyst SD-WAN Manager needs emergency change control for three CVEs simultaneously, adding to the existing ASA/Firepower cold-start audit burden from the FIRESTARTER cluster.

  • Risk

    Organisations that process Cisco SD-WAN patches on the standard 30-day enterprise change-control cycle will remain exposed to confirmed active exploitation for weeks after the KEV deadline.

First Reported In

Update #2 · FIRESTARTER puts Cisco below the patch line

CISA· 30 Apr 2026
Read original
Different Perspectives
UK managed service providers and data centre operators
UK managed service providers and data centre operators
Newly brought into critical-infrastructure scope by the Cyber Security and Resilience Bill's Lords second reading, facing fines up to £17m or 4% of global turnover and a new near-miss reporting duty they did not previously carry. The sector moves from best-practice guidance to statutory exposure within this Parliamentary session.
Threat-intelligence industry
Threat-intelligence industry
SOCRadar's confirmation that one operator sits on two ransomware crews' negotiation panels, following Bitdefender's affiliate-overlap flag six weeks earlier, gives the sector its second independent data point that brand-based tracking undercounts shared access. The firms doing this work are shifting language from named-group attribution toward access-broker mapping.
FSB Centre 16
FSB Centre 16
Named by NCSC as running an SNMP-hijacking campaign against communications, energy, healthcare, defence and financial-services operators, harvesting device data and reconfiguring routers through a decades-old plaintext-authentication protocol. The campaign runs in parallel to, not in place of, the GRU's separate DNS-hijacking operation named in April.
CISA
CISA
CISA's Known Exploited Vulnerabilities catalogue added seven CVEs between 5 and 14 July, none from a headline security vendor, capped by the 18-year-old Cisco IOS bug CVE-2008-4128. BOD 26-04's risk-tiered listing rules make that slowdown as much a policy artefact as a threat-intensity read.
Nidec
Nidec
Nidec faces a $2m demand from Blackfield after the crew breached a server at its supplier Chaun Choung Technology rather than Nidec's own network. The attack reached Nidec's data without touching its own perimeter at all, the same supply-chain route World Leaks used against Tata Electronics.
Tata Electronics
Tata Electronics
Tata Electronics restricted remote access to its purchase-order systems and hired a forensic consultant after World Leaks posted 630GB of its files, including purported Apple and Tesla design material, to a leak site. The exposed value sits on its customers' balance sheets, not its own, which is what makes it hard to price.