Breaking: CISA Emergency Directive for Cisco SD-WAN + Fortinet EMS RCE Exploited — 23 April 2026
CISA Emergency Directive Targets Cisco SD-WAN, Fortinet RCE Exploited in the Wild
CISA has issued Emergency Directive 26-03 requiring federal agencies to remediate multiple critical Cisco Catalyst SD-WAN Manager vulnerabilities by today, April 23. Three separate CVEs were added to the Known Exploited Vulnerabilities catalog on April 20, all referencing the directive. Separately, Fortinet has confirmed that CVE-2026-21643, a critical SQL injection in FortiClient EMS enabling unauthenticated remote code execution, is being actively exploited in the wild. Public exploit code is available on GitHub.
Cisco Catalyst SD-WAN Manager
Three vulnerabilities in Cisco Catalyst SD-WAN Manager were added to the KEV catalog on April 20 with a remediation deadline of April 23, a three-day window far shorter than the deadlines CISA normally sets for new KEV entries under Binding Operational Directive 22-01:
CVE-2026-20128: passwords are stored in a recoverable format, so a local attacker with low privileges who can read the credential files on the filesystem can obtain DCA user privileges.
CVE-2026-20133: sensitive system information is exposed to unauthenticated remote attackers.
CVE-2026-20122: an attacker can upload a crafted file through the API and overwrite arbitrary files, gaining the privileges of the vmanage user on the affected system.
All three are covered by Emergency Directive 26-03. CISA has also published specific Hunt and Hardening Guidance for Cisco SD-WAN devices alongside the directive. The three-day remediation window from KEV addition to deadline is unusual and signals that CISA assesses active or imminent exploitation. SD-WAN managers are high-value targets because they control network traffic routing across distributed enterprise environments. Compromise of the manager gives an attacker visibility and control over the entire WAN fabric.
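The point about the three-day window is easy to operationalise. The script below is an added example, not from this briefing and not CISA's code: it reads a snapshot in the layout of CISA's public KEV JSON feed (cveID, vendorProject, product, dateAdded, dueDate), flags entries with unusually short windows, lists what is due, and intersects the catalog with a product inventory. The snapshot is constructed: the three Cisco entries carry the dates given above, and CVE-EXAMPLE-0001 is a placeholder (not a real CVE) included only to contrast a normal-length window.

```python
"""Triage a KEV catalog snapshot: short remediation windows, due entries, and
entries that touch products we actually run.

Added example, not from the briefing and not CISA's code. Field names follow
CISA's public KEV JSON feed; the snapshot below is constructed, and
CVE-EXAMPLE-0001 is a placeholder, not a real CVE.
"""
import json
from datetime import date

KEV_SNAPSHOT = json.dumps({
    "title": "constructed snapshot in the KEV feed layout",
    "vulnerabilities": [
        {"cveID": "CVE-2026-20128", "vendorProject": "Cisco",
         "product": "Catalyst SD-WAN Manager",
         "dateAdded": "2026-04-20", "dueDate": "2026-04-23"},
        {"cveID": "CVE-2026-20133", "vendorProject": "Cisco",
         "product": "Catalyst SD-WAN Manager",
         "dateAdded": "2026-04-20", "dueDate": "2026-04-23"},
        {"cveID": "CVE-2026-20122", "vendorProject": "Cisco",
         "product": "Catalyst SD-WAN Manager",
         "dateAdded": "2026-04-20", "dueDate": "2026-04-23"},
        # Placeholder entry (not a real CVE) with a normal-length window for contrast.
        {"cveID": "CVE-EXAMPLE-0001", "vendorProject": "ExampleVendor",
         "product": "Example Appliance",
         "dateAdded": "2026-04-01", "dueDate": "2026-04-22"},
    ],
})


def load_kev(text: str) -> list[dict]:
    """Parse the feed; the real file has the same top-level shape."""
    return json.loads(text)["vulnerabilities"]


def window_days(entry: dict) -> int:
    """Days CISA allowed between catalog addition and the remediation due date."""
    return (date.fromisoformat(entry["dueDate"]) - date.fromisoformat(entry["dateAdded"])).days


def short_window(entries: list[dict], max_days: int = 7) -> list[str]:
    """CVE IDs whose window is at or below max_days: CISA's signal of urgency."""
    return sorted(e["cveID"] for e in entries if window_days(e) <= max_days)


def due_by(entries: list[dict], today: str) -> list[str]:
    """CVE IDs whose due date (ISO string) is today or already past."""
    cutoff = date.fromisoformat(today)
    return sorted(e["cveID"] for e in entries if date.fromisoformat(e["dueDate"]) <= cutoff)


def in_inventory(entries: list[dict], inventory: list[tuple[str, str]]) -> list[str]:
    """CVE IDs whose vendor/product contain a (vendor, product) substring pair we run."""
    hits = []
    for e in entries:
        for vendor, product in inventory:
            if vendor.lower() in e["vendorProject"].lower() and product.lower() in e["product"].lower():
                hits.append(e["cveID"])
                break
    return sorted(hits)


if __name__ == "__main__":
    entries = load_kev(KEV_SNAPSHOT)
    today = "2026-04-23"                      # the briefing's date
    for cve in in_inventory(entries, [("Cisco", "SD-WAN")]):
        e = next(x for x in entries if x["cveID"] == cve)
        print(f"{cve}: {window_days(e)}-day window, due {e['dueDate']}")
    print("short windows:", short_window(entries))
    print("due by today:", due_by(entries, today))
```

Against the real feed, `short_window` is the useful alert: anything CISA gives a week or less is worth treating as an emergency directive whether or not one has been issued for your sector.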
Fortinet FortiClient EMS
CVE-2026-21643 is an SQL injection vulnerability in FortiClient EMS 7.4.0 through 7.4.4 that allows an unauthenticated attacker to execute arbitrary code via crafted HTTP requests. Fortinet's advisory confirms it has been observed exploited in the wild, and a public exploit is available on GitHub under repository 0xBlackash/CVE-2026-21643.
The fix is straightforward: upgrade FortiClient EMS 7.4.x to 7.4.5 or later; the 7.2 and 8.0 branches are not affected. What makes this urgent beyond the KEV listing is the combination of unauthenticated access, code execution, and confirmed exploitation. EMS is the management server for the FortiClient agents across the organisation, so a compromise is not contained to the server: an attacker who controls EMS can push malicious configuration to every enrolled endpoint.
Ivanti EPMM
Also added to the KEV catalog recently: CVE-2026-1340, a code injection vulnerability in Ivanti Endpoint Manager Mobile (EPMM) that enables unauthenticated remote code execution. Ivanti EPMM has a history of severe exploitation, and this continues the pattern. Organisations running EPMM should treat this as an immediate patching priority regardless of whether they have evidence of active exploitation.
So What / Action
If you run Cisco Catalyst SD-WAN Manager, the CISA remediation deadline is today. Apply the patches now and work through CISA's published Hunt and Hardening Guidance. Review manager logs for reads of the credential files, unauthenticated requests that return system data, and API file uploads that modify files outside their expected paths. The accounts these bugs yield are vmanage and DCA, so unexpected sessions or changes under those accounts are what to hunt for.
If you run FortiClient EMS 7.4.x, upgrade to 7.4.5 or later immediately. With a public exploit and confirmed in-the-wild use, the window between "vulnerable" and "compromised" is measured in hours, not days. Check the HTTP access logs for anomalous requests to the EMS web interface, keeping in mind that standard access logs record the query string but not POST bodies, so a clean access log does not rule out exploitation through a request body.
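For the EMS items above (the upgrade decision and the access-log review), here is an added example, not Fortinet's code and not from this briefing. It encodes the affected range as stated here (7.4.0 through 7.4.4, fixed in 7.4.5, 7.2 and 8.0 unaffected) and scans access-log lines for SQL-injection-shaped query strings after URL-decoding them twice, so double-encoded payloads are not missed. The log lines are constructed in Common Log Format with placeholder paths; the real EMS log location, format and URL paths are not assumed, and the markers are generic injection indicators rather than the CVE-2026-21643 payload.

```python
"""FortiClient EMS triage: is the installed version in the affected range, and do
the web server access logs contain SQL-injection-shaped requests?

Added example, not Fortinet's code and not from the briefing. The affected
range is the one the briefing states. Log lines are constructed with
placeholder paths; the markers are generic SQLi indicators, not the
CVE-2026-21643 payload.
"""
import re
from collections import Counter
from urllib.parse import unquote_plus


def is_affected(version: str) -> bool:
    """True for FortiClient EMS 7.4.0 through 7.4.4 (the range the briefing gives)."""
    parts = [int(p) for p in version.strip().split(".")[:3]]
    parts += [0] * (3 - len(parts))            # tolerate "7.4" style input
    major, minor, patch = parts
    return (major, minor) == (7, 4) and patch <= 4


# Common Log Format: client ident user [timestamp] "METHOD path proto" status size
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Generic injection markers, applied to the URL-decoded request path and query.
SQLI_MARKERS = {
    "union_select": re.compile(r"(?i)\bunion\b.{0,40}\bselect\b"),
    "tautology":    re.compile(r"(?i)\b(?:or|and)\b\s+(?:'[^']*'|\d+)\s*=\s*(?:'[^']*'|\d+)"),
    "mssql_delay":  re.compile(r"(?i)\bwaitfor\s+delay\b"),
    "mssql_cmd":    re.compile(r"(?i)xp_cmdshell"),
    "time_based":   re.compile(r"(?i)\b(?:sleep|pg_sleep|benchmark)\s*\("),
    "comment_term": re.compile(r"'\s*(?:--|#|/\*)|(?:--|/\*)\s*$"),
}


def decode_path(path: str) -> str:
    """URL-decode twice so double-encoded payloads (%2527 -> %27 -> ') are caught."""
    return unquote_plus(unquote_plus(path))


def sqli_markers(path: str) -> list[str]:
    """Names of the markers that fire on the decoded path, in table order."""
    decoded = decode_path(path)
    return [name for name, rx in SQLI_MARKERS.items() if rx.search(decoded)]


def scan_access_log(log_text: str) -> list[dict]:
    """One record per request that trips at least one marker; non-CLF lines are skipped."""
    hits = []
    for line in log_text.splitlines():
        m = CLF.match(line)
        if not m:
            continue
        markers = sqli_markers(m["path"])
        if markers:
            hits.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                         "status": int(m["status"]), "path": decode_path(m["path"]),
                         "markers": markers})
    return hits


def sources(hits: list[dict]) -> Counter:
    """Suspicious requests per source address, to see who is probing."""
    return Counter(h["ip"] for h in hits)


# Constructed log lines; the paths are placeholders, not EMS endpoints.
ACCESS_LOG = """\
203.0.113.7 - - [22/Apr/2026:02:14:03 +0000] "GET /api/clients?name=%27%20OR%201%3D1-- HTTP/1.1" 200 5120
203.0.113.7 - - [22/Apr/2026:02:14:05 +0000] "GET /api/clients?name=x%27%3BWAITFOR%20DELAY%20%270%3A0%3A5%27-- HTTP/1.1" 500 0
203.0.113.7 - - [22/Apr/2026:02:14:09 +0000] "GET /api/clients?name=x%2527%2520UNION%2520SELECT%25201%252C2-- HTTP/1.1" 200 4096
198.51.100.20 - - [22/Apr/2026:02:15:11 +0000] "GET /api/clients?name=LAPTOP-01 HTTP/1.1" 200 812
198.51.100.20 - - [22/Apr/2026:02:16:40 +0000] "POST /login HTTP/1.1" 302 0
"""

if __name__ == "__main__":
    for v in ("7.4.4", "7.4.5", "7.2.9", "8.0.1"):
        print(v, "affected" if is_affected(v) else "not affected")
    hits = scan_access_log(ACCESS_LOG)
    for h in hits:
        print(h["ts"], h["ip"], h["status"], h["markers"], h["path"])
    print("by source:", dict(sources(hits)))
```

The third constructed line is the one worth noting: a single URL-decode would leave `%27` in place and every marker would miss it. A 500 alongside a delay payload (second line) is also a useful signal, since time-based probing against a database that does not exist in that form tends to error rather than sleep.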
If you run Ivanti EPMM, patch now. This product's exploit history means threat actors will add new CVEs to their toolkits within days of disclosure.
All three products manage or secure endpoints at scale. Compromise of any of them gives an attacker a beachhead across your entire fleet. That is the common thread: infrastructure control systems are force multipliers for attackers, and they are being targeted as such.

