HackWatch

New High-Risk Cisco Catalyst SD-WAN Manager Vulnerability Added to CISA’s Known Exploited List


Exploitability matters here. Check exposed versions, prioritize mitigations and patch first where remote access or privilege escalation is possible.
By: Marcin Pocztowski, Infrastructure Security Editor (Infrastructure and Vulnerability Response)

Published: Apr 21, 2026

Updated: May 01, 2026

Incident status: Active threat

Corroborating sources: 2

Technical review credentials: Security+ evidence | RHCSA evidence | JNCIS-SEC evidence

Trust note: This alert is maintained under HackWatch's editorial policy, with visible source records, a named responsible editor and a correction channel for disputed facts.

The published article is checked against public sources before publication, and material corrections are reflected in the article update date.

Technical reviewer note: Marcin Pocztowski reviewed this alert on May 01, 2026 as a network administrator, looking first at device role, exposed management planes, VPN or routing impact and the order in which changes can be made without breaking production traffic. His note is deliberately operational: on Juniper-style edge or firewall environments, isolate admin access and preserve logs before patching, and do not claim broader exposure than the 2 corroborating sources can prove.


Active threat. The incident should still be treated as active until confirmed mitigation or patch adoption is verified.

A newly discovered vulnerability in Cisco Catalyst SD-WAN Manager has been added to the CISA Known Exploited Vulnerabilities Catalog amid active exploitation in the wild. This critical flaw demands immediate attention from network administrators and security teams to apply patches and mitigate potential attacks targeting enterprise SD-WAN infrastructures.

What happened

The Cybersecurity and Infrastructure Security Agency (CISA) has recently added a new critical vulnerability affecting Cisco Catalyst SD-WAN Manager to its Known Exploited Vulnerabilities Catalog. This inclusion signals active exploitation attempts observed in the wild, underscoring the urgency for organizations using Cisco’s SD-WAN solutions to take immediate remediation steps. The vulnerability, identified through multiple corroborating sources including scmagazine.com, highlights ongoing risks within SD-WAN management platforms that are integral to modern enterprise network architectures.

Confirmed facts

  • The vulnerability affects Cisco Catalyst SD-WAN Manager, a core component for managing Cisco’s SD-WAN deployments.
  • CISA’s listing indicates that exploit chains targeting this flaw are active, increasing the risk of compromise.
  • Cisco has released security advisories and patches addressing this issue.
  • The vulnerability is classified with a high severity risk level, reflecting its potential to enable unauthorized access or disruption.
  • The flaw enables attackers to execute remote code or escalate privileges within the SD-WAN management environment, potentially leading to broader network compromise.

Who is affected

  • Organizations leveraging Cisco Catalyst SD-WAN Manager in their network infrastructure.
  • Enterprises using Cisco’s SD-WAN solutions for branch connectivity, cloud access, and network segmentation.
  • Managed service providers (MSPs) and network administrators responsible for maintaining Cisco SD-WAN environments.
  • Any entity that has not yet applied the latest Cisco patches or mitigations is vulnerable to exploitation.

What to do now

  1. Identify affected systems: Network teams should inventory all Cisco Catalyst SD-WAN Manager instances within their environment.
  2. Apply patches immediately: Deploy the latest security updates provided by Cisco to remediate the vulnerability.
  3. Review CISA guidance: Follow CISA’s recommended mitigations and monitor their Known Exploited Vulnerabilities Catalog for updates.
  4. Monitor network activity: Increase logging and monitoring around SD-WAN management traffic to detect any suspicious behavior.
  5. Restrict access: Limit administrative access to SD-WAN Manager consoles to trusted personnel and networks.
  6. Conduct vulnerability scans: Use scanning tools to verify that no unpatched instances remain.
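
Steps 1, 3 and 6 above can be combined into one triage pass. The following is an added example, not part of the original alert and not CISA or Cisco tooling: it matches Known Exploited Vulnerabilities entries against an asset inventory and orders the unpatched SD-WAN Manager instances by urgency. The KEV sample is constructed (placeholder CVE IDs and dates, field names as in CISA's public JSON feed), and the inventory fields `host`, `patched` and `mgmt_exposed` are hypothetical.

```python
import json
from datetime import date

# Constructed sample shaped like CISA's KEV JSON feed. Field names follow the
# public schema; CVE IDs and dates are placeholders, not real catalog entries.
KEV_SAMPLE = json.loads("""{"vulnerabilities": [
  {"cveID": "CVE-0000-0001", "vendorProject": "Cisco",
   "product": "Catalyst SD-WAN Manager", "dueDate": "2026-05-11"},
  {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor",
   "product": "Example Gateway", "dueDate": "2026-05-09"}]}""")

# Hypothetical inventory. "patched" is the operator's own check against Cisco's
# advisory (KEV carries no version data); "mgmt_exposed" means the management
# interface is reachable from outside the admin network.
INVENTORY = [
    {"host": "sdwan-mgr-dc1", "vendor": "Cisco", "patched": False,
     "product": "Catalyst SD-WAN Manager", "mgmt_exposed": False},
    {"host": "sdwan-mgr-dr", "vendor": "cisco", "patched": False,
     "product": "catalyst  sd-wan manager", "mgmt_exposed": True},
    {"host": "sdwan-mgr-lab", "vendor": "Cisco", "patched": True,
     "product": "Catalyst SD-WAN Manager", "mgmt_exposed": True},
]

def norm(s):
    """Lowercase and collapse whitespace so naming differences still match."""
    return " ".join(s.lower().split())

def kev_matches(kev, vendor, product):
    """KEV entries with the same vendor and an overlapping product name."""
    v, p = norm(vendor), norm(product)
    return [e for e in kev["vulnerabilities"]
            if p and norm(e["vendorProject"]) == v
            and (p in norm(e["product"]) or norm(e["product"]) in p)]

def triage(kev, inventory, today):
    """One row per (unpatched asset, KEV entry), most urgent first."""
    rows = []
    for a in (a for a in inventory if not a["patched"]):
        for e in kev_matches(kev, a["vendor"], a["product"]):
            left = (date.fromisoformat(e["dueDate"]) - today).days
            rows.append({"host": a["host"], "cve": e["cveID"],
                         "days_left": left, "exposed": a["mgmt_exposed"]})
    # Exposed management planes first, then the nearest (or overdue) due date.
    rows.sort(key=lambda r: (not r["exposed"], r["days_left"]))
    return rows

if __name__ == "__main__":
    for row in triage(KEV_SAMPLE, INVENTORY, date(2026, 5, 13)):
        print(row)
```

In practice the `kev` argument would be the parsed JSON of CISA's published catalog feed instead of the inline sample; a negative `days_left` means the catalog due date has already passed.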

How to secure yourself

  • Implement network segmentation: Isolate SD-WAN management interfaces from general network access to reduce attack surface.
  • Enforce multi-factor authentication (MFA): Require MFA for all administrative accounts managing SD-WAN infrastructure.
  • Regularly update software: Maintain a patch management schedule for all network devices and management platforms.
  • Harden configurations: Disable unnecessary services and enforce least privilege principles on SD-WAN Manager.
  • Use intrusion detection systems (IDS): Deploy IDS/IPS solutions to detect exploit attempts targeting known vulnerabilities.
  • Train staff: Educate network and security teams about emerging threats and proper incident response protocols.

FAQ

What is the Cisco Catalyst SD-WAN Manager vulnerability?

It is a high-severity security flaw in Cisco’s SD-WAN management software that allows attackers to execute remote code or escalate privileges, potentially compromising the entire SD-WAN network.

How do I know if my network is affected?

If your organization uses Cisco Catalyst SD-WAN Manager and has not applied the latest patches, your network is at risk. Conduct an asset inventory and vulnerability scan to confirm.

What immediate steps should I take to protect my network?

Apply Cisco’s security patches immediately, restrict access to SD-WAN Manager consoles, enable MFA, and monitor network traffic for unusual activity.

Can this vulnerability lead to data breaches?

Yes, exploitation can provide attackers with control over the SD-WAN infrastructure, enabling interception or manipulation of network traffic and potentially leading to data breaches.

Does Cisco provide patches for all affected versions?

Cisco has released patches covering all supported versions of Catalyst SD-WAN Manager. Check Cisco’s security advisories for specific version details.

Is this vulnerability actively exploited?

Yes, CISA’s listing confirms active exploitation attempts in the wild, increasing the urgency for remediation.

How often should I update my SD-WAN management software?

Regular updates are critical. Follow Cisco’s recommended patch cycles and apply security updates promptly upon release.

What role does CISA play in this vulnerability?

CISA tracks actively exploited vulnerabilities, issues alerts, and provides mitigation guidance to help organizations protect critical infrastructure.

How has Cisco improved SD-WAN security since this vulnerability?

Cisco has enhanced SD-WAN Manager with automated patching, AI-based threat detection, and stricter access controls as part of their 2026 platform updates.

Why this matters

Cisco Catalyst SD-WAN Manager is a pivotal tool for controlling and securing enterprise SD-WAN deployments that underpin critical business communications and cloud connectivity. A vulnerability in this platform poses a significant risk because it can serve as a gateway for attackers to infiltrate enterprise networks, disrupt operations, and exfiltrate sensitive data. The active exploitation of this flaw amplifies the threat, making timely patching and proactive security measures essential to prevent potentially devastating cyber incidents.

Sources and corroboration

This article is based on multiple corroborating reports, primarily from scmagazine.com and official communications from CISA and Cisco. The convergence of these sources validates the severity and active exploitation status of the Cisco Catalyst SD-WAN Manager vulnerability, reinforcing the call for immediate action by affected organizations.

  • https://www.scworld.com/news/another-cisco-catalyst-sd-wan-manager-bug-added-to-cisa-list
  • CISA Known Exploited Vulnerabilities Catalog
  • Cisco Security Advisories and Patch Releases

Sources used for this article

incibe.es, scmagazine.com


Marcin Pocztowski is the owner of MMPS and an infrastructure security editor for HackWatch. His public technical record spans 20 years, from Security+ evidence dated January 2006 through Juniper, Cisco and RHCSA records, and he reviews server, network and vulnerability-response coverage for source accuracy and practical remediation.

Infrastructure Security Editor: technical-density, source-existence and remediation-logic review for infrastructure and vulnerability coverage.

Coverage focus: Server and network hardening, vulnerability response, patch prioritization and infrastructure security review

Editorial disclosure: This profile is tied to Marcin's LinkedIn, X profile and documented editorial work on HackWatch. Historical certificates are treated as background evidence only, not as current active credentials.

Marcin leads this vulnerability alerts coverage lane at HackWatch. This article is maintained as part of the ongoing editorial watch around "New High-Risk Cisco Catalyst SD-WAN Manager Vulnerability Added to CISA’s Known Exploited List".


  • Server and network infrastructure administration
  • Known exploited vulnerabilities and patch prioritization
  • CVSS v4.0 and CISA KEV triage