Cyber Resilience

CVE-2026-20133

Medium · CISA KEV · Active Exploitation · EUVD Exploited

Published: 25 February 2026

Modified: 22 April 2026
KEV Added: 20 April 2026
Patch
CVSS Score v3.1: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.1024 (95.1th percentile)
Risk Priority: 100 (floored blend · peak EPSS)

Summary

CVE-2026-20133 is a medium-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Cisco Catalyst SD-WAN Manager. Its CVSS base score is 6.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Services File Permissions Weakness (T1574.010). The CVE ranks in the top 4.9% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

A vulnerability in Cisco Catalyst SD-WAN Software stems from insufficient file system restrictions and is tracked as CVE-2026-20133. The flaw carries a CVSS 3.1 score of 6.5 and is categorized under CWE-200, exposing sensitive information on the underlying operating system when triggered.

An authenticated attacker holding netadmin privileges can exploit the issue remotely by accessing the vshell on an affected device, enabling read access to sensitive files without any user interaction. The attack requires low complexity once valid credentials are obtained.

The Cisco Security Advisory cisco-sa-sdwan-authbp-qwCX8D4v and the CISA Known Exploited Vulnerabilities catalog both reference the CVE, indicating that official mitigation guidance and patching information are available through those sources.

The vulnerability appears in CISA’s KEV catalog, confirming real-world exploitation activity. Its EPSS score has remained flat at a peak and current value of 0.0202, showing no material post-disclosure increase in observed exploitation probability.

Vulnerability details

A vulnerability in Cisco Catalyst SD-WAN Software could allow an unauthenticated, remote attacker to view sensitive information on an affected system. This vulnerability is due to insufficient file system restrictions. An authenticated attacker with netadmin privileges could exploit this vulnerability by accessing the vshell of an affected system. A successful exploit could allow the attacker to read sensitive information on the underlying operating system.

CWE(s)
KEV Date Added: 20 April 2026

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1574.010 · Services File Permissions Weakness · Stealth
Adversaries may execute their own malicious payloads by hijacking the binaries used by services.
T1005 · Data from Local System · Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
T1059.008 · Network Device CLI · Execution
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious commands and payloads.
Why these techniques?

The vulnerability stems from insufficient file system restrictions (T1044) and is exploited via vshell (T1059.008, Network Device CLI) to read sensitive information from the local OS file system (T1005).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-20122 · Same product: Cisco Catalyst SD-WAN Manager · both on KEV
CVE-2026-20128 · Same product: Cisco Catalyst SD-WAN Manager · both on KEV
CVE-2026-20182 · Same product: Cisco Catalyst SD-WAN Manager · both on KEV
CVE-2026-20126 · Same product: Cisco Catalyst SD-WAN Manager
CVE-2026-20129 · Same product: Cisco Catalyst SD-WAN Manager
CVE-2026-20127 · Same product: Cisco Catalyst SD-WAN Manager · both on KEV
CVE-2025-20333 · Same vendor: Cisco · both on KEV
CVE-2025-20393 · Same vendor: Cisco · both on KEV
CVE-2026-20230 · Same vendor: Cisco · both on KEV
CVE-2025-20352 · Same vendor: Cisco · both on KEV

Affected Assets

cisco
catalyst sd-wan manager
20.12.6 · ≤ 20.9.8.2 · 20.10 — 20.12.5.3 · 20.13 — 20.15.4.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces file-system access restrictions that the CVE states are missing, blocking the netadmin vshell read of sensitive OS files.

prevent

Limits the scope of netadmin privileges so that vshell access cannot reach arbitrary sensitive files on the underlying OS.

prevent

Restricts or disables the vshell feature itself, eliminating the attack vector described in the CVE.
