Cyber Posture

CVE-2026-20133

Medium · CISA KEV · Active Exploitation · Updated

Published: 25 February 2026

Modified: 22 April 2026
KEV Added: 20 April 2026
Patch
CVSS Score: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0136 (80.3th percentile)
Risk Priority: 34 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-20133 is a medium-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Cisco Catalyst SD-WAN Manager. Its CVSS base score is 6.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Services File Permissions Weakness (T1574.010). The CVE is ranked in the top 19.7% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Threat & Defense at a Glance

What attackers do: exploitation maps to Services File Permissions Weakness (T1574.010) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) · AI

prevent

Enforces approved authorizations for file system access, directly addressing insufficient restrictions that allow netadmin users via vshell to read sensitive OS information.

prevent

Applies least privilege to limit netadmin access, preventing exploitation of vshell to reach sensitive files beyond necessary tasks.

prevent

Requires secure configuration settings for file systems in the most restrictive mode consistent with operations, mitigating inadequate restrictions on sensitive data access.

MITRE ATT&CK Enterprise Techniques · AI

T1574.010 Services File Permissions Weakness · Stealth
Adversaries may execute their own malicious payloads by hijacking the binaries used by services.
T1005 Data from Local System · Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
T1059.008 Network Device CLI · Execution
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious commands and payloads.
Why these techniques?

The vulnerability stems from insufficient file system restrictions (T1044), exploited via vshell (T1059.008, Network Device CLI) to read sensitive information from the local OS file system (T1005).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

A vulnerability in Cisco Catalyst SD-WAN Software could allow an unauthenticated, remote attacker to view sensitive information on an affected system. This vulnerability is due to insufficient file system restrictions. An authenticated attacker with netadmin privileges could exploit this vulnerability by accessing the vshell of an affected system. A successful exploit could allow the attacker to read sensitive information on the underlying operating system.

Deeper analysis · AI

CVE-2026-20133 is a vulnerability in Cisco Catalyst SD-WAN Software stemming from insufficient file system restrictions. This issue affects the software running on impacted systems, potentially exposing sensitive information stored on the underlying operating system.

An authenticated attacker with netadmin privileges can exploit the vulnerability by accessing the vshell on an affected system. Successful exploitation allows the attacker to read sensitive information. The CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) reflects network accessibility, low privilege requirements, and high confidentiality impact (CWE-200: Exposure of Sensitive Information).

The Cisco Security Advisory at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-authbp-qwCX8D4v details mitigation steps and patches. The CVE is also listed in CISA's Known Exploited Vulnerabilities Catalog at https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-20133, indicating real-world exploitation.

Details

CWE(s)
KEV Date Added: 20 April 2026

Affected Products

Cisco Catalyst SD-WAN Manager
20.12.6 · ≤ 20.9.8.2 · 20.10 — 20.12.5.3 · 20.13 — 20.15.4.2

CVEs Like This One

CVE-2026-20122 · Same product: Cisco Catalyst SD-WAN Manager · both on KEV
CVE-2026-20128 · Same product: Cisco Catalyst SD-WAN Manager · both on KEV
CVE-2026-20126 · Same product: Cisco Catalyst SD-WAN Manager
CVE-2026-20129 · Same product: Cisco Catalyst SD-WAN Manager
CVE-2026-20127 · Same product: Cisco Catalyst SD-WAN Manager · both on KEV
CVE-2026-20182 · Same product: Cisco Catalyst SD-WAN Manager · both on KEV
CVE-2025-20393 · Same vendor: Cisco · both on KEV
CVE-2025-20333 · Same vendor: Cisco · both on KEV
CVE-2026-20045 · Same vendor: Cisco · both on KEV
CVE-2025-20362 · Same vendor: Cisco · both on KEV
