Cisco SD-WAN Again

CISCO SD-WAN, again, and the risk just widened

Attackers do not always need a brand-new way in. Sometimes they just need broader reach from a system that already sits close to the heart of the network.

That is why Cisco SD-WAN is back on the list. Three Cisco Catalyst SD-WAN Manager flaws were added to CISA’s Known Exploited Vulnerabilities catalogue on 20 April, widening the pressure around an area that was already under scrutiny earlier this year.

What changed: CISA added CVE-2026-20122, CVE-2026-20128 and CVE-2026-20133 to KEV. Cisco had already disclosed active exploitation of CVE-2026-20122 and CVE-2026-20128 in March, and current reporting says CVE-2026-20133 has now joined them in KEV as well. That shifts this from “important Cisco patching” into a broader operational risk issue.

The bigger issue is not just the CVEs themselves. It is where they sit. SD-WAN Manager helps run policy and trust across distributed environments, so a compromise here is not neatly contained to one device. One weak point in the management layer can have consequences far beyond a single appliance. Slightly rude of it, really.

Three things to check:

✔️Identify every SD-WAN Manager instance and check whether management access is exposed more widely than it should be.
✔️ Confirm fixed software levels on live systems, not just in maintenance plans or ticket notes.
✔️ Review recent admin activity, API use and unexpected file changes around the management layer.

Links for a deeper technical dive are in the comments.

Видео Cisco SD-WAN Again канала DIESEC