
Cisco SD-WAN Manager: 3 CVEs Chain to Full Credential Theft — CISA Deadline Was Today

500+: Cisco Catalyst SD-WAN Manager instances reachable from the public internet with no authentication required
3: CVEs chained in the documented attack sequence from unauthenticated access to deployed webshell
CVSS 7.5: severity of CVE-2026-20133, exploitable remotely without authentication, no user interaction required
Apr 23: CISA FCEB patch deadline, with federal agencies required to remediate by today, April 23 2026

Three CVEs in Cisco Catalyst SD-WAN Manager are being actively chained by a sophisticated threat actor to steal network credentials, exfiltrate private keys, and plant persistent webshells on enterprise SD-WAN infrastructure — all without requiring authentication on the initial attack step. The Cisco SD-WAN Manager CVE-2026-20133 vulnerability, a path traversal flaw rated CVSS 7.5, is the entry point: an unauthenticated attacker sends crafted HTTP GET requests to traverse the file system and read sensitive files including configuration data, credential stores, and private keys. With those stolen credentials, the chain escalates through CVE-2026-20128 (CVSS 7.5, passwords stored in recoverable format) and CVE-2026-20122 (CVSS 5.4, malicious file upload), culminating in a deployed webshell that persists through normal operations.

CISA added all three vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog between April 20 and April 22, 2026. The federal remediation deadline for the Cisco SD-WAN Manager vulnerability cluster was today, April 23, 2026, for Federal Civilian Executive Branch agencies under CISA Emergency Directive 26-03. For the broader enterprise market, a CISA KEV deadline is an unambiguous signal: exploitation is confirmed in the wild, the attack chain is documented and reproducible, and unpatched systems are active targets right now.

The confirmed threat actor, UAT-8616, has been tracked by Cisco Talos since 2023 and is described as 'a highly sophisticated cyber threat actor.' The Australian Signals Directorate and Five Eyes intelligence partners issued joint threat hunting guidance in response to the campaign. Internet scanning services identify between 450 and 550 Cisco Catalyst SD-WAN Manager instances currently reachable from the public internet — each representing a potential entry point into every enterprise branch site it manages. The blast radius is not a single server: it is the entire managed network. For any organisation running Cisco Catalyst SD-WAN Manager with a public-facing management interface, this advisory requires immediate action today.

How the 3-CVE Cisco SD-WAN Attack Chain Achieves Credential Theft

The attack sequence targeting Cisco Catalyst SD-WAN Manager follows a documented three-stage chain that progresses from unauthenticated information disclosure to persistent access with elevated network privileges. Security researchers at VulnCheck and the zerozenxlabs team published proof-of-concept exploit code demonstrating the chain functions reliably against unpatched systems.

Cisco Talos confirmed active exploitation of CVE-2026-20122 and CVE-2026-20128 beginning February 25, 2026. A functional exploit for the related critical authentication bypass CVE-2026-20127 (CVSS 10.0) was published on March 11, 2026, further expanding the public exploit ecosystem around this vulnerability cluster. The three stages below represent the documented attack path for which CISA has confirmed exploitation evidence and issued a federal emergency directive.

1. CVE-2026-20133 — Unauthenticated Path Traversal

Attacker sends crafted HTTP GET requests to the vManage API with path traversal sequences (e.g. /api/v1/../../../../etc/passwd). No credentials required. Returns system credentials, private keys, config files, and logs containing authentication material.

2. CVE-2026-20128 — Credential Recovery and Privilege Escalation

Using stolen credentials from stage one, attacker exploits recoverable password storage format to escalate from standard account to DCA (data centre appliance) user level, gaining elevated access across the SD-WAN fabric.

3. CVE-2026-20122 — Malicious File Upload for Persistent Webshell

Exploiting improper file handling in the API, attacker uploads a malicious file to the SD-WAN Manager filesystem, granting vmanage user privileges and deploying a persistent webshell that survives routine operations and reboots.

What Attackers Can Read Without Authentication: Credentials, Keys, and Network Maps

The impact of CVE-2026-20133 extends far beyond reading a single file. The path traversal flaw allows unauthenticated traversal of any portion of the file system accessible from the API process security context. In documented exploitation, attackers systematically exfiltrate multiple categories of highly sensitive material.

System configuration files describe the complete network topology, routing policies, and device relationships across the entire managed SD-WAN fabric. For enterprises using Cisco Catalyst SD-WAN to manage branch connectivity, this exposes complete network architecture to an unauthenticated attacker before a single login attempt is made.

Credential stores and authentication material — including passwords stored in recoverable format that CVE-2026-20128 subsequently exploits — are readable via path traversal. Private keys used for device authentication and encrypted SD-WAN tunnel communications are also reachable. Application and system logs frequently contain authentication tokens, session identifiers, and API keys from automated provisioning workflows, representing an additional layer of credential material.

For nation-state actors like UAT-8616, this reconnaissance intelligence — network topology, credential inventory, private keys — is the primary objective. It enables persistent, stealthy access across every managed site simultaneously without triggering alerts associated with brute force or phishing.

UAT-8616: The Sophisticated Threat Actor Targeting Cisco SD-WAN Infrastructure

The confirmed threat actor in active Cisco SD-WAN Manager exploitation is UAT-8616, a group Cisco Talos describes as 'a highly sophisticated cyber threat actor' whose documented activity against SD-WAN infrastructure dates to 2023. Cisco's February 25, 2026 advisory named the group explicitly — unusual for vendor advisories that typically avoid attribution. The Australian Signals Directorate, coordinating as part of a Five Eyes joint advisory, issued threat hunting guidance specifically addressing UAT-8616 TTPs against Cisco SD-WAN Manager targets.

UAT-8616's operational pattern is characteristic of an advanced persistent threat actor with strategic intelligence objectives rather than ransomware monetisation. The group's multi-year focus on SD-WAN management infrastructure — rather than endpoints or perimeter systems — indicates deliberate targeting of the network control plane governing enterprise connectivity. Compromising the SD-WAN Manager provides simultaneous persistent access across all managed branch sites without requiring separate exploitation of each location. This is the hallmark of a nation-state-level actor seeking durable network presence.

In the confirmed victim environment documented by Huntress, SD-WAN Manager compromise was accompanied by 'suspicious FortiGate SSL VPN access tied to the compromised environment, including a source IP geolocated to Russia' — indicating the SD-WAN intrusion was part of a broader multi-vector network access campaign. This combination of CVE-2026-20133 credential theft followed by VPN abuse is consistent with UAT-8616's documented interest in establishing redundant network persistence. Defenders who patch SD-WAN Manager should simultaneously audit VPN access logs for anomalous login activity from the same credential sets.

A vulnerability in Cisco Catalyst SD-WAN Manager could allow an unauthenticated, remote attacker to access sensitive information on an affected system. This vulnerability is due to insufficient file system access restrictions. CISA has confirmed evidence of active exploitation.

CISA Known Exploited Vulnerabilities Catalog — CVE-2026-20133 entry, April 22, 2026

500+ Internet-Exposed SD-WAN Manager Instances: Mapping the Real Attack Surface

CVE-2026-20133 requires nothing beyond a network path to the Cisco Catalyst SD-WAN Manager web interface — no credentials, no user interaction, no local access. This makes the internet-facing exposure of SD-WAN Manager instances directly meaningful as an attack surface metric, and the numbers paint a sobering picture.

Internet scanning services report 450–550 Cisco Catalyst SD-WAN Manager instances accessible from the public internet via Shodan and Censys. FOFA, which scans more extensively across Asian network regions, returns over 1,000 matches for the same service fingerprint. SD-WAN Manager deployments are concentrated in industries relying on branch connectivity: financial services, healthcare, retail, manufacturing, and government — all high-value targets for both nation-state and ransomware threat actors.

Critically, each internet-exposed SD-WAN Manager instance represents not just a single server compromise risk — it represents administrative control over every managed site in the SD-WAN fabric. A single SD-WAN Manager may govern connectivity for dozens or hundreds of branch locations. The blast radius of CVE-2026-20133 exploitation is the entire managed network, not a single host.

This same attack surface pattern drove our coverage of the [FortiClient EMS CVE-2026-35616](/blog/forticlient-ems-cve-2026-35616-weekly-roundup) zero-day and the [April 2026 Patch Tuesday advisory](/blog/patch-tuesday-april-2026) — network security appliances with internet-facing management interfaces consistently represent the highest-value, highest-blast-radius entry points in enterprise environments. Organisations that have not restricted SD-WAN Manager access to trusted management networks are operating with full network architecture credentials sitting on the public internet.

Detecting CVE-2026-20133 Exploitation: Log Patterns and Hunt Queries

CVE-2026-20133 exploitation leaves identifiable patterns in Cisco SD-WAN Manager API access logs. The core technique — path traversal via crafted HTTP GET requests — generates anomalous log entries that differ from legitimate API usage in several measurable ways. Security operations teams should implement the following detection queries against vManage access logs as a priority.

The primary hunting indicator is HTTP GET requests to API endpoints containing traversal sequences. Legitimate vManage API calls operate within a defined path namespace and never traverse upward in the file system. Any request containing '../', '..%2F', or URL-encoded equivalents ('%2E%2E%2F') against an API endpoint should be treated as a confirmed exploitation attempt and escalated immediately. Monitor for successful 200 OK responses to such requests — a 403 or 404 indicates the traversal failed, but a 200 confirms successful unauthorised file system access.

Secondary indicators include: new authenticated sessions appearing within minutes of anomalous GET requests, indicating successful credential theft and immediate use in stage two; unexpected file creation events in the SD-WAN Manager filesystem, indicating webshell deployment via CVE-2026-20122; and anomalous outbound connections from the SD-WAN Manager host to external IPs following the exploitation pattern.

Indicators of Compromise
| Artifact | Type | Description |
|---|---|---|
| HTTP GET /api/v1/../../../../etc/passwd | Path Traversal Attempt | CVE-2026-20133 exploitation indicator — unauthenticated API path traversal to /etc/passwd, 200 OK response confirms success |
| HTTP GET /api/v1/../../../../etc/shadow | Credential File Access | CVE-2026-20133 — attacker reading shadow password file without authentication |
| HTTP GET /api/v1/../../../opt/viptela/data/etc/conf/ | Config Directory Traversal | Access to viptela configuration directory — contains network topology, device credentials, and routing policy |
| POST /api/v1/[file-endpoint] multipart/form-data binary payload | Webshell Upload Attempt | CVE-2026-20122 stage — malicious file upload to vManage filesystem for persistent post-exploitation access |
| New authenticated vManage session from non-management IP within 5 minutes of traversal events | Post-Exploitation Session | Indicates successful credential theft and reuse — stage two of the documented attack chain |
| FortiGate SSL VPN login from Russia-geolocated IP concurrent with vManage exploitation | UAT-8616 TTP | Documented in confirmed UAT-8616 victim environment — cross-correlate vManage and VPN access logs |

Full hashes and IOC lists are available via the Cisco Talos GitHub repository.

Remediation: Patch Versions, API Lockdown, and Credential Rotation

Remediation requires both immediate patching and network-level hardening to eliminate the internet-facing exposure that makes CVE-2026-20133 exploitable without credentials. Patching alone does not address the misconfiguration that placed SD-WAN Manager interfaces on the public internet in the first place. Both actions are required to close the attack surface.

Apply Cisco patches immediately — upgrade to a fixed version

Fixed releases for Cisco Catalyst SD-WAN Manager: 20.9.8.2, 20.12.5.3, 20.15.4.2, or 20.18.2.1. Upgrade to the closest fixed release for your current version branch. Organisations running end-of-life versions below 20.9 should treat migration to a supported branch as a critical security action. Apply temporary mitigations below while upgrade is in progress.
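As an added triage helper (not Cisco tooling and not code from this advisory), the following Python maps an inventory of running versions onto the fixed releases listed above. The hostnames are constructed, and the routing of intermediate branches the advisory does not list (such as 20.13) to the next higher fixed release is an assumption noted in the code.

```python
import re

# Fixed releases named in the advisory, keyed by release branch (major, minor)
FIXED_RELEASES = {
    (20, 9): (20, 9, 8, 2),
    (20, 12): (20, 12, 5, 3),
    (20, 15): (20, 15, 4, 2),
    (20, 18): (20, 18, 2, 1),
}
EOL_BELOW = (20, 9)       # advisory: branches below 20.9 are end-of-life
LAST_AFFECTED = (20, 18)  # advisory: versions up to and including 20.18 are affected


def parse_version(text):
    """'20.12.4.1' -> (20, 12, 4, 1); absent trailing fields count as 0."""
    parts = [int(p) for p in re.findall(r"\d+", text)][:4]
    if len(parts) < 2:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(parts) + (0,) * (4 - len(parts))


def assess(version_text):
    """Classify one SD-WAN Manager version.

    Returns (status, target): status is 'patched', 'upgrade', 'eol' or
    'unlisted' (branch above 20.18, which the advisory does not cover);
    target is the fixed release to move to, or None for 'unlisted'.
    Assumption not stated in the advisory: a branch between 20.9 and 20.18
    with no fixed release of its own (e.g. 20.13) is sent to the next
    higher fixed release.
    """
    v = parse_version(version_text)
    branch = v[:2]
    if branch < EOL_BELOW:
        return "eol", FIXED_RELEASES[EOL_BELOW]
    if branch > LAST_AFFECTED:
        return "unlisted", None
    fixed = FIXED_RELEASES.get(branch)
    if fixed is None:
        fixed = min(f for f in FIXED_RELEASES.values() if f[:2] > branch)
    return ("patched" if v >= fixed else "upgrade"), fixed


def triage(inventory):
    """inventory: {hostname: version} -> sorted (host, version, status, target)."""
    rows = []
    for host, ver in sorted(inventory.items()):
        status, target = assess(ver)
        rows.append((host, ver, status, ".".join(map(str, target)) if target else None))
    return rows


if __name__ == "__main__":
    # Constructed inventory for illustration only
    sample = {"vmanage-dc1": "20.12.4.1", "vmanage-lab": "20.6.5",
              "vmanage-dc2": "20.18.2.1", "vmanage-new": "20.13.1"}
    for row in triage(sample):
        print(row)
```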

Restrict SD-WAN Manager to trusted management networks via firewall ACL

Cisco SD-WAN Manager should never be accessible from the public internet. Implement firewall ACLs or security groups restricting vManage web interface access (TCP 443/8443) to known management IP ranges only — jump servers, management VLANs, or VPN-connected administrator workstations. Any SD-WAN Manager instance reachable from 0.0.0.0/0 should be treated as actively targeted and isolated until hardened.

Disable unnecessary API endpoints and enforce API authentication controls

Review the SD-WAN Manager API configuration and disable endpoints not required for operational use. Enable API authentication at all layers. For environments requiring API access from external systems, implement API key rotation and restrict access to specific source IPs via vManage API access control settings. Log all API access with full request path logging enabled.

Rotate all credentials stored in or accessible from SD-WAN Manager

If exploitation is confirmed or cannot be ruled out, assume all credentials accessible via the vManage file system are compromised. This includes vManage administrative accounts, device authentication credentials, API keys in configuration or logs, and VPN credentials. The FortiGate VPN abuse pattern in UAT-8616 victim environments indicates credential reuse from stolen SD-WAN Manager material — rotate SD-WAN and VPN credentials simultaneously.

Audit access logs for path traversal IOCs

Review API access logs for HTTP GET requests containing '../', '..%2F', or '%2E%2E%2F' against API endpoints. Capture the complete list of files accessed in any identified traversal sequences. If traversal events are present in logs, escalate to a full incident response process — credential rotation alone is insufficient when the scope of data exfiltration is unknown.
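The log hunt described in the detection section above and in this audit step, as an added Python example that is not part of the advisory and not Cisco's tooling: the one-line-per-request log shape, the management address range and the sample entries are constructed assumptions, while the traversal spellings and the 5-minute session window come from the advisory text and IOC table.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from urllib.parse import unquote

# Constructed sample lines in a simplified access-log shape (an assumption,
# not real vManage output): timestamp, client IP, method, path, status, user
SAMPLE_LOG = """\
2026-04-21T09:14:02Z 203.0.113.45 GET /api/v1/../../../../etc/passwd 200 -
2026-04-21T09:14:05Z 203.0.113.45 GET /api/v1/..%2F..%2F..%2Fopt/viptela/data/etc/conf/ 200 -
2026-04-21T09:14:09Z 203.0.113.45 GET /api/v1/%2E%2E%2F%2E%2E%2Fetc/shadow 403 -
2026-04-21T09:17:40Z 203.0.113.45 POST /login 200 admin
2026-04-21T10:02:11Z 10.20.0.5 GET /api/v1/device 200 netops
"""

# The three traversal spellings the advisory names, matched on the raw path
RAW_TRAVERSAL = re.compile(r"\.\./|\.\.%2F|%2E%2E%2F", re.IGNORECASE)
MANAGEMENT_NETS = [ip_network("10.20.0.0/24")]   # assumed trusted admin range
SESSION_WINDOW = timedelta(minutes=5)            # window from the IOC table
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")


def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, ip, method, path, status, user = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "ip": ip,
            "method": method, "path": path, "status": int(status), "user": user}


def is_traversal(path):
    """True for an API request whose path carries '../' raw or URL-encoded."""
    if not path.startswith("/api/"):
        return False
    if RAW_TRAVERSAL.search(path):
        return True
    decoded = path
    for _ in range(3):              # also catch double-encoded forms (%252E)
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return "../" in decoded


def in_management_net(ip):
    return any(ip_address(ip) in net for net in MANAGEMENT_NETS)


def hunt(log_text):
    """Return traversal findings plus authenticated sessions that follow them."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    traversals = [e for e in events if e["method"] == "GET" and is_traversal(e["path"])]
    findings = [{"kind": "traversal", "ip": t["ip"], "path": t["path"], "ts": t["ts"],
                 # 200 means the file was served; a 403/404 is a failed attempt
                 "confirmed": t["status"] == 200} for t in traversals]
    # Stage-two indicator: an authenticated session inside the window after a
    # traversal event, from an address outside the management range
    for s in events:
        if s["user"] == "-" or in_management_net(s["ip"]):
            continue
        if any(timedelta(0) <= s["ts"] - t["ts"] <= SESSION_WINDOW for t in traversals):
            findings.append({"kind": "post_exploit_session", "ip": s["ip"],
                             "user": s["user"], "ts": s["ts"], "confirmed": True})
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(finding)
```

Every confirmed traversal finding should be escalated with the full list of paths read, since the scope of exfiltration decides whether credential rotation alone is sufficient.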

Follow CISA Emergency Directive 26-03 and Five Eyes hunt guidance

CISA Emergency Directive 26-03 provides technical context and compliance requirements for federal agencies, and its technical guidance applies equally to private-sector organisations. The Five Eyes joint advisory from the Australian Signals Directorate contains additional TTP documentation and detection recommendations specific to UAT-8616 campaigns. Both documents should be distributed to network security and SOC teams immediately.

The bottom line

Three CVEs in Cisco Catalyst SD-WAN Manager form a documented, weaponized attack chain that any unauthenticated attacker can initiate against the 500+ management interfaces currently reachable from the public internet. Cisco SD-WAN Manager CVE-2026-20133 is the entry point: it requires no credentials and exposes credentials, private keys, and full network topology before the attacker logs in once. UAT-8616 has been operationalising this access since 2023, and CISA set today as the federal remediation deadline. If your SD-WAN Manager is internet-reachable, patch immediately to a fixed version, restrict management access to trusted IP ranges, and rotate all credentials accessible from the vManage filesystem.

Frequently asked questions

What is CVE-2026-20133 in Cisco SD-WAN Manager?

CVE-2026-20133 is a CVSS 7.5 information disclosure vulnerability in Cisco Catalyst SD-WAN Manager stemming from insufficient file system access restrictions in its API. Unauthenticated remote attackers can send crafted HTTP GET requests with path traversal sequences to read sensitive files including system credentials, private keys, and network configuration data — all without supplying any login credentials. CISA added it to its Known Exploited Vulnerabilities catalog on April 22, 2026.

How does the Cisco SD-WAN Manager 3-CVE attack chain work?

The attack proceeds in three stages. Stage one: CVE-2026-20133 is used unauthenticated to traverse the file system and extract stored credentials and private keys. Stage two: stolen credentials enable CVE-2026-20128 exploitation, recovering passwords stored in recoverable format to escalate to DCA user level. Stage three: CVE-2026-20122 allows a malicious file upload granting vmanage privileges and deploying a persistent webshell. VulnCheck published proof-of-concept code confirming this chain is reliably reproducible.

Which Cisco SD-WAN Manager versions are vulnerable?

Versions up to and including 20.18 of Cisco Catalyst SD-WAN Manager are affected by CVE-2026-20133. Fixed versions are 20.9.8.2, 20.12.5.3, 20.15.4.2, and 20.18.2.1. Cisco recommends upgrading to the nearest fixed release for your current version branch. Organisations still running end-of-life branches below 20.9 should treat this upgrade as a critical security action given active exploitation.

Is my Cisco SD-WAN Manager exposed to the internet?

Internet scanning services including Shodan and Censys identify 450–550 Cisco Catalyst SD-WAN Manager instances reachable from the public internet. FOFA returns over 1,000 matches globally. SD-WAN Manager should never be accessible from untrusted networks — CISA recommends restricting access to known management IP ranges via firewall ACLs. Check your exposure by querying your ASN on Shodan for the vManage service fingerprint on TCP 8443 or 443.

What credentials and files can attackers steal using CVE-2026-20133?

Successful exploitation allows reading any file accessible from the SD-WAN Manager API process context. In practice this includes: system /etc/passwd and shadow files, vManage stored passwords, private keys used for device mutual authentication and encrypted tunnels, network topology configuration files revealing full branch architecture, and application logs containing session tokens and API keys from automated provisioning workflows. No login is required to access any of this material.

Who is UAT-8616 and are they behind this exploitation?

UAT-8616 is a sophisticated threat actor tracked by Cisco Talos whose documented activity against Cisco SD-WAN infrastructure dates to 2023. The group was named in Cisco's February 25, 2026 advisory confirming active exploitation. The Australian Signals Directorate and Five Eyes partners issued joint threat hunting guidance specifically addressing UAT-8616 TTPs. Post-exploitation activity in confirmed victim environments included FortiGate SSL VPN abuse from source IPs geolocated to Russia.

How do I detect CVE-2026-20133 exploitation in SD-WAN Manager logs?

Hunt for HTTP GET requests to vManage API endpoints containing path traversal sequences such as '../', '..%2F', or '%2E%2E%2F'. Monitor for 200 OK responses to such requests — legitimate API calls never traverse above the API root. Check for access to paths such as /api/v1/../../../../etc/ or /api/v1/../../../opt/viptela/. Correlate with unexpected authenticated sessions appearing minutes later, indicating successful credential theft in stage two of the chain.

What is the CISA deadline for patching CVE-2026-20133?

CISA added CVE-2026-20133 to its KEV catalog on April 22, 2026 with a federal remediation deadline of May 7, 2026. The broader cluster of three Cisco SD-WAN CVEs (CVE-2026-20122, CVE-2026-20128, CVE-2026-20133) was added to KEV on April 20 with a deadline of April 23, 2026 — today. Private-sector organisations are not legally bound by CISA deadlines but should treat them as the outer boundary of acceptable patch lag given confirmed in-the-wild exploitation.

Sources & references

  1. CISA — Known Exploited Vulnerabilities Catalog (April 20–22, 2026 additions)
  2. BleepingComputer — CISA flags new SD-WAN flaw as actively exploited in attacks
  3. Help Net Security — CISA flags another Cisco Catalyst SD-WAN Manager bug as exploited (CVE-2026-20133)
  4. VulnCheck Blog — Herding Cats: Recent Cisco SD-WAN Manager Vulnerabilities
  5. CybersecurityNews — CISA Warns of Cisco Catalyst SD-WAN Manager Vulnerabilities Exploited in Attacks
  6. DailyCVE — CVE-2026-20133 Cisco Catalyst SD-WAN Manager Information Disclosure
  7. Cisco Security Advisory — Cisco Catalyst SD-WAN Vulnerabilities

Author: Eric Bang, Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals weekly.