Cyber Posture

CVE-2026-20133

Medium · CISA KEV · Active Exploitation

Published: 25 February 2026

Modified: 22 April 2026
KEV Added: 20 April 2026
Patch
CVSS Score: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0127 (79.6th percentile)
Risk Priority: 34 (60% EPSS · 20% KEV · 20% CVSS)

Description

A vulnerability in Cisco Catalyst SD-WAN Software could allow an unauthenticated, remote attacker to view sensitive information on an affected system. This vulnerability is due to insufficient file system restrictions. An authenticated attacker with netadmin privileges could exploit this vulnerability by accessing the vshell of an affected system. A successful exploit could allow the attacker to read sensitive information on the underlying operating system.

Mitigating Controls (NIST 800-53 r5) · AI

prevent

Enforces approved authorizations for file system access, directly addressing insufficient restrictions that allow netadmin users via vshell to read sensitive OS information.

prevent

Applies least privilege to limit netadmin access, preventing exploitation of vshell to reach sensitive files beyond necessary tasks.

prevent

Requires secure configuration settings for file systems in the most restrictive mode consistent with operations, mitigating inadequate restrictions on sensitive data access.

Security Summary · AI

CVE-2026-20133 is a vulnerability in Cisco Catalyst SD-WAN Software stemming from insufficient file system restrictions. This issue affects the software running on impacted systems, potentially exposing sensitive information stored on the underlying operating system.

An authenticated attacker with netadmin privileges can exploit the vulnerability by accessing the vshell on an affected system. Successful exploitation allows the attacker to read sensitive information. The CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) reflects network accessibility, low privilege requirements, and high confidentiality impact (CWE-200: Exposure of Sensitive Information).

The Cisco Security Advisory at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-authbp-qwCX8D4v details mitigation steps and patches. The vulnerability is also listed in CISA's Known Exploited Vulnerabilities Catalog at https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-20133, indicating real-world exploitation.

Details

CWE(s)
KEV Date Added
20 April 2026

Affected Products

cisco
catalyst sd-wan manager
20.12.6 · ≤ 20.9.8.2 · 20.10 — 20.12.5.3 · 20.13 — 20.15.4.2

MITRE ATT&CK Enterprise Techniques · AI

T1574.010 Services File Permissions Weakness Stealth
Adversaries may execute their own malicious payloads by hijacking the binaries used by services.
T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
T1059.008 Network Device CLI Execution
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious commands and payloads.
Why these techniques?

Vulnerability stems from insufficient file system restrictions (T1044), exploited via vshell (T1059.008, Network Device CLI) to read sensitive information from the local OS file system (T1005).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References