
CISA Warns of Active Exploitation of Cisco Catalyst SD-WAN Vulnerabilities

Severity: High (Score: 72.9)

Sources: nvd.nist.gov, GBHackers, heise.de

Summary

On April 20, 2026, CISA issued an urgent alert regarding the active exploitation of three critical vulnerabilities in Cisco Catalyst SD-WAN Manager, which is essential for managing enterprise wide-area networks. The vulnerabilities, identified as CVE-2026-20122, CVE-2026-20128, and CVE-2026-20133, allow attackers to escalate privileges, exfiltrate sensitive data, and gain complete control over network management. Organizations must implement mitigations by April 23, 2026, or discontinue use of the affected product to safeguard their networks. The vulnerabilities have been added to CISA's Known Exploited Vulnerabilities (KEV) catalog, indicating confirmed exploitation in the wild. Additionally, CISA has highlighted ongoing attacks on other software, including Zimbra and TeamCity, but specific details on these attacks remain scarce. Security teams are advised to follow CISA's Emergency Directive 26-03 and review the Hunt and Hardening Guidance for Cisco SD-WAN Devices. The urgency of the situation is underscored by the tight remediation deadline and the potential for widespread impact on corporate environments.

Key Points

  • CISA confirmed active exploitation of three critical vulnerabilities in Cisco SD-WAN Manager.
  • Organizations must apply mitigations by April 23, 2026, or cease using the affected product.
  • The vulnerabilities allow attackers to escalate privileges and control network management systems.

Key Entities

  • Phishing (attack_type)
  • XSS (vulnerability)
  • Cisco (company)
  • CVE-2023-27351 (cve)
  • CVE-2024-27199 (cve)
  • CVE-2025-2749 (cve)
  • CVE-2025-32975 (cve)
  • CVE-2025-48700 (cve)
  • CWE-200 - Exposure of Sensitive Information (cwe)
  • CWE-22 - Path Traversal (cwe)
  • CWE-269 - Improper Privilege Management (cwe)
  • CWE-287 - Improper Authentication (cwe)
  • CWE-79 - Cross-site Scripting (XSS) (cwe)
  • T1566 - Phishing (mitre_attack)
  • T1567 - Exfiltration Over Web Service (mitre_attack)
  • ActiveMQ Broker (platform)
  • Apache ActiveMQ (platform)
  • BSD (platform)
  • Catalyst SD-WAN Manager (platform)
  • Cisco Catalyst SD-WAN Manager (platform)
  • VMware (tool)
  • Gentlemen (ransomware_group)