Cisco SD-WAN Attack Surface Widens As CISA Flags Three More Actively Exploited Flaws

Three newly disclosed Cisco Catalyst SD-WAN Manager vulnerabilities have been added to CISA's KEV catalog.

Published on Apr 21, 2026

CISA added eight vulnerabilities to its KEV catalog on Monday Apr. 20, three of which affect Cisco Catalyst SD-WAN Manager.

The three bugs, CVE-2026-20122, CVE-2026-20128, and CVE-2026-20133, cover arbitrary file overwrite, recoverable password storage in the Data Collection Agent, and an information disclosure flaw that can expose sensitive data to unauthorized users.

CVE-2026-20133 sits in the medium-severity band at CVSS 6.5, while CVE-2026-20122 is rated high at 7.1. All three affect a platform already under sustained active attack.

Federal Civilian Executive Branch agencies have been given until Apr. 23, 2026, to remediate the Cisco issues, with the remaining five bugs due by May 4. Cisco patched all three flaws in late February alongside a separate advisory, but evidence of in-the-wild abuse has been identified since then.

The new KEV listings extend a campaign that began in earnest two months ago. In February, Cisco disclosed CVE-2026-20127, a CVSS 10.0 authentication bypass in SD-WAN Controller and Manager that a threat cluster tracked by Cisco Talos as UAT-8616 had been exploiting since at least 2023.

The attackers used it as a zero-day and chained it with the older CVE-2022-20775, reportedly downgrading software on compromised appliances to climb to root before restoring the original version to hide their tracks inside federal and critical infrastructure networks.

Exploitation Traces Back Three Years

For context, Cisco Talos, in a writeup of the intrusion set published in February, said UAT-8616’s activity “indicates a continuing trend of the targeting of network edge devices by cyber threat actors looking to establish persistent footholds into high value organizations including Critical Infrastructure (CI) sectors.”

By early March, independent researchers were tracking a sharp rise in attack traffic against exposed SD-WAN systems. Web shells turned up on vulnerable instances, and exploitation attempts came from a broad range of IP addresses across several regions.

CISA’s Emergency Directive 26-03, also issued in February, required federal agencies to inventory and assess every in-scope system for indicators of compromise, not simply apply the patch and move on.

Most of the newly KEV-listed bugs require authentication, making them better suited to deepening an existing foothold than to gaining initial access.

Paired with CVE-2026-20127, which hands attackers unauthenticated administrative access, the bundle gives intruders a path from the internet edge to file manipulation, credential recovery, and management-plane data.

Cisco has urged customers to upgrade to fixed releases, rather than lean on partial workarounds, since no full mitigations exist for affected deployments.