Cisco Catalyst SD-WAN Manager Joined CISA KEV With Four CVEs On The Same Day. Chain Them And You Go From Anonymous HTTP Request To Owning Every Router In The Fabric.
- Patrick Duggan
CISA added four Cisco Catalyst SD-WAN Manager vulnerabilities to the Known Exploited Vulnerabilities catalog on May 13, 2026. One of the four, CVE-2026-20127, applies to both the SD-WAN Manager (formerly vManage) and the SD-WAN Controller (formerly vSmart). All four landed in the same drop, and CISA gates KEV entries on credible evidence of exploitation in the wild.
This is a long-form analysis because the chain matters more than any individual CVE, and because the SD-WAN Manager is the central control plane for the entire SD-WAN fabric — compromising it is not "a host compromise." It is a fleet compromise. Every WAN-edge router in the deployment talks to the Manager. Owning the Manager owns the fabric.
We have no prior coverage of these five CVE identifiers in the DugganUSA archive. That gap closes today.
The cluster
CVE-2026-20127. Cisco Catalyst SD-WAN Controller (formerly vSmart) and SD-WAN Manager (formerly vManage). Authentication bypass. An unauthenticated remote attacker bypasses authentication entirely and obtains administrative privileges on the affected system. Per CISA's own description, the bug is that "the peering authentication mechanism in an affected system is not working properly." Crafted requests are sufficient. This is the front door, unlocked.
CVE-2026-20122. Cisco Catalyst SD-WAN Manager. Incorrect use of privileged APIs. An authenticated attacker uploads a malicious file via the API, the Manager's improper file handling lets the upload overwrite arbitrary files on the system, and the attacker ends up with vmanage user privileges. The "authenticated" requirement is satisfied trivially if CVE-2026-20127 is in the chain — the auth bypass gives you the admin context the file upload needs.
CVE-2026-20133. Cisco Catalyst SD-WAN Manager. Exposure of sensitive information to an unauthorized actor. Remote attackers view sensitive information on affected systems. The catalog wording is generic, so the specifics are inference: pre-auth disclosure of operational data, plausibly device-onboarding state, certificate fingerprints or fabric topology. The disclosure is interesting on its own and a useful reconnaissance step when paired with the auth bypass.
CVE-2026-20128. Cisco Catalyst SD-WAN Manager. Storing passwords in a recoverable format. An authenticated local attacker reads the credential file for the DCA user from the filesystem and recovers the cleartext (or reversibly encoded) password. DCA is the Data Collection Agent, the service identity that the Manager uses to talk to fabric nodes. Recovering its password hands the attacker the trust relationship the Manager holds with every router downstream.
Bonus from our harvester pipeline: CVE-2026-20224 — an XXE injection vulnerability in Cisco Catalyst SD-WAN Manager — appeared on GitHub on May 16 as a public PoC repository (fevar54/CVE-2026-20224-XXE-Injection-en-Cisco-Catalyst-SD-WAN-Manager). Our exploit-harvester emitted two detection rules from the PoC and indexed them this morning. XXE on a management plane is server-side file read and potential SSRF into internal segments — another rung in the chain.
That is five CVEs on one product in one week. Treat all of them as active.
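The XXE rung deserves one concrete look, because "server-side file read" is abstract until you see the parser do it. The block below is an added illustration in Python's standard-library SAX parser; it is not the fevar54 PoC, not Cisco code, and says nothing about how the Manager parses XML. The XML document, the credential-file path and its contents are all constructed for the demo. What it shows is the single parser setting that separates a harmless parse from a file read, and the hardening a management plane should apply to any XML it accepts from the network: reject DOCTYPE outright, and keep external entities off underneath that.

```python
"""XXE, vulnerable and hardened, in Python's stdlib SAX parser.
Added illustration only: nothing here is the public PoC or Cisco code,
and the XML document and secret file are constructed for the demo."""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Accumulate the character data of every element, keyed by tag name."""

    def __init__(self):
        super().__init__()
        self.text = {}
        self._stack = []

    def startElement(self, name, attrs):
        self._stack.append(name)
        self.text.setdefault(name, "")

    def characters(self, content):
        if self._stack:
            self.text[self._stack[-1]] += content

    def endElement(self, name):
        self._stack.pop()


def parse_xml(data, allow_external_entities):
    """Parse bytes. The flag is the one setting that decides whether an
    <!ENTITY x SYSTEM "..."> reference pulls a server-side file into the
    document (feature_external_ges; off by default in modern Python)."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, allow_external_entities)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(data))
    return handler.text


def parse_hardened(data):
    """Defence in depth for untrusted XML: refuse any DOCTYPE outright (no
    DTD means no entity declarations at all), then parse with external
    entities disabled in case the DOCTYPE check is ever bypassed."""
    if b"<!DOCTYPE" in data:
        raise ValueError("DOCTYPE not permitted in untrusted XML")
    return parse_xml(data, allow_external_entities=False)


def demo():
    """Return (leaked_text, text_with_entities_off, hardened_rejected)."""
    # Constructed stand-in for a credential file on the server's filesystem.
    with tempfile.NamedTemporaryFile("w", suffix=".cred", delete=False) as f:
        f.write("dca_password=hunter2")
        secret_path = f.name
    # Constructed attacker document: an external entity pointing at that file.
    payload = (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE device [ <!ENTITY xxe SYSTEM "{secret_path}"> ]>\n'
        "<device><hostname>&xxe;</hostname></device>"
    ).encode()
    try:
        leaked = parse_xml(payload, allow_external_entities=True)["hostname"]
        silent = parse_xml(payload, allow_external_entities=False)["hostname"]
        try:
            parse_hardened(payload)
            rejected = False
        except ValueError:
            rejected = True
    finally:
        os.unlink(secret_path)
    return leaked, silent, rejected


if __name__ == "__main__":
    leaked, silent, rejected = demo()
    print("external entities on :", repr(leaked))
    print("external entities off:", repr(silent))
    print("hardened parser rejected document:", rejected)
```

With external entities on, the `<hostname>` element comes back containing the credential file's contents; with them off, the same document parses to an empty element; the hardened parser never gets as far as parsing. The SSRF variant is the same mechanism with an `http://` system identifier instead of a path, which is why the DOCTYPE rejection, not just the entity flag, is the control to reach for.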
The chain — five steps, no credentials required
Read the five together and the shape is a complete fleet-level compromise. Read it as a sequence and notice that no step requires anything more than HTTP access to the Manager.
Step one. The attacker discovers a Catalyst SD-WAN Manager instance reachable on the internet. Shodan, Censys, or simple HTTPS fingerprinting on the Manager's web UI port finds them. The fingerprint is distinctive: the vManage login page and the Manager's API responses both carry identifiable Cisco and vManage branding. Sweeping the public internet for these takes one afternoon.
Step two. The attacker sends crafted requests to the peering authentication endpoint. CVE-2026-20127. The peering authentication mechanism does not validate as designed. The server returns an authenticated session at the administrative level. The attacker is now admin on the Manager without ever submitting a credential.
Step three. The attacker uses the admin context to call the privileged file-upload API. CVE-2026-20122. Improper file handling lets the upload overwrite arbitrary paths on the Manager's filesystem. The attacker writes a payload to a path the Manager's own service account executes — startup scripts, scheduled task definitions, configuration include files. The attacker now has code execution at vmanage user privileges.
Step four. With local code execution, the attacker reads the DCA user's credential file. CVE-2026-20128. The password is stored in a recoverable format. The attacker recovers it. The DCA user is the service identity the Manager uses to authenticate to every WAN-edge router in the fabric.
Step five. With DCA credentials in hand, the attacker is the Manager from the perspective of every router downstream. Push policy changes. Modify routing. Install attacker-issued certificates into the trust chain. Provision new VPNs. Re-home tunnels through attacker-controlled infrastructure and intercept the traffic they carry. Replacing the trust anchors the routers validate against lets the attacker impersonate the control plane to the fabric; it does not by itself decrypt end-user TLS, and the interception comes from the re-homed tunnels.
Optionally, CVE-2026-20133 (info disclosure) is used in step zero to map the fabric before any of this — see which edge sites exist, which sectors are reachable, what the deployment topology looks like. CVE-2026-20224 (XXE injection) provides an alternate file-read path if CVE-2026-20122 is patched but XXE is not.
The total wire-level footprint of a complete fleet compromise is a handful of HTTP requests plus one local credential-file read. From anonymous stranger to controlling every router in the SD-WAN deployment, without supplying a credential at any step.
Why SD-WAN Manager specifically
SD-WAN Manager is not a network device. It is the control plane for the network. Cisco's SD-WAN architecture (originally Viptela, acquired in 2017, later rebranded to Catalyst SD-WAN) separates the data plane (the WAN-edge routers carrying actual traffic) from the control plane (vManage / vSmart / vBond, now Manager / Controller / Validator). The control plane is what tells every edge router which tunnels to build, which peers to trust, which routes to advertise.
If the data plane gets compromised, you lose one router. If the control plane gets compromised, you lose every router in the fabric simultaneously, and the attacker can re-provision the fabric to route every packet of customer traffic through whatever infrastructure they choose.
The blast radius of an SD-WAN Manager compromise compared to a single WAN-edge router compromise is the same as the blast radius of an Active Directory domain controller compromise compared to a single workstation. It is not "a host." It is the trust anchor of the fleet.
Catalyst SD-WAN Manager runs in production across a large share of Fortune 500 networks. It is in the federal civilian agency footprint. It is in MSP-operated deployments where a single Manager instance runs the SD-WAN for dozens of client tenants, the same multi-tenancy multiplier that makes mail-server compromises catastrophic.
Why this lands now
Cisco published the parent advisory bundle ERP-75736 on March 4, 2026, covering 25 advisories and 48 vulnerabilities across the ASA / FTD / FMC / SD-WAN product families. Two of the 48 were CVSS 10.0. We wrote about the ASA / FTD side of that bundle on March 17 in the post titled "Your Cisco ASA Is Getting Popped Right Now. Here's How to Block It in 5 Minutes," naming UAT4356 / ArcaneDoor / Storm-1849 as the state-sponsored actor exploiting ASA zero-days since September 2025.
CISA waited until May 13 to KEV the Catalyst SD-WAN Manager subset of that bundle. The gap between vendor disclosure (March 4) and KEV listing (May 13) is 70 days. The interpretation is that active exploitation evidence accumulated during that window, and CISA's verification pipeline accepted it on May 13. Translation: CISA has accepted evidence that someone has used these in the wild. The evidence itself is not necessarily public; the listing is.
The soft-surface bleed pattern, again
Six of the last seven major incidents that crossed our coverage threshold this quarter started on a soft surface — not the hard perimeter. Mail server. SDK supply chain. CI/CD pipeline. Build runner. Identity provider integration. Now: SD-WAN management plane. The hard perimeter — firewalls, EDR, MFA on user accounts — generally holds in well-instrumented environments. The soft surfaces are where the breaches actually land, because soft surfaces are deeply trusted by everything around them and yet often under-monitored.
A Catalyst SD-WAN Manager has read/write authority over every WAN-edge router it provisions. It has cryptographic trust anchors that the rest of the fabric validates against. It usually has a default-allow ACL for the management network it sits on. It rarely has the EDR coverage that knowledge-worker endpoints have. It almost never has the SIEM coverage that mail servers have. This is the model "soft surface" — high trust, low monitoring, broad blast radius.
What to do today
If you operate Cisco Catalyst SD-WAN Manager — vManage in the older naming — the action list is short.
Patch. Apply the SD-WAN Manager update from Cisco that addresses CVE-2026-20127, CVE-2026-20122, CVE-2026-20133, and CVE-2026-20128 from the May 13 KEV listing. The Cisco PSIRT advisory bundle (ERP-75736 plus subsequent point updates) is the source of truth for the fixed software versions. Confirm in the release notes that all four CVEs are in the fixed build. Do not assume a single patch covers all four; verify. While you are in the release notes, check whether the same build also addresses CVE-2026-20224, which is not in the KEV drop but already has a public PoC.
Restrict the management surface. The Manager's web UI and API surfaces should not be reachable from the open internet under any deployment model that values its fabric. Put the management interfaces on a management VLAN reachable only through a VPN concentrator with MFA. The fabric data plane (DTLS / IPsec / TLS to spokes) can remain on its normal addressing — the management surface is the one that needs to come off the public internet.
Audit recent administrator activity. Pull SD-WAN Manager logs for authentication events without a corresponding ticket. Look for sessions originating from source IPs outside your normal admin pool. Look for file uploads to administrative API endpoints that you cannot tie to a known change. Look for DCA-user reads of the credential file outside of normal Manager-startup events.
Rotate. If you find indication of compromise, treat the Manager as fully owned and the fabric as untrustworthy. Rotate every credential the Manager touched: DCA password, every vEdge / cEdge join token, every certificate in the trust chain, every API key, every administrator account. Rebuild the trust anchors. Re-enroll every edge router. This is operationally expensive and there is no shortcut.
Hunt across the perimeter even if you do not run Catalyst SD-WAN. The detection patterns generalize. Anonymous POSTs to management endpoints. Privileged API calls without prior session establishment. Service-account file-reads on credential storage outside startup windows. Outbound traffic from management infrastructure to low-reputation hosts. These signals matter wherever a control plane sits on a network.
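As an added, runnable illustration of the audit in the list above and the hunt patterns just described (this is not tooling from the post or from Cisco), the script below applies those checks to a few constructed, syslog-style lines: a privileged API call on a session that never completed a login (the shape an auth bypass leaves behind), an administrator login from outside the admin address pool, an upload to a privileged endpoint with no change ticket, and a read of the DCA credential file outside the boot window. The log format, the field names, the `/api/admin/` prefix, the credential path and the admin pool are all assumptions; swap `parse()` for a parser of whatever your Manager actually emits and the logic carries over.

```python
"""Hunt for the four signals the post lists over constructed Manager-style
log lines. The line format, paths and address pool are assumptions, not
Cisco's; adapt parse() and the constants to your real Manager logs."""
import ipaddress
import re
from collections import Counter
from datetime import datetime, timedelta

# Assumed environment values (not Cisco's): tune to your deployment.
ADMIN_POOL = [ipaddress.ip_network("10.50.0.0/24")]   # where admin sessions should originate
STARTUP_WINDOW = timedelta(minutes=5)                  # DCA credential reads expected only this long after boot
PRIVILEGED_PREFIX = "/api/admin/"                      # hypothetical privileged API prefix
UPLOAD_SUFFIX = "/upload"                              # hypothetical file-upload endpoint
CRED_PATHS = {"/opt/manager/creds/dca.cred"}           # hypothetical DCA credential file

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse(line):
    """Turn one 'TIMESTAMP key=value ...' line into a dict; None if unparseable."""
    line = line.strip()
    if not line:
        return None
    ts, _, rest = line.partition(" ")
    try:
        rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    except ValueError:
        return None
    for key, val in KV_RE.findall(rest):
        rec[key] = val.strip('"')
    return rec


def in_admin_pool(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ADMIN_POOL)


def hunt(lines):
    """Return (timestamp, signal, session_or_user, detail) for every hit."""
    events = sorted((r for r in map(parse, lines) if r), key=lambda r: r["ts"])
    authenticated = set()   # sessions that completed a real login
    boot_at = None
    findings = []
    for r in events:
        ev = r.get("event")
        if ev == "boot":
            boot_at = r["ts"]
        elif ev == "login" and r.get("result") == "success":
            authenticated.add(r.get("session"))
            if not in_admin_pool(r["src"]):
                findings.append((r["ts"], "login_outside_admin_pool", r.get("session"), r["src"]))
        elif ev == "api":
            path = r.get("path", "")
            # Privileged call with no login behind the session: the auth-bypass shape.
            if path.startswith(PRIVILEGED_PREFIX) and r.get("session") not in authenticated:
                findings.append((r["ts"], "privileged_call_without_login", r.get("session"), path))
            # Upload to an admin endpoint that no change ticket explains.
            if r.get("method") == "POST" and path.endswith(UPLOAD_SUFFIX) and r.get("ticket", "-") == "-":
                findings.append((r["ts"], "upload_without_ticket", r.get("session"), path))
        elif ev == "file_read" and r.get("path") in CRED_PATHS:
            # Credential-store reads are normal right after boot, suspicious later.
            if boot_at is None or r["ts"] - boot_at > STARTUP_WINDOW:
                findings.append((r["ts"], "cred_read_outside_startup", r.get("user"), r["path"]))
    return findings


def summarize(findings):
    """Count hits per signal."""
    return dict(Counter(sig for _, sig, _, _ in findings))


# Constructed sample log: one normal operator session, one bypass-shaped session,
# one late credential read and one login from outside the admin pool.
SAMPLE_LOG = """\
2026-05-14T01:00:00Z event=boot host=manager01
2026-05-14T01:00:30Z event=file_read user=dca path=/opt/manager/creds/dca.cred pid=412
2026-05-14T01:12:07Z event=login result=success user=netops session=s100 src=10.50.0.21
2026-05-14T01:13:00Z event=api method=GET path=/api/admin/devices session=s100 src=10.50.0.21 ticket=CHG-4411
2026-05-14T02:11:03Z event=api method=GET path=/api/admin/devices session=s777 src=203.0.113.7 ticket=-
2026-05-14T02:11:09Z event=api method=POST path=/api/admin/upload session=s777 src=203.0.113.7 ticket=-
2026-05-14T02:11:40Z event=file_read user=vmanage path=/opt/manager/creds/dca.cred pid=9931
2026-05-14T03:05:00Z event=login result=success user=admin session=s778 src=198.51.100.9
"""


def hunt_sample():
    return hunt(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for ts, sig, who, detail in hunt_sample():
        print(f"{ts:%Y-%m-%dT%H:%M:%SZ} {sig:32} {who} {detail}")
```

Session `s777` is the one to stare at: two privileged calls with no login event behind them, followed by a ticketless upload and, thirty seconds later, a read of the DCA credential file by the `vmanage` user long after boot. That ordering is the chain from the previous section as it would appear in your own logs, which is the point of keeping sessions and timestamps together rather than alerting on each line in isolation.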
How this fits the bigger picture
Two themes worth ending on.
First, the May 13 KEV drop was a Cisco-and-Ivanti drop, not a Microsoft drop. We wrote yesterday about the Microsoft Patch Tuesday cluster on May 13: six CVEs across MSHTML, Windows Shell, RDP, DWM, Word, RACM. That was true. What we did not surface yesterday and surface today is that the same May 13 KEV addition included the Cisco ASA pre-auth RCE chain (CVE-2025-20333 + CVE-2025-20362), this Catalyst SD-WAN Manager cluster (CVE-2026-20127 / -20122 / -20133 / -20128), an Ivanti Connect Secure stack overflow (CVE-2025-22457), and a reviewdog GitHub Action embedded malicious code entry (CVE-2025-30154). By our count, May 13 was the broadest single-day KEV addition this year. The Microsoft cluster was the loudest piece, not the most important piece. The most important piece for any organization with Cisco perimeter or SD-WAN gear is the Cisco subset.
Second, control planes are the asymmetry we keep paying for. Every time the industry consolidates network operations onto a control-plane management product, the security model assumes the control plane is hard. Active Directory was supposed to be hard. vCenter was supposed to be hard. SCCM was supposed to be hard. Catalyst SD-WAN Manager is supposed to be hard. Each of them has had critical, in several cases pre-authentication, compromise paths disclosed in recent years. The pattern is structural, not vendor-specific. The defensive answer is the same in every case: control-plane management surfaces do not belong on the public internet, do not share a network with end-user traffic, and need the same EDR and audit-logging coverage as a domain controller.
If you read this far and you do not run Cisco SD-WAN, the takeaway is the pattern. The next major control-plane vendor to have this shape of disclosure is not a hypothetical — it is a calendar event waiting to happen.
Where we sit
The DugganUSA archive had zero prior CVE-identifier coverage of this cluster as of the May 16 sweep. That gap is now closed. Going forward, our iocs index will tag indicators attributable to Catalyst SD-WAN Manager exploitation against the relevant CVE identifiers, and the STIX feed will deliver attributable infrastructure to subscribers on the normal cadence. The exploit harvester has already picked up the public PoC for CVE-2026-20224 and indexed detection rules.
Patch the cluster. Restrict the management surface. Audit. Rotate if you find anything. The chain is a handful of HTTP requests long, the surface is internet-facing by default in too many deployments, and the exploitation cost to an attacker is approximately one afternoon.
Sources: CISA Known Exploited Vulnerabilities Catalog entries for CVE-2026-20127, CVE-2026-20122, CVE-2026-20133, and CVE-2026-20128, all added 2026-05-13. Cisco PSIRT bundle ERP-75736 published 2026-03-04. DugganUSA prior coverage: "Your Cisco ASA Is Getting Popped Right Now. Here's How to Block It in 5 Minutes" (2026-03-17). DugganUSA exploit-harvester index entry for CVE-2026-20224 (XXE injection) emitted 2026-05-16 from fevar54/CVE-2026-20224-XXE-Injection-en-Cisco-Catalyst-SD-WAN-Manager. DugganUSA archive coverage check against the iocs and blog indexes confirmed zero prior CVE-identifier coverage of this cluster on 2026-05-16.