CVE-2026-20133
Published: 25 February 2026
Summary
CVE-2026-20133 is a medium-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Cisco Catalyst SD-WAN Manager. Its CVSS base score is 6.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Services File Permissions Weakness (T1574.010). The CVE is ranked in the top 4.9% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
A vulnerability in Cisco Catalyst SD-WAN Software stems from insufficient file system restrictions and is tracked as CVE-2026-20133. The flaw carries a CVSS 3.1 score of 6.5 and is categorized under CWE-200, exposing sensitive information on the underlying operating system when triggered.
An authenticated attacker holding netadmin privileges can exploit the issue remotely by accessing the vshell on an affected device, enabling read access to sensitive files without any user interaction. The attack requires low complexity once valid credentials are obtained.
The Cisco Security Advisory cisco-sa-sdwan-authbp-qwCX8D4v and the CISA Known Exploited Vulnerabilities catalog both reference the CVE, indicating that official mitigation guidance and patching information are available through those sources.
The vulnerability appears in CISA’s KEV catalog, confirming real-world exploitation activity. Its EPSS score has remained flat: the peak and current values are both 0.0202, showing no material post-disclosure increase in observed exploitation probability.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-8678
Vulnerability details
A vulnerability in Cisco Catalyst SD-WAN Software could allow an unauthenticated, remote attacker to view sensitive information on an affected system. This vulnerability is due to insufficient file system restrictions. An authenticated attacker with netadmin privileges could exploit this vulnerability by accessing the vshell of an affected system. A successful exploit could allow the attacker to read sensitive information on the underlying operating system.
- CWE(s)
- KEV Date Added: 20 April 2026
Related Threats
MITRE ATT&CK Enterprise Techniques AI
Why these techniques?
Vulnerability stems from insufficient file system restrictions (T1044), exploited via vshell (T1059.008, Network Device CLI) to read sensitive information from the local OS file system (T1005).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly enforces file-system access restrictions that the CVE states are missing, blocking the netadmin vshell read of sensitive OS files.
Limits the scope of netadmin privileges so that vshell access cannot reach arbitrary sensitive files on the underlying OS.
Restricts or disables the vshell feature itself, eliminating the attack vector described in the CVE.