Network flaws hit keystone gear

- Researchers disclosed remote-code-execution vulnerabilities in Cisco Identity Services Engine and other network products.
- CISA added eight actively exploited flaws to its Known Exploited Vulnerabilities catalog with federal patch deadlines.
- If financial systems rely on affected gear, patching schedules and disclosure processes become financially significant.

The gear that decides who gets onto a corporate network is at the center of a fresh patching push after Cisco disclosed critical flaws in Identity Services Engine on April 15. (cisco.com) Identity Services Engine is the policy server that checks devices and users before they connect, which makes it a choke point for offices, campuses, and data centers.

Cisco said CVE-2026-20180 and CVE-2026-20186 carry CVSS scores of 9.9 and can let an attacker with Read Only Admin credentials send crafted HTTP requests, reach the underlying operating system, and then escalate to root. (cisco.com) Cisco also disclosed CVE-2026-20147 and CVE-2026-20148 on April 15 for Identity Services Engine and Identity Services Engine Passive Identity Connector, with a 9.9 severity rating and no workaround. Cisco said those bugs require valid administrative credentials and can lead to remote code execution or path traversal, a way to reach files outside the intended folder. (cisco.com)

Cisco said a successful attack on a single-node Identity Services Engine deployment can knock that node offline and stop new endpoints from authenticating until it is restored. The company said affected customers need fixed releases or patches, including 3.1 Patch 11, 3.2 Patch 10, 3.3 Patch 11, 3.4 Patch 6, and 3.5 Patch 3 for CVE-2026-20147. (cisco.com, thehackernews.com)

A day before this week’s market open, the Cybersecurity and Infrastructure Security Agency added eight actively exploited bugs to its Known Exploited Vulnerabilities catalog on April 20. Three of them were Cisco Catalyst SD-WAN Manager flaws: CVE-2026-20122, CVE-2026-20128, and CVE-2026-20133. (cisa.gov) That catalog is the federal government’s do-now list for bugs already used in real attacks. Under Binding Operational Directive 22-01, Federal Civilian Executive Branch agencies must fix newly listed flaws by CISA’s due date, and the current catalog shows April 30, 2026 for entries added on April 16. (cisa.gov)

Cisco’s SD-WAN Manager advisories describe what those KEV entries can expose: CVE-2026-20122 can let an authenticated remote attacker overwrite arbitrary files, CVE-2026-20128 involves passwords stored in a recoverable format, and CVE-2026-20133 can expose sensitive information to an unauthorized actor. Cisco said software updates are available and there are no workarounds. (cisco.com, cisa.gov)

Cisco said it was not aware of active exploitation of the April 15 Identity Services Engine bugs when it published the fixes. CISA’s April 20 action covered different Cisco products, but it sharpened the timing pressure on organizations that use Cisco network control planes in regulated environments, including banks, brokers, and payment firms that route patching through change-control and disclosure calendars. (thehackernews.com, cisa.gov)

For security teams, the immediate job is narrow and concrete: find Identity Services Engine and SD-WAN Manager versions, map them to Cisco’s fixed releases, and decide whether a maintenance window can move before the next federal due date. (cisco.com, cisa.gov)
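The version-to-fixed-release mapping described above, as an added Python example that is not part of the original briefing or of Cisco's own tooling: it takes the fixed releases the article lists for CVE-2026-20147, flags inventoried Identity Services Engine nodes below that patch level, treats release trains not in the list as needing a manual check against the full advisory rather than a guess, and counts the days left before the April 30 KEV due date. The hostnames and versions in the sample inventory are constructed.

```python
"""Patch-gap triage against the Cisco ISE fixed releases quoted in the article
for CVE-2026-20147 (3.1 Patch 11, 3.2 Patch 10, 3.3 Patch 11, 3.4 Patch 6,
3.5 Patch 3). Inventory data below is constructed, not real hosts."""
import re
from datetime import date

# Release train -> first patch level containing the fix (values from the page).
FIXED_RELEASES = {(3, 1): 11, (3, 2): 10, (3, 3): 11, (3, 4): 6, (3, 5): 3}

# Federal due date for the KEV entries named in the article.
KEV_DUE_DATE = date(2026, 4, 30)

VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\s+Patch\s+(\d+))?$", re.IGNORECASE)


def parse_version(text):
    """Turn '3.3 Patch 9' into ((3, 3), 9); a bare '3.3' means Patch 0."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised ISE version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor)), int(patch or 0)


def assess(version_text):
    """Return 'fixed', 'vulnerable' or 'unlisted' for one ISE version string.
    'unlisted' means the train is absent from the table quoted on the page,
    so the node needs a manual check against the full advisory, not a guess."""
    train, patch = parse_version(version_text)
    fixed_patch = FIXED_RELEASES.get(train)
    if fixed_patch is None:
        return "unlisted"
    return "fixed" if patch >= fixed_patch else "vulnerable"


def triage(inventory, today):
    """Status per node plus days remaining before the KEV due date."""
    report = {node: assess(ver) for node, ver in inventory}
    return report, (KEV_DUE_DATE - today).days


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    sample = [("ise-pan-01", "3.3 Patch 9"), ("ise-psn-02", "3.4 Patch 6"),
              ("ise-psn-03", "3.0 Patch 8"), ("ise-mnt-04", "3.5")]
    report, days_left = triage(sample, date(2026, 4, 21))
    for node, status in report.items():
        print(f"{node}: {status}")
    print(f"days until KEV due date: {days_left}")
```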

Shared from Scout.