CVE-2026-20133: Cisco Catalyst SD-WAN Manager Sensitive Information Disclosure Vulnerability
Executive Summary
Cisco Catalyst SD-WAN Manager contains a vulnerability that exposes sensitive information to an unauthorized actor. The vulnerability is due to insufficient file system restrictions in Cisco Catalyst SD-WAN Software. An authenticated attacker with netadmin privileges can exploit it by accessing the vshell of an affected system. A successful exploit could allow the attacker to read sensitive information on the underlying operating system. The vulnerability is tracked as CVE-2026-20133 and is included in the CISA Known Exploited Vulnerabilities (KEV) Catalog.
Vulnerability Details
- CVE ID: CVE-2026-20133
- CVSS Score: 7.5 (NIST) / 6.5 (CNA)
- CWE: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
- Root Cause: The vulnerability stems from insufficient file system restrictions within the Cisco Catalyst SD-WAN Software.
- Affected Products: Cisco Catalyst SD-WAN Manager (refer to vendor advisory for detailed version mapping).
Attack Vector and Technical Analysis
Exploitation requires authenticated access with netadmin privileges. Through the vshell endpoint, an adversary can bypass the intended file system restrictions and gain unauthorized read access to system files, exposing sensitive information that resides on the underlying operating system. Because vshell is the feature that gives netadmin accounts this level of access to the device, it is the focal point of this vulnerability.
Mitigation and Detection
Apply the vendor-provided security patches immediately. Organizations should also monitor system access logs for anomalous interactions with the vshell endpoint, particularly by accounts holding netadmin privileges.
Detection Rules
Sigma rule:

```yaml
title: Cisco SD-WAN Manager vshell Unauthorized Access
status: experimental
description: Detects unauthorized or unusual access to the vshell endpoint on Cisco SD-WAN Manager.
logsource:
  product: cisco_sdwan
detection:
  selection:
    event_type: "vshell_access"
    user_privileges: "netadmin"
  condition: selection
```

Equivalent KQL query:

```kql
CiscoSDWANLogs
| where event_type == "vshell_access"
| where user_privileges == "netadmin"
| project TimeGenerated, SourceIP, User, Action, Details
```
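The rule above fires on every netadmin vshell session, legitimate administrative use included, so in practice it is a hunting query whose hits need to be compared against what normal admin activity looks like. As an added example that is not part of the original advisory or of any Cisco tooling, the following Python script applies the same selection (vshell access by a netadmin account) to constructed sample audit events and then separates routine use from the entries a responder would look at first. The one-JSON-object-per-line log format, the sample events, the baseline of known admin accounts and management networks, and the business-hours window are all assumptions made for this example; only the field names follow the detection rule on the page.

```python
"""Added example: run the advisory's vshell detection over sample audit events.

Field names (event_type, user_privileges, TimeGenerated, SourceIP, User, Action,
Details) follow the Sigma/KQL rule on the page. The log format, the sample events
and the baseline below are assumptions for this example, not Cisco's own.
"""
import ipaddress
import json
from dataclasses import dataclass
from datetime import datetime

# Constructed sample audit log (not real device output). The last line is
# deliberately malformed so the parser's handling of pipeline noise is exercised.
SAMPLE_LOG = """\
{"TimeGenerated": "2026-03-01T08:02:11Z", "event_type": "login", "user_privileges": "netadmin", "User": "admin", "SourceIP": "10.0.0.5", "Action": "login", "Details": "ok"}
{"TimeGenerated": "2026-03-01T08:03:40Z", "event_type": "vshell_access", "user_privileges": "netadmin", "User": "admin", "SourceIP": "10.0.0.5", "Action": "vshell", "Details": "shell opened"}
{"TimeGenerated": "2026-03-01T02:14:07Z", "event_type": "vshell_access", "user_privileges": "netadmin", "User": "svc-backup", "SourceIP": "203.0.113.9", "Action": "vshell", "Details": "shell opened"}
{"TimeGenerated": "2026-03-01T09:10:00Z", "event_type": "vshell_access", "user_privileges": "operator", "User": "noc1", "SourceIP": "10.0.0.7", "Action": "vshell", "Details": "denied"}
{"TimeGenerated": "2026-03-01T09:12:33Z", "event_type": "config_change", "user_privileges": "netadmin", "User": "admin", "SourceIP": "10.0.0.5", "Action": "commit", "Details": "template push"}
this line is not JSON and should be skipped
"""

# Assumed baseline: accounts that legitimately open vshell, the management
# networks they come from, and a UTC business-hours window.
KNOWN_VSHELL_USERS = frozenset({"admin"})
ADMIN_NETWORKS = (ipaddress.ip_network("10.0.0.0/24"),)
BUSINESS_HOURS_UTC = range(6, 20)  # 06:00 to 19:59 UTC


@dataclass(frozen=True)
class Finding:
    time: str
    user: str
    source_ip: str
    reasons: tuple  # empty tuple: matched the rule but looks like routine admin use


def parse_events(raw):
    """Parse one JSON object per line; skip blank or malformed lines instead of aborting."""
    events = []
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip it, the rest of the log is still useful
        if isinstance(obj, dict):
            events.append(obj)
    return events


def matches_rule(event):
    """The selection from the page's Sigma rule and KQL query."""
    return (event.get("event_type") == "vshell_access"
            and event.get("user_privileges") == "netadmin")


def anomaly_reasons(event, known_users, admin_networks, business_hours):
    """Return why a matched event deviates from the baseline (empty tuple = routine)."""
    reasons = []
    if event.get("User") not in known_users:
        reasons.append("unknown_user")
    try:
        ip = ipaddress.ip_address(event.get("SourceIP", ""))
        if not any(ip in net for net in admin_networks):
            reasons.append("external_source")
    except ValueError:
        reasons.append("unparseable_source_ip")
    try:
        # Older fromisoformat() rejects a trailing "Z", so normalise it first.
        ts = datetime.fromisoformat(event.get("TimeGenerated", "").replace("Z", "+00:00"))
        if ts.hour not in business_hours:
            reasons.append("off_hours")
    except ValueError:
        reasons.append("unparseable_timestamp")
    return tuple(reasons)


def hunt(raw, known_users=KNOWN_VSHELL_USERS, admin_networks=ADMIN_NETWORKS,
         business_hours=BUSINESS_HOURS_UTC):
    """Return (all rule matches, the subset that deviates from the baseline)."""
    matched, anomalous = [], []
    for event in parse_events(raw):
        if not matches_rule(event):
            continue
        finding = Finding(
            time=event.get("TimeGenerated", ""),
            user=event.get("User", ""),
            source_ip=event.get("SourceIP", ""),
            reasons=anomaly_reasons(event, known_users, admin_networks, business_hours),
        )
        matched.append(finding)
        if finding.reasons:
            anomalous.append(finding)
    return matched, anomalous


if __name__ == "__main__":
    all_matches, suspicious = hunt(SAMPLE_LOG)
    print(f"{len(all_matches)} vshell access(es) by netadmin accounts, "
          f"{len(suspicious)} outside the baseline")
    for f in suspicious:
        print(f"  {f.time} user={f.user} src={f.source_ip} reasons={', '.join(f.reasons)}")
```

On the sample data the rule matches two events; the routine one (a known admin, from the management network, during working hours) carries no reasons, while the second is flagged for an unknown account, an external source address and an off-hours timestamp. Replace the baseline constants with the accounts and networks that actually perform vshell maintenance in your environment before relying on the reasons.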