**CISA** has given government agencies a four-day deadline to secure their systems against **CVE-2026-20133**, a **Catalyst SD-WAN Manager** vulnerability. Catalyst SD-WAN Manager (formerly known as vManage) is network management software designed to monitor and manage up to 6,000 Catalyst SD-WAN devices from a single dashboard. Cisco patched this information disclosure vulnerability (**CVE-2026-20133**) in late February, stating that it allows unauthenticated remote attackers to access sensitive information on unpatched devices. "This vulnerability is due to insufficient file system access restrictions. An attacker could exploit this vulnerability by accessing the API of an affected system," **Cisco** stated. "A successful exploit could allow the attacker to read sensitive information on the underlying operating system." One week later, the company revealed that two other security flaws patched on the same day (**CVE-2026-20128** and **CVE-2026-20122**) were also being exploited in the wild. ## Federal Agencies Ordered to Patch by Friday On Monday, **CISA** added **CVE-2026-20133** to its Known Exploited Vulnerabilities (KEV) Catalog, citing "evidence of active exploitation." Federal Civilian Executive Branch (FCEB) agencies have been ordered to secure their networks by Friday, April 24. "Please adhere to CISA's guidelines to assess exposure and mitigate risks associated with **Cisco** SD-WAN devices as outlined in CISA's Emergency Directive 26-03 and CISA's Hunt & Hardening Guidance for Cisco SD-WAN Devices," CISA stated. "Adhere to the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available." **Cisco** has yet to confirm **CISA's** report of active exploitation. Their security advisory still indicates that the Product Security Incident Response Team (PSIRT) is "not aware of any public announcements or malicious use of the vulnerabilities that are described in **CVE-2026-20133**." In February, **Cisco** also flagged a critical authentication bypass vulnerability (**CVE-2026-20127**) as exploited in zero-day attacks, enabling threat actors to add malicious rogue peers to targeted networks since at least 2023. More recently, in early March, the company released security updates to address two maximum-severity vulnerabilities in its Secure Firewall Management Center (FMC) software, which could allow attackers to gain root access and execute arbitrary Java code with root privileges. Over the last several years, **CISA** has tagged 91 **Cisco** vulnerabilities as exploited in the wild, six of which have been used by various ransomware operations.