Cyber Posture

CVE-2026-20128

High · CISA KEV · Active Exploitation

Published: 25 February 2026

Modified: 21 April 2026
CVSS Score: 7.5 (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0004 (13.6th percentile)
Risk Priority: 35 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-20128 is a high-severity Storing Passwords in a Recoverable Format (CWE-257) vulnerability in Cisco Catalyst SD-WAN Manager. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 13.6th percentile by exploit likelihood (below the median), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-5 (Authenticator Management).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique.
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) · AI

prevent

Directly addresses CWE-257 by requiring secure management and protection of authenticators to prevent storage of DCA passwords in recoverable formats accessible via crafted HTTP requests.

prevent

Enforces approved authorizations for logical access, preventing unauthenticated remote reading of the exposed credential file containing DCA user privileges.

prevent

Requires timely identification, reporting, and correction of flaws like this exposed credential file vulnerability, with Cisco fixes in releases 20.18 and later.

MITRE ATT&CK Enterprise Techniques · AI

T1190 · Exploit Public-Facing Application · Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1552.001 · Credentials In Files · Credential Access
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.

Why these techniques?

The vulnerability enables remote HTTP exploitation of a public-facing SD-WAN Manager to read an exposed credential file (T1190); the root cause is a recoverable password stored in an accessible file (T1552.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A vulnerability in the Data Collection Agent (DCA) feature of Cisco Catalyst SD-WAN Manager could allow an unauthenticated, remote attacker to gain DCA user privileges on an affected system. This vulnerability is due to the presence of a credential file for the DCA user on an affected system. An attacker could exploit this vulnerability by sending a crafted HTTP request and reading the file that contains the DCA password from that affected system. A successful exploit could allow the attacker to access another affected system and gain DