Vulnerabilities ›

CVE-2026-20133

Critical 🇺🇸 CISA KEV

                    Published: Apr 20, 2026                                          ·  Source: CISA_KEV                

CVSS v3

9.8

🔗 NVD Official

📄 Description (English)

Cisco Catalyst SD-WAN Manager — CVE-2026-20133
Cisco Catalyst SD-WAN Manager contains an exposure of sensitive information to an unauthorized actor vulnerability that could allow remote attackers to view sensitive information on affected systems.

Required Action: Please adhere to CISA’s guidelines to assess exposure and mitigate risks associated with Cisco SD-WAN devices as outlines in CISA’s Emergency Directive 26-03 (URL listed below in Notes) and CISA’s “Hunt & Hardening Guidance for Cisco SD-WAN Devices (URL listed below in Notes). Adhere to the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available.
Due Date: 2026-04-23

🤖 AI Executive Summary

Cisco Catalyst SD-WAN Manager contains a critical vulnerability (CVSS 9.8) allowing remote attackers to access sensitive information without authentication. This poses an immediate threat to Saudi organizations relying on SD-WAN for enterprise network connectivity. No patch is currently available, requiring immediate implementation of compensating controls and network segmentation.

📄 Description (Arabic)

🤖 AI Intelligence Analysis Analyzed: Apr 21, 2026 02:48

🇸🇦 Saudi Arabia Impact Assessment

Critical impact on Saudi banking sector (SAMA-regulated institutions), government agencies (NCA oversight), and large enterprises using Cisco SD-WAN for WAN optimization. ARAMCO, STC, and other critical infrastructure operators managing multi-site connectivity are at high risk. Exposure of sensitive network configuration, authentication credentials, and operational data could enable lateral movement and supply chain attacks. Government entities and financial institutions face regulatory compliance violations under SAMA CSF and NCA ECC 2024.

🏢 Affected Saudi Sectors

Banking and Financial Services (SAMA-regulated) Government and Public Administration (NCA oversight) Telecommunications (STC, Mobily, Zain) Energy and Utilities (ARAMCO, SEC) Healthcare (MOH, private hospitals) Large Enterprises with Multi-site WAN Critical Infrastructure Operators

🎯 MITRE ATT&CK Techniques

T1526 — Exposure of Sensitive Information T1592 — Gather Victim Identity Information T1589 — Gather Victim Identity Information (credentials) T1190 — Exploit Public-Facing Application T1133 — External Remote Services T1040 — Network Sniffing T1557 — Man-in-the-Middle T1021 — Remote Services (lateral movement post-compromise)

⚖️ Saudi Risk Score (AI)

9.6

/ 10.0

🔧 Remediation Steps (English)

IMMEDIATE ACTIONS:

1. Inventory all Cisco Catalyst SD-WAN Manager instances across your organization

2. Isolate SD-WAN Manager from untrusted networks immediately — restrict access to authorized administrative networks only

3. Implement network segmentation: place SD-WAN Manager behind firewall with strict ingress/egress rules

4. Enable MFA on all SD-WAN Manager administrative accounts

5. Review access logs for unauthorized access attempts (check for suspicious IP addresses, especially external sources)

6. Disable remote management capabilities if not operationally critical

COMPENSATING CONTROLS:

7. Deploy WAF/IPS rules to detect and block exploitation attempts targeting SD-WAN Manager API endpoints

8. Implement VPN requirement for all administrative access to SD-WAN Manager

9. Monitor for suspicious API calls and data exfiltration patterns

10. Conduct forensic analysis if any unauthorized access is detected

PATCHING GUIDANCE:

11. Monitor Cisco security advisories daily for patch availability (expected by 2026-04-23)

12. Prepare patch testing environment immediately upon patch release

13. Establish expedited patching timeline (within 48 hours of patch availability for critical systems)

DETECTION RULES:

14. Monitor for HTTP/HTTPS requests to SD-WAN Manager from non-whitelisted IPs

15. Alert on failed authentication attempts followed by successful access

16. Track API calls accessing sensitive configuration or credential data

17. Monitor for unusual data volume transfers from SD-WAN Manager

🔧 خطوات المعالجة (العربية)

