Overview
On 20 April 2026, CISA added three Cisco Catalyst SD-WAN Manager vulnerabilities to its Known Exploited Vulnerabilities catalog in a single batch, citing evidence of active exploitation. The 72-hour remediation deadline imposed on federal agencies — the tightest window CISA issues — signals that these are being chained or exploited individually against critical infrastructure targets.
SD-WAN Manager (formerly vManage) is the centralised orchestration and policy plane for Cisco's Catalyst SD-WAN fabric. Compromise of the management controller gives an attacker administrative visibility and control over every edge router, policy, and VPN tunnel in the fabric — making it a high-value target for espionage and network disruption actors.
Vulnerability Breakdown
| CVE | CWE | CVSS | Summary |
|---|---|---|---|
| CVE-2026-20122 | CWE-284 Improper Access Control | 8.8 High | Certain API endpoints bypass token validation, permitting authenticated-but-unprivileged users to invoke administrative functions |
| CVE-2026-20128 | CWE-257 Passwords in Recoverable Format | 7.5 High | Integration credentials stored using a reversible encryption scheme; any user with database access can recover plaintext secrets |
| CVE-2026-20133 | CWE-200 Exposure of Sensitive Information | 6.5 Medium | An unauthenticated API endpoint returns internal system metadata, including version strings and interface addressing, enabling targeted exploitation |
CVE-2026-20122 — Improper API Access Control
SD-WAN Manager exposes a REST API used by the web UI and external integrations. Several administrative endpoints under the /dataservice/ path perform RBAC checks based on the user's role claim in the session token, but a subset of endpoints validates the token's signature without verifying the role field against the required permission level. An attacker with any valid low-privilege account (or a compromised operator credential) can call these endpoints directly and perform actions including template deployment, device certificate management, and user provisioning.
The flaw is a classic horizontal privilege escalation pattern: authentication is checked, authorisation is not. In a network management platform, the delta between "authenticated" and "authorised as admin" is effectively the entire attack surface.
```bash
# Example: calling an admin-only endpoint with a low-privilege token
curl -H "Authorization: Bearer <low_priv_token>" \
  https://sdwan-manager.internal/dataservice/template/device/config/attached \
  -X POST -H "Content-Type: application/json" \
  -d '{"templateId":"<uuid>","deviceIds":["<device_id>"]}'
# Returns 200 — executes template push to target device
```
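To make the CWE-284 pattern concrete for code review, the following is an added illustration (not Cisco's code) of an authorisation check that verifies the token signature but never compares the role claim to the endpoint's requirement, next to the corrected check. It assumes an HMAC-signed JSON token and a simple role ranking; only the template endpoint path comes from the advisory.

```python
import base64
import hashlib
import hmac
import json

# Constructed HMAC signing key; the real token format and key handling are not Cisco's
SECRET = b"example-session-signing-key"
ROLE_RANK = {"readonly": 0, "operator": 1, "admin": 2}
# Endpoint taken from the advisory; other paths default to "operator" (assumption)
ADMIN_PATH = "/dataservice/template/device/config/attached"
REQUIRED_ROLE = {ADMIN_PATH: "admin"}


def sign(claims: dict) -> str:
    """Issue a token: base64url(JSON claims) + '.' + HMAC-SHA256 over that payload."""
    payload = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    mac = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{mac}"


def verify(token: str):
    """Return the claims if the signature is valid, else None."""
    try:
        payload, mac = token.rsplit(".", 1)
        expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            return None
        return json.loads(base64.urlsafe_b64decode(payload))
    except (ValueError, json.JSONDecodeError):
        return None


def authorize_vulnerable(token: str, path: str) -> bool:
    # CWE-284 pattern described in the advisory: signature checked, role claim ignored
    return verify(token) is not None


def authorize_fixed(token: str, path: str) -> bool:
    # Authentication first, then authorisation: role claim vs. the endpoint's requirement
    claims = verify(token)
    if claims is None:
        return False
    required = REQUIRED_ROLE.get(path, "operator")
    return ROLE_RANK.get(claims.get("role"), -1) >= ROLE_RANK[required]
```

Note that a forged role claim still fails both versions because the signature no longer matches; the defect is purely that a validly signed operator token is accepted on an admin path.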
CVE-2026-20128 — Passwords in Recoverable Format
SD-WAN Manager supports integration with external systems — AAA servers, SNMP managers, cloud providers, and third-party analytics platforms. The credentials for these integrations are stored in the platform's internal database using AES encryption with a static key embedded in the application binaries. Any user who gains read access to the database (via CVE-2026-20122 or a separate database exposure) can extract and decrypt these integration credentials.
In practice, integration accounts frequently hold privileged access to the systems they connect to — RADIUS shared secrets, SNMPv3 authentication keys, and cloud API tokens are common. Recovering these provides lateral movement paths into the broader environment, well beyond the SD-WAN fabric itself.
```text
# Conceptual recovery of stored integration credential
# After obtaining DB access via CVE-2026-20122:
GET /dataservice/settings/configuration/integrations
# Returns encrypted credential blobs; static AES key in /usr/share/nms/conf/decrypt.key
# openssl aes-256-cbc -d -K <static_key> -iv <extracted_iv> -in blob.bin
```
CVE-2026-20133 — Unauthenticated Information Disclosure
A diagnostic endpoint at /dataservice/client/server/info returns system metadata without requiring authentication. The response includes SD-WAN Manager version, build identifier, cluster member addresses, and network interface information. While not directly exploitable, this information is used in reconnaissance to confirm version and select the appropriate exploit chain from CVE-2026-20122 or CVE-2026-20128 — a reliable pre-exploitation fingerprinting step.
```bash
curl -sk https://sdwan-manager.internal/dataservice/client/server/info | python3 -m json.tool
# {
#   "server": "sd-wan-manager",
#   "buildVersion": "20.15.1.2",
#   "clusterNodes": ["192.168.x.x", "192.168.x.y"],
#   ...
# }
```
Chained Attack Scenario
The three CVEs compose naturally into a low-friction attack path requiring only one valid (low-privilege) credential — obtainable through credential spraying, phishing, or purchasing from an access broker:
- CVE-2026-20133: Unauthenticated fingerprint confirms version and cluster topology — ensures correct exploit variant is used.
- CVE-2026-20122: Low-privilege account escalates to administrative API access — full control over device templates, routing policy, and user management.
- CVE-2026-20128: Administrative database access recovers plaintext integration credentials — RADIUS secrets, SNMP keys, cloud tokens — enabling lateral movement into adjacent systems.
The end state is complete administrative control of the SD-WAN fabric and a collection of integration credentials for further exploitation — achieved with a single low-privilege account as the initial foothold.
Affected Versions
- Cisco Catalyst SD-WAN Manager (vManage): versions 20.9 through 20.15.1 prior to the April 2026 patch
- Cisco IOS XE SD-WAN images are not directly affected — the vulnerabilities are in the Manager controller component only
Remediation
- Apply Cisco's April 2026 security advisory patches immediately. Federal agencies had a mandated 72-hour window — all organisations should treat this with equivalent urgency given confirmed exploitation.
- Restrict SD-WAN Manager access to management VLANs or VPN-protected networks. Internet-facing deployment of the management plane is strongly contraindicated and significantly expands the exposed attack surface.
- Rotate all integration credentials stored in SD-WAN Manager — RADIUS shared secrets, SNMP authentication, and any cloud tokens — as a precautionary measure regardless of whether exploitation is confirmed.
- Review access logs for anomalous calls to /dataservice/ endpoints from low-privilege accounts, particularly template deployment and user management operations.
- Enable multi-factor authentication for all SD-WAN Manager operator accounts to raise the cost of credential-based initial access.
Detection Guidance
- Unauthenticated requests to /dataservice/client/server/info from external IPs — likely reconnaissance using CVE-2026-20133.
- Administrative API calls (template deployment, user management, certificate operations) from accounts with operator or read-only roles.
- Repeated database query patterns against the credentials store — indicative of CVE-2026-20128 extraction attempts.
- New admin accounts created via API, or existing account role modifications not corresponding to a change-management ticket.
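The first two detection items above, run over access-log lines, as an added example (not part of the original advisory or any Cisco tooling). It assumes a simple space-separated log format and a management network of 10.10.5.0/24; the server/info and template paths come from the advisory, while the "admin" and "certificate" path prefixes are placeholders to be aligned with the API documentation of your deployment.

```python
import ipaddress

# Management networks from which SD-WAN Manager access is expected (assumed for the example)
MGMT_NETS = [ipaddress.ip_network("10.10.5.0/24")]
# Unauthenticated metadata endpoint named in the advisory (CVE-2026-20133)
INFO_PATH = "/dataservice/client/server/info"
# Path prefixes treated as administrative; the template prefix is from the advisory,
# the other two are assumed placeholders
ADMIN_PREFIXES = ("/dataservice/template/", "/dataservice/admin/", "/dataservice/certificate/")
MUTATING = {"POST", "PUT", "DELETE"}

# Constructed sample log, one event per line: ts src user role method path status
SAMPLE_LOG = """\
2026-04-21T10:02:11Z 198.51.100.7 - - GET /dataservice/client/server/info 200
2026-04-21T10:03:30Z 10.10.5.9 admin1 admin GET /dataservice/client/server/info 200
2026-04-21T10:05:40Z 10.10.5.23 jdoe operator POST /dataservice/template/device/config/attached 200
2026-04-21T10:06:02Z 10.10.5.23 jdoe operator POST /dataservice/admin/user 200
2026-04-21T10:09:15Z 10.10.5.9 admin1 admin POST /dataservice/template/device/config/attached 200
2026-04-21T10:11:00Z 10.10.5.44 bob readonly GET /dataservice/device 200
"""


def parse(line: str) -> dict:
    ts, src, user, role, method, path, status = line.split()
    return {"ts": ts, "src": ipaddress.ip_address(src), "user": user, "role": role,
            "method": method, "path": path, "status": int(status)}


def is_external(ip) -> bool:
    return not any(ip in net for net in MGMT_NETS)


def classify(ev: dict):
    """Return a finding label for one parsed event, or None if it looks benign."""
    if ev["path"] == INFO_PATH and ev["user"] == "-" and is_external(ev["src"]):
        return "CVE-2026-20133 recon: unauthenticated server/info request from external IP"
    if (ev["method"] in MUTATING and ev["path"].startswith(ADMIN_PREFIXES)
            and ev["role"] != "admin" and ev["status"] < 400):
        return "CVE-2026-20122 suspect: successful admin API mutation by non-admin role"
    return None


def detect(log_text: str) -> list:
    findings = []
    for line in log_text.splitlines():
        if line.strip():
            ev = parse(line)
            label = classify(ev)
            if label:
                findings.append((label, ev["user"], ev["src"].exploded, ev["path"]))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(*finding)
```

Only successful (non-4xx) mutations are flagged, so a hardened instance that now rejects the call with 403 does not keep firing; the earlier failed attempts are still worth a lower-severity rule.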
Takeaways
Network management planes are perennially under-secured relative to the blast radius they represent. SD-WAN Manager compromise doesn't just give an attacker access to one device — it gives them the keys to the routing policy of an entire enterprise WAN. The combination of an information disclosure primitive for reconnaissance, a privilege escalation for access, and a credential recovery flaw for lateral movement is a clean, practical kill chain that requires minimal sophistication once a foothold credential exists.
For pentesters, SD-WAN Manager instances are high-priority targets on any enterprise engagement — once you have a low-privilege credential, these CVEs transform it into full fabric control and a credential harvest for the rest of the environment.