TP-EXP-2026-0012 CVE-2026-20133 high Patched AI Draft

Cisco Catalyst SD-WAN Manager — OS-Level Sensitive Information Disclosure (CVE-2026-20133)

Severity Assessment

  • Exploitability: 5.5/10
  • Impact: 7.5/10
  • Weaponization Risk: 6.5/10
  • Patch Urgency: 8.5/10
  • Detection Coverage: 4.0/10

Summary

CVE-2026-20133 is an information disclosure vulnerability in Cisco Catalyst SD-WAN Manager affecting all releases prior to 20.18.2.1. The vulnerability stems from insufficient file system restrictions within the vshell interface. An attacker with netadmin-level credentials can access the vshell and read sensitive information from the underlying operating system that would not ordinarily be accessible through the standard SD-WAN management API.

The NVD score of 7.5 HIGH (AV:N/AC:L/PR:N/UI:N) and the Cisco PSIRT score of 6.5 MEDIUM (AV:N/AC:L/PR:L/UI:N) differ only in the privileges-required metric. The English advisory text references both an unauthenticated remote path and an authenticated netadmin path; the vendor vector, which treats the attack as requiring authenticated access, is consistent with the netadmin credential requirement described elsewhere in the advisory and is the characterization this report uses. Until the discrepancy is resolved, exposure decisions should still treat the NVD PR:N vector as the upper bound.

Cisco published the advisory on 2026-02-25 alongside other SD-WAN Manager vulnerabilities in the same advisory bundle (cisco-sa-sdwan-authbp-qwCX8D4v). CISA added CVE-2026-20133 to the Known Exploited Vulnerabilities catalog on 2026-04-20 with a required remediation deadline of 2026-04-23, and issued Supplemental Direction ED 26-03 directing Federal Civilian Executive Branch agencies to follow hunt and hardening guidance. Because exploitation was first confirmed publicly (via the KEV addition) after the fixed release was available, this is classified as post-patch exploitation rather than a zero-day.

Exploit Chain

Stage 1: Authenticate to SD-WAN Manager with Netadmin Privileges

The attacker authenticates to a Cisco Catalyst SD-WAN Manager instance running a version prior to 20.18.2.1 using netadmin-level credentials. These credentials may be obtained through credential theft from another compromised SD-WAN component, such as the DCA credential file exposed by CVE-2026-20128 (a companion vulnerability in the same advisory bundle), or through credential reuse from a separate compromise.

Stage 2: Access vshell Interface

The attacker invokes the vshell feature, which provides a restricted shell environment on the SD-WAN Manager appliance. Due to insufficient file system restrictions, the vshell does not limit file system access to the set of paths needed for legitimate management operations.

Stage 3: Read Sensitive OS-Level Information

The attacker traverses the underlying OS file system through the vshell session, reading files containing sensitive information. This may include configuration files, stored credentials, private keys, log files with authentication material, or other operational data from the underlying operating system. The information gathered can support lateral movement, credential reuse against adjacent systems, or persistent reconnaissance of the SD-WAN fabric.

Detection Guidance

  1. Audit all SD-WAN Manager versions and identify any deployments running releases prior to 20.18.2.1.
  2. Review SD-WAN Manager audit logs for vshell session initiations, particularly from accounts with netadmin privilege and from source IP addresses not in the authorized management range.
  3. Monitor for file access patterns within vshell sessions that extend beyond expected administrative paths, such as reads against system credential stores, key material directories, or log aggregation paths.
  4. Correlate CVE-2026-20133 vshell access with CVE-2026-20128 DCA credential reads — the two vulnerabilities appear in the same advisory bundle and may be chained in exploitation campaigns.
  5. Follow CISA ED 26-03 Supplemental Direction hunt guidance for specific log queries and indicators tailored to Cisco SD-WAN infrastructure.
  6. Identify accounts with netadmin privilege on SD-WAN Manager that were created or modified in the window between the advisory publication (2026-02-25) and patching.
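Items 1, 2, 3 and 6 above as a single triage script, added here as an example; it is not code from this report, from Cisco, or from CISA. The audit log format, its field names (ts, user, role, src, event, path, target, new_role), the management allowlist, the change window and the expected path prefixes are constructed assumptions for illustration and must be mapped onto whatever SD-WAN Manager's audit export actually produces; the version comparison against 20.18.2.1 follows the advisory's "releases prior to 20.18.2.1" wording.

```python
"""Triage helper for CVE-2026-20133 exposure and vshell audit activity.

Added example, not part of the original report or any vendor tooling.
The audit record format below is CONSTRUCTED; field names are assumptions.
"""
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timezone

FIXED_RELEASE = "20.18.2.1"                               # from the advisory
ADVISORY_DATE = datetime(2026, 2, 25, tzinfo=timezone.utc)  # advisory publication

# Assumed environment facts (replace with your own):
MGMT_ALLOWLIST = [ipaddress.ip_network("10.10.5.0/24")]   # authorized management range
CHANGE_WINDOW_UTC = (1, 5)                                # 01:00-05:00 UTC maintenance window
EXPECTED_PATH_PREFIXES = ("/opt/sdwan/", "/var/log/sdwan/")  # hypothetical admin paths


def parse_version(version):
    """'20.18.2.1' -> (20, 18, 2, 1); Cisco version strings vary in length."""
    return tuple(int(part) for part in version.strip().split("."))


def is_vulnerable(version, fixed=FIXED_RELEASE):
    """True when version sorts before the fixed release (e.g. 20.18.2 < 20.18.2.1)."""
    a, b = parse_version(version), parse_version(fixed)
    width = max(len(a), len(b))
    # Zero-pad so a three-component release compares correctly with a four-component fix.
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


# Constructed sample audit export (JSON lines), not real SD-WAN Manager output.
SAMPLE_AUDIT_LOG = """\
{"ts":"2026-03-02T03:10:00Z","user":"ops-admin","role":"netadmin","src":"10.10.5.20","event":"vshell_session_start"}
{"ts":"2026-03-02T03:11:30Z","user":"ops-admin","role":"netadmin","src":"10.10.5.20","event":"vshell_file_read","path":"/var/log/auth.log"}
{"ts":"2026-03-09T14:22:07Z","user":"svc-backup","role":"netadmin","src":"203.0.113.45","event":"vshell_session_start"}
{"ts":"2026-03-09T14:22:40Z","user":"svc-backup","role":"netadmin","src":"203.0.113.45","event":"vshell_file_read","path":"/etc/shadow"}
{"ts":"2026-03-01T09:00:00Z","user":"admin","role":"netadmin","src":"10.10.5.2","event":"user_modify","target":"svc-backup","new_role":"netadmin"}
{"ts":"2026-02-10T09:00:00Z","user":"admin","role":"netadmin","src":"10.10.5.2","event":"user_create","target":"ops-admin","new_role":"netadmin"}
"""


def triage(log_text, allowlist=MGMT_ALLOWLIST, window=CHANGE_WINDOW_UTC,
           expected_prefixes=EXPECTED_PATH_PREFIXES, advisory_date=ADVISORY_DATE):
    """Return {account: [reason, ...]} for events matching detection items 2, 3 and 6."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        ev = json.loads(line)
        ts = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        src = ipaddress.ip_address(ev["src"])
        in_allowlist = any(src in net for net in allowlist)
        in_window = window[0] <= ts.hour < window[1]

        if ev["event"] == "vshell_session_start" and ev["role"] == "netadmin":
            # Item 2: netadmin vshell sessions from unexpected sources or times.
            if not in_allowlist:
                findings[ev["user"]].append("vshell from non-allowlisted source " + ev["src"])
            if not in_window:
                findings[ev["user"]].append("vshell outside change window")
        elif ev["event"] == "vshell_file_read":
            # Item 3: reads beyond the expected administrative paths.
            if not ev["path"].startswith(expected_prefixes):
                findings[ev["user"]].append("OS-level read: " + ev["path"])
        elif ev["event"] in ("user_create", "user_modify") and ev.get("new_role") == "netadmin":
            # Item 6: netadmin privilege granted after advisory publication.
            if ts >= advisory_date:
                findings[ev["target"]].append("netadmin granted after advisory: " + ev["event"])
    return dict(findings)


if __name__ == "__main__":
    for v in ("20.12.4", "20.18.2", "20.18.2.1", "20.19.1"):
        print(v, "VULNERABLE" if is_vulnerable(v) else "fixed")
    for account, reasons in triage(SAMPLE_AUDIT_LOG).items():
        print(account, "->", "; ".join(reasons))
```

On the constructed sample the script flags svc-backup four times (non-allowlisted source, outside the change window, a read of /etc/shadow, and a netadmin grant dated after the advisory) and ops-admin once for the /var/log/auth.log read, while the in-window, in-range session itself produces no finding; the point is that session initiation alone is weak signal and the file-read and account-change context is what separates routine administration from the behaviour described in Stage 3.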

Indicators of Compromise

Log and session indicators:

  • vshell session initiation events in SD-WAN Manager audit logs from netadmin-privileged accounts outside authorized change windows
  • File access records within vshell sessions targeting OS-level paths beyond SD-WAN configuration directories
  • Netadmin-privileged authentication from source addresses not in the authorized management IP allowlist
  • Log entries showing sequential exploitation of DCA credential access (CVE-2026-20128) followed by elevated vshell access (CVE-2026-20133), consistent with chained use of the same advisory bundle

Network indicators:

  • Management-plane traffic to SD-WAN Manager from unexpected sources during the post-advisory, pre-patch window
  • Outbound connections from SD-WAN Manager hosts to IP addresses not associated with known controller or orchestrator peers

Disclosure Timeline

2026-02-25

Cisco published the security advisory cisco-sa-sdwan-authbp-qwCX8D4v disclosing CVE-2026-20133 alongside companion SD-WAN Manager vulnerabilities including CVE-2026-20128. Fixed releases were documented; Cisco Catalyst SD-WAN Manager 20.18.2.1 and later are not affected.

2026-04-20

CISA added CVE-2026-20133 to the Known Exploited Vulnerabilities catalog, confirming active exploitation. The required remediation deadline for FCEB agencies was set to 2026-04-23. CISA also issued Supplemental Direction ED 26-03 with hunt and hardening guidance for Cisco SD-WAN systems.

2026-04-22

The National Vulnerability Database updated the CVE-2026-20133 record to reflect the analyzed status and CISA KEV annotations.

Sources & References