الإجراءات الفورية:

1. قم بحصر جميع مثيلات Cisco Catalyst SD-WAN Manager عبر المنظمة

2. عزل SD-WAN Manager عن الشبكات غير الموثوقة فوراً — قيد الوصول على الشبكات الإدارية المصرح بها فقط

3. تنفيذ تقسيم الشبكة: ضع SD-WAN Manager خلف جدار حماية بقواعد صارمة للدخول والخروج

4. تفعيل المصادقة متعددة العوامل على جميع حسابات إدارة SD-WAN Manager

5. مراجعة سجلات الوصول للكشف عن محاولات الوصول غير المصرح بها

6. تعطيل إمكانيات الإدارة البعيدة إذا لم تكن ضرورية تشغيلياً

الضوابط البديلة:

7. نشر قواعد WAF/IPS للكشف عن محاولات الاستغلال

8. تطبيق متطلبات VPN لجميع الوصول الإداري

9. مراقبة استدعاءات API المريبة وأنماط تسرب البيانات

10. إجراء تحليل جنائي في حالة اكتشاف وصول غير مصرح به

إرشادات التصحيح:

11. مراقبة استشارات أمان Cisco يومياً للحصول على التحديثات

12. تحضير بيئة اختبار التصحيح فوراً عند توفر التحديث

13. إنشاء جدول زمني معجل للتصحيح (خلال 48 ساعة من توفر التحديث)

قواعد الكشف:

14. مراقبة طلبات HTTP/HTTPS إلى SD-WAN Manager من عناوين IP غير مدرجة في القائمة البيضاء

15. تنبيهات محاولات المصادقة الفاشلة متبوعة بالوصول الناجح

16. تتبع استدعاءات API التي تصل إلى البيانات الحساسة

17. مراقبة حجم البيانات غير العادي المنقول من SD-WAN Manager

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

ECC 2024 A.5.1.1 — Access Control Policies (unauthorized information disclosure) ECC 2024 A.8.1.1 — Asset Management (inventory and protection of critical systems) ECC 2024 A.12.4.1 — Logging and Monitoring (detection of unauthorized access) ECC 2024 A.13.1.1 — Network Security (network segmentation and access controls)

🔵 SAMA CSF

SAMA CSF ID.AM-2 — Asset Management (identify and manage SD-WAN infrastructure) SAMA CSF PR.AC-1 — Access Control (limit access to authorized personnel) SAMA CSF PR.AC-4 — Access Control (multi-factor authentication) SAMA CSF DE.AE-1 — Detection (anomaly detection for unauthorized access) SAMA CSF RS.MI-2 — Response (mitigate impact of information disclosure)

🟡 ISO 27001:2022

ISO 27001:2022 A.5.3 — Segregation of duties ISO 27001:2022 A.8.1 — User endpoint devices ISO 27001:2022 A.8.2 — Privileged access rights ISO 27001:2022 A.8.3 — Information access restriction ISO 27001:2022 A.12.4 — Logging ISO 27001:2022 A.13.1 — Network security

🟣 PCI DSS v4.0

PCI DSS 1.1 — Firewall configuration standards PCI DSS 2.1 — Change default passwords PCI DSS 7.1 — Limit access to cardholder data PCI DSS 8.1 — User identification and authentication PCI DSS 10.2 — Logging and monitoring

🔗 References & Sources 0

No references.

📊 CVSS Score

9.8

/ 10.0 — Critical

📋 Quick Facts

Severity Critical

CVSS Score9.8

EPSS0.07%

Exploit No

Patch ✗ No

CISA KEV🇺🇸 Yes

Published 2026-04-20

Source Feed cisa_kev

🇸🇦 Saudi Risk Score

9.6

/ 10.0 — Saudi Risk

Priority: CRITICAL

🏷️ Tags

kev cisa exploit-known

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

CVE-2026-20133

Introduce Yourself

Sign In Required