CYBERSIP DAILY CYBER BRIEF · ISSUE NO. 9 · APRIL 21, 2026 · CYBERSIP.NET
Daily Cyber Brief · Intelligence Without the Noise
Issue No. 9  ·  April 21, 2026  ·  3 active items  ·  Under 5 min read
Today's picture
CISA added three Cisco Catalyst SD-WAN Manager flaws to the Known Exploited Vulnerabilities catalog yesterday and gave federal agencies until Thursday to remediate. That two-day window reflects how seriously the agency is treating active exploitation. SD-WAN Manager controls enterprise network routing, and these three vulnerabilities chain together into a path from unauthenticated remote reconnaissance all the way to full administrative control. On the positive side, Microsoft shipped emergency patches Sunday for the domain controller restart loop that has been disrupting Active Directory environments since the April Patch Tuesday update.
Threat snapshot
1 new · 1 resolved · 1 developing · 2 monitoring
New KEV Listed 48hr Deadline
Three Cisco SD-WAN flaws in KEV with a Thursday federal deadline. They chain for full network control.
CVE-2026-20133 pulls sensitive data with no auth. CVE-2026-20122 overwrites files for vManage access. CVE-2026-20128 extracts credentials for full admin. Run them in sequence and you own the network fabric.
Resolved
Microsoft ships emergency fix for the domain controller restart loop.
Out-of-band updates KB5091157 and KB5091575 released April 19 fix the LSASS crash. Affected DCs can be recovered and stabilized.
Developing 2 Unpatched
Defender RedSun and UnDefend. Still no patches from Microsoft.
Active exploitation continues. Two-step chain blinds Defender then escalates to SYSTEM. No patch and no timeline.
Detailed intelligence
Full analysis
01 New KEV Listed Federal Deadline Apr 23
Three Cisco SD-WAN flaws land in KEV with a two-day federal deadline. They chain for full network control.
CVE-2026-20122 / CVE-2026-20128 / CVE-2026-20133
What happened
CISA added three vulnerabilities affecting Cisco Catalyst SD-WAN Manager to the Known Exploited Vulnerabilities catalog on April 20, setting a federal remediation deadline of April 23. The two-day window signals confirmed active exploitation that CISA considers urgent. Cisco SD-WAN Manager is the centralized administrative console controlling routing, configuration, and policy enforcement across enterprise wide-area networks. Owning it means owning the network fabric itself, not just a single host.

The three flaws work as a chain. CVE-2026-20133 is an unauthenticated information disclosure flaw. An attacker with no credentials sends a crafted HTTP request to the API and reads sensitive configuration data, system files, and credentials stored on the appliance. CVE-2026-20122 abuses privileged API endpoints through improper file handling, letting an attacker with read-only API access overwrite arbitrary files and escalate to vManage-level privileges. CVE-2026-20128 targets how the platform stores Data Collection Agent credentials in recoverable format. A low-privileged local user reads a credential file and gains full DCA admin access.

Run them in sequence: gather intelligence remotely with no credentials, use that access to escalate API privileges, overwrite system files, then extract stored credentials for full administrative control. Cisco confirmed active exploitation of CVE-2026-20122 and CVE-2026-20128 in March 2026. Patches were available before the KEV listing.
CyberSip Take
SD-WAN Manager is a recurring target in this brief and that pattern is not coincidence. It sits above every router, every traffic policy, and every network segment it manages. Compromising it gives an attacker configuration-level access to the network itself, not just a foothold on a single server. That payoff is worth significant attacker investment, which is why this class of infrastructure keeps appearing in exploitation campaigns. We covered a separate Cisco SD-WAN zero-day in Issue 1 and the targeting behavior has not changed. If your organization runs Catalyst SD-WAN Manager and has not put it in the highest-priority patch tier, this week makes the case for doing so. The Thursday federal deadline applies to FCEB agencies under a binding directive, but the exploitation is active and attackers are not checking whether your organization is federal before scanning.
Recommended actions
Derived from the federal known-exploited vulnerability catalog, CISA Emergency Directive 26-03, and vendor security advisories
02 Resolved
Microsoft ships emergency fix for the April domain controller restart loop. Apply it now if you have not already.
KB5091157 / KB5091575
What happened
Microsoft released out-of-band emergency updates on April 19 that address the domain controller restart loop first covered in Issue 7. The root cause was a conflict between the April Patch Tuesday update KB5082063 and LSASS processing in multi-domain forests using Privileged Access Management. Affected domain controllers experienced repeated LSASS crashes at startup, locking out authentication and directory services and in some environments making the entire domain unavailable. The fix is KB5091157 for Windows Server 2025 and KB5091575 for Windows Server 2022. Both are available through Windows Update, Microsoft Update Catalog, and WSUS. The update preserves all security fixes from the original April cumulative update while resolving the LSASS regression. Systems still stuck in a restart loop need manual recovery through the Windows Recovery Environment before the patch can be applied.
CyberSip Take
This closes the item that has been in the brief since Issue 7. One thing worth flagging for teams that held back the April Patch Tuesday update entirely because of the stability concerns: applying this out-of-band fix does not skip the security content from April 14. The OOB update preserves those fixes while removing the LSASS regression. You are not trading security for stability. Apply the OOB fix and you get both. This is also worth filing away as a data point on DC patching discipline. This is the third consecutive April that Microsoft's monthly server update has disrupted domain controllers. A 24-hour observation window on non-production domain controllers before production rollout would have caught this before anyone experienced an outage.
Recommended actions
Derived from Microsoft official support documentation and out-of-band update release notes
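A fleet check for the out-of-band fix, added here as an example and not code from CyberSip or Microsoft. It assumes the RSAT ActiveDirectory module and remote WMI access to each domain controller; the KB-to-OS mapping is taken from the brief, and DCs that cannot be reached (for example, still in the restart loop) are reported rather than silently skipped.

```powershell
# Added example: report which domain controllers carry the April CU (KB5082063)
# and whether the matching out-of-band fix from the brief is installed.
# Assumes: RSAT ActiveDirectory module, remote WMI (Get-HotFix) access to each DC.
Import-Module ActiveDirectory

# OOB update per OS family, as named in the brief. Other OS versions get no mapping
# here and are reported with OobFixNeeded = $null rather than a guessed KB.
$OobFix = @{
    'Windows Server 2025' = 'KB5091157'
    'Windows Server 2022' = 'KB5091575'
}

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $name = $dc.HostName
    $os   = $dc.OperatingSystem
    $needed = $OobFix.Keys | Where-Object { $os -like "*$_*" } | ForEach-Object { $OobFix[$_] } | Select-Object -First 1
    try {
        $installed = Get-HotFix -ComputerName $name -ErrorAction Stop | Select-Object -ExpandProperty HotFixID
        [pscustomobject]@{
            DC            = $name
            OS            = $os
            AprilCU       = ($installed -contains 'KB5082063')
            OobFixNeeded  = $needed
            OobFixPresent = if ($needed) { $installed -contains $needed } else { $null }
            # At risk = has the April CU but not the OOB fix that removes the LSASS regression
            AtRisk        = ($installed -contains 'KB5082063') -and $needed -and -not ($installed -contains $needed)
            Error         = $null
        }
    } catch {
        # Unreachable DCs are a finding in themselves: they may be stuck in the restart loop
        # and need manual recovery through WinRE before any patch can be applied.
        [pscustomobject]@{
            DC = $name; OS = $os; AprilCU = $null; OobFixNeeded = $needed
            OobFixPresent = $null; AtRisk = $null; Error = $_.Exception.Message
        }
    }
}

$report | Sort-Object AtRisk -Descending | Format-Table -AutoSize
```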
03 Developing 2 Unpatched
Defender RedSun and UnDefend. Still no patches from Microsoft. Still being exploited.
RedSun / UnDefend
Status update
No change from Issue 8. RedSun and UnDefend have been publicly available as working exploit code since April 16 and Microsoft has not shipped patches or a remediation timeline. Both remain in active exploitation. RedSun abuses Defender's cloud file rollback mechanism to achieve SYSTEM-level code execution via NTFS junction manipulation, with near-complete reliability on Windows 10, 11, and Server 2019 and later. UnDefend silently blocks Defender from receiving signature updates while the endpoint continues reporting healthy in management consoles. Attackers run them in sequence: UnDefend first to freeze threat intelligence without triggering alerts, then RedSun to escalate. Huntress has confirmed both techniques in live incidents. This item moves to Monitoring in the next issue if no patch materializes.
CyberSip Take
Six days since public release and the code still works, still has no patch, and the detection gap has not closed. The key signal remains the same as in prior issues: the only reliable early indicator is checking whether Defender signature update timestamps have actually advanced on connected endpoints, not just whether the service is running. A healthy-looking endpoint on a connected network that stopped receiving updates is worth investigating. Organizations that rely on Defender as their sole endpoint protection layer are carrying more risk than their dashboards currently reflect. A supplementary detection layer that does not depend on Defender signatures is the most practical mitigation available right now.
Recommended actions
Derived from Huntress threat research and vendor security advisories
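The timestamp check described in the CyberSip Take above, written out as an added example (not code from CyberSip, Huntress or Microsoft). It assumes WinRM access to the listed endpoints; the 48-hour threshold is an assumed value to tune to your own update cadence.

```powershell
# Added example: flag endpoints whose Defender signatures have stopped advancing
# while the service still reports itself running. Assumes WinRM reachability;
# the age threshold is an assumption, not a Microsoft-published value.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    [int]$MaxSignatureAgeHours = 48
)

$now = Get-Date
$results = foreach ($c in $ComputerName) {
    try {
        $s = Invoke-Command -ComputerName $c -ScriptBlock { Get-MpComputerStatus } -ErrorAction Stop
        $age = $now - $s.AntivirusSignatureLastUpdated
        [pscustomobject]@{
            Computer         = $c
            ServiceRunning   = $s.AMServiceEnabled
            RealTimeEnabled  = $s.RealTimeProtectionEnabled
            SignatureVersion = $s.AntivirusSignatureVersion
            LastUpdated      = $s.AntivirusSignatureLastUpdated
            AgeHours         = [math]::Round($age.TotalHours, 1)
            Error            = $null
        }
    } catch {
        [pscustomobject]@{
            Computer = $c; ServiceRunning = $null; RealTimeEnabled = $null
            SignatureVersion = $null; LastUpdated = $null; AgeHours = $null
            Error = $_.Exception.Message
        }
    }
}

# The fleet itself is the reference: if most endpoints advanced and one did not,
# that one is the outlier, regardless of what its console status says.
$newest = ($results | Where-Object { $null -eq $_.Error } | Measure-Object -Property LastUpdated -Maximum).Maximum

$results | ForEach-Object {
    $lagHours = if ($_.LastUpdated) { [math]::Round(($newest - $_.LastUpdated).TotalHours, 1) } else { $null }
    $_ | Add-Member -NotePropertyName LagBehindFleetHours -NotePropertyValue $lagHours -PassThru |
         Add-Member -NotePropertyName Suspicious -NotePropertyValue (
             $_.ServiceRunning -and ($_.AgeHours -gt $MaxSignatureAgeHours -or $lagHours -gt $MaxSignatureAgeHours)
         ) -PassThru
} | Sort-Object Suspicious -Descending | Format-Table Computer, ServiceRunning, SignatureVersion, AgeHours, LagBehindFleetHours, Suspicious, Error -AutoSize
```

An endpoint with ServiceRunning true and a large LagBehindFleetHours is the "healthy-looking but frozen" case the brief describes.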
Still watching
Aging items · days 2–7
Items here remain operationally relevant but have produced no significant new developments. They drop off after 7 days.
Vercel breach via Context.ai OAuth (Issue 8). Investigation ongoing with Mandiant. If you have not audited Google Workspace OAuth grants and checked for the compromised Client ID, do it today. Day 2
Apache ActiveMQ CVE-2026-34197 (Issue 6). Federal deadline April 30. Active exploitation continues. Patch to version 5.19.4 or 6.2.3. Day 5
Cross-source standouts
What connects this week
01
SD-WAN keeps showing up because it is the network's control plane
This is the second Cisco SD-WAN item in the brief this month. The pattern is not coincidence. SD-WAN Manager sits above every router, every traffic policy, and every routing decision across the enterprise WAN. An attacker who gets into it does not just gain a server; they gain the ability to reconfigure how the entire network behaves. That payoff makes it a high-value target worth systematic investment, which is exactly what the exploitation pattern reflects. If your organization runs Catalyst SD-WAN Manager and it is not in your highest-priority patch tier alongside firewalls and identity infrastructure, this week is the argument for moving it there.
02
April's patch cycle produced more operational failures than any recent month
The April Patch Tuesday update generated a BitLocker recovery loop on Windows Server 2025, a domain controller restart loop across Server 2016 through 2025, and required two separate emergency out-of-band fixes to clean up after itself. The Register noted this is the third consecutive April that Microsoft's server updates disrupted domain controllers. The lesson is not to defer patching. The lesson is that domain controllers need a staged deployment approach with at least 24 hours of observation on non-production systems before production rollout, every cycle, not just when things go wrong.
Our methodology
  • Federal cybersecurity advisories
  • Law enforcement threat bulletins
  • National vulnerability databases
  • Major vendor security advisories
  • Cross-referenced for relevance and corroboration
About CyberSip
A cyber brief for leaders and practitioners who need signal, not noise. Intelligence without the noise, published on cybersip.net.

CyberSip aggregates cybersecurity information from publicly available sources for informational purposes only. CyberSip does not provide legal, technical, incident response, or compliance advice, and makes no guarantee regarding completeness, accuracy, or timeliness. Organizations should validate all findings within their own environments and consult qualified professionals as appropriate. Original advisories, remediation guidance, and technical details remain with the referenced source organizations. Items remain active for no more than 7 days from publication unless materially updated.