Join our Experts on June 24 as they explain how to Detect, Divert, and Deceive AI-Assisted Threats
Get a Demo

Vulnerabilities

CVE-2026-20128

CVE-2026-20128 Cisco SD-WAN Information Disclosure

CVSS Gauge
CVSS Needle
CVSS Score: 7.5

Summary

CVE-2026-20128 is a high severity flaw in Cisco Catalyst SD-WAN Manager where DCA credentials are stored in a recoverable file. Attackers can access it via HTTP requests or low-privilege access to escalate to DCA privileges and move laterally. Cisco confirms versions 20.18 and later are not affected, and it is listed in the CISA KEV catalog indicating active exploitation.

Urgent Actions Required

  • Upgrade Cisco Catalyst SD-WAN Manager to version 20.18 or later.
  • Review and restrict access to the Data Collection Agent (DCA) credential files at the filesystem level.
  • Monitor for unusual HTTP requests targeting DCA-related endpoints or credential file access patterns.
  • Audit authentication logs for unexpected use of DCA-level privileges across SD-WAN systems.

Which Systems Are Vulnerable to CVE-2026-20128?

Technical Overview 

  • Vulnerability Type: Information Disclosure via Recoverable Credential Storage (CWE-257) in Cisco Catalyst SD-WAN Manager Data Collection Agent (DCA) feature
  • Affected Software/Versions:
    • Cisco Catalyst SD-WAN Manager versions prior to 20.18 (multiple releases listed as affected across 17.x, 18.x, 19.x, and 20.x series)
  • CVSS Vector: v3.1
    • Attack Vector: Local
    • Attack Complexity: High
    • Privileges Required: High
    • User Interaction: None
    • Scope: Changed
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High
  • Patch Availability: Yes, available 
    1. Cisco Catalyst SD-WAN Vulnerabilities

How Does the CVE-2026-20128 Exploit Work?

The attack typically follows these steps:

CVE-2026-20128

What Causes CVE-2026-20128?

Vulnerability Root Cause:   

This vulnerability is caused by the insecure storage of Data Collection Agent (DCA) user credentials within Cisco Catalyst SD-WAN Manager. A credential file containing the DCA password is present on the affected system in a recoverable format. Because the file can be accessed through crafted HTTP requests or by a low-privileged user with valid vManage access, the stored password can be retrieved instead of being protected through secure, non-reversible storage methods. This allows attackers to recover credentials and escalate privileges to the DCA user level. 

How Can You Mitigate CVE-2026-20128?

If immediate patching is delayed or not possible: 

  • Restrict filesystem permissions so DCA credential files cannot be read by low-privileged users.
  • Apply strict access controls to the Cisco Catalyst SD-WAN Manager filesystem to limit unauthorized access.
  • Isolate SD-WAN Manager systems using network segmentation to reduce lateral movement risk.
  • Audit and remove unnecessary vManage user access to reduce exposure of privileged credentials.
  • Rotate DCA credentials immediately if any compromise or unauthorized access is suspected.

Which Assets and Systems Are at Risk? 

Asset Types Affected:

  • Cisco Catalyst SD-WAN Manager deployments running affected versions prior to 20.18
  • Systems with the Data Collection Agent (DCA) feature enabled
  • SD-WAN environments where DCA credential files exist on the filesystem
  • vManage-managed systems where local user access is available

Business-Critical Systems at Risk:

  • Enterprise SD-WAN infrastructure management platforms controlling network configuration and policies
  • Distributed network environments using Cisco Catalyst SD-WAN Manager for centralized control
  • Systems relying on DCA user privileges for access and operations across SD-WAN nodes
  • Multi-system SD-WAN deployments where credentials can be reused for access to other affected systems

Exposure Level:

  • SD-WAN Manager systems where filesystem access is possible for low-privileged users
  • Environments allowing access via authenticated vManage accounts with limited privileges
  • Systems where DCA credential files are present and readable on the local filesystem
  • SD-WAN deployments running versions prior to 20.18 without remediation applied

Will Patching CVE-2026-20128 Cause Downtime?

Patch application impact: Low to moderate. Upgrade Cisco Catalyst SD-WAN Manager to version 20.18 or later. Cisco confirms this version is not affected, and remediation is primarily a version upgrade.

Mitigation (if immediate patching is not possible): Restrict filesystem access to DCA credential files, enforce strict permissions, limit vManage privileges, isolate SD-WAN systems, and rotate DCA credentials if exposure is suspected.

How Can You Detect CVE-2026-20128 Exploitation?

Exploitation Signatures:

Monitor for crafted HTTP requests that result in access to files containing DCA user credentials on Cisco Catalyst SD-WAN Manager systems. Look for activity indicating retrieval of credential files from the filesystem associated with the Data Collection Agent feature.

Indicators of Compromise (IOCs/IOAs):

  • HTTP requests leading to access to DCA credential files
  • Reading of filesystem files containing DCA user passwords
  • Authentication using recovered DCA credentials
  • Low-privileged vManage users accessing restricted filesystem locations
  • DCA credentials used to access other SD-WAN Manager systems

Behavioral Indicators:

  • Access to credential files storing DCA passwords in a recoverable format
  • Privilege escalation from the vManage user level to the DCA user level
  • Use of recovered credentials across multiple SD-WAN Manager systems
  • Lateral movement within SD-WAN environments using DCA accounts

Alerting Strategy:

  • Priority: High
  • Trigger alerts for:
    • Access or read operations on DCA credential files
    • HTTP requests resulting in the exposure of credential files
    • Authentication events using DCA credentials from unexpected sources
    • Privilege escalation from vManage accounts to the DCA user level

Remediation & Response

  • Remediation Timeline:
    • Immediate (0 - 24 hrs): Upgrade Cisco Catalyst SD-WAN Manager to version 20.18 or later, as it is not affected.
    • Within 24 hrs: Validate all affected versions (prior to 20.18 across 17.x - 20.x series) are identified and upgraded or scheduled for upgrade.
    • Within 24 - 48 hrs: Confirm exposure of DCA credential files on affected systems is removed through the upgrade.
  • Rollback Plan:
    • If the upgrade impacts operations, revert to the previous stable version and reapply the upgrade after validation.
    • Ensure documentation of the version state and affected SD-WAN nodes before rollback execution.
  • Incident Response Considerations:
    • Isolate SD-WAN Manager systems if unauthorized access to DCA credential files is suspected.
    • Preserve logs related to HTTP requests and filesystem access involving DCA credential files.
    • Investigate potential access to DCA credentials and their use across other SD-WAN Manager systems.
    • Post-upgrade, monitor for attempts to access DCA credential files or related filesystem locations.

Compliance & Governance Notes

  • Audit Trail Requirement:
    • Log HTTP requests that interact with Cisco Catalyst SD-WAN Manager systems where DCA functionality is enabled
    • Record filesystem access events involving DCA credential files on affected systems
    • Maintain logs of authentication events using DCA credentials across SD-WAN Manager instances
    • Document system upgrade activity including, version changes (prior versions to 20.18 -> 20.18 or later)
  • Policy Alignment:
    • Enforce secure credential storage controls to prevent recoverable password storage in system files
    • Strengthen access control policies for filesystem-level access to sensitive credential files
    • Update privileged access management policies to restrict vManage and DCA-level account exposure
    • Ensure vulnerability management policies mandate upgrading Cisco Catalyst SD-WAN Manager to 20.18 or later as a remediation requirement

See How Leading Teams Strengthen Endpoint Security with Deep Visibility

      • Real-time endpoint detection and response
      • Faster investigations with live endpoint access
      • Reduced alert fatigue through automation
Download the Data Sheet

CVSS Breakdown Table 

MetricValue Description
Base Score7.5High severity vulnerability in Cisco Catalyst SD-WAN Manager
Attack VectorLocalRequires local access or access via crafted HTTP request leading to filesystem interaction
Attack ComplexityHighExploitation depends on accessing credential file on affected system
Privileges RequiredHighRequires low-privileged vManage access or system-level access context
User Interaction NoneNo user interaction required
Scope Changed Exploitation enables privilege escalation from vManage to DCA user level
Confidentiality Impact HighExposure of DCA credentials stored in recoverable format
Integrity Impact HighPrivilege escalation enables unauthorized elevated access across systems
Availability ImpactHighPotential impact through unauthorized control and lateral movement in SD-WAN environment

References:

  1. NVD – CVE-2026-20128
  2. CVE Record: CVE-2026-20128

Vulnerability Overview 

CVE ID: CVE-2026-20128

CVE Title: Cisco Catalyst SD-WAN Manager Information Disclosure / Credential Exposure in DCA Feature

Severity: High

CVSS Score: 7.5

Exploit Status: Listed in CISA KEV catalog; active exploitation reported in multiple advisories

Business Risk: Exposed DCA credentials can allow privileged access, privilege escalation, and lateral movement in Cisco SD-WAN, increasing risk of broader compromise.

Compliance Impact: Exposed credentials and unauthorized access can weaken security controls and impact enterprise network protection and access governance.

Identifying CVEs Cover Banner

Related Readings

One Platform for All Adversaries

See Fidelis in action. Learn how our fast and scalable platforms provide full visibility, deep insights, and rapid response to help security teams across the World protect, detect, respond, and neutralize advanced cyber adversaries.

Get a Demo