CISA flags another Cisco Catalyst SD-WAN Manager bug as exploited (CVE-2026-20133)

CISA added eight new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, including a Cisco Catalyst SD-WAN Manager vulnerability (CVE-2026-20133) that Cisco has yet to flag as exploited.

Three Cisco Catalyst SD-WAN Manager vulnerabilities

Alongside CVE-2026-20133, CISA has also listed CVE-2026-20128 and CVE-2026-20122 – two other Catalyst SD-WAN Manager vulnerabilities – as being leveraged in attacks.

Cisco confirmed in early March 2026 that the latter two flaws were being actively exploited.

In March, VulnCheck’s research team assessed that “CVE-2026-20133 is a higher risk than defenders may realize, and is likely to be exploited — if exploitation isn’t already ongoing under the radar.”

It’s currently unclear whether CVE-2026-20133 was exploited alongside CVE-2026-20128 and CVE-2026-20122 in those initial attacks.

The remaining five security holes

This latest batch of additions to CISA’s Known Exploited Vulnerabilities catalog includes:

  • CVE-2023-27351, a PaperCut NG/MF vulnerability that has been exploited since early 2023 by Lace Tempest, a Clop ransomware affiliate
  • CVE-2024-27199, a JetBrains TeamCity flaw leveraged by attackers since early 2024
  • CVE-2025-2749, a Kentico Xperience bug with no public reports of exploitation
  • CVE-2025-32975, a vulnerability affecting Quest KACE Systems Management Appliances. In March 2026, Arctic Wolf observed “malicious activity in customer environments potentially linked to [its] exploitation.”
  • CVE-2025-48700, a zero-click cross-site scripting vulnerability in Synacor’s Zimbra Collaboration Suite that, according to the State Special Communications Service of Ukraine, has been exploited since late September 2025.

CISA has ordered US federal civilian agencies to address all 8 flaws by April 20, 2026.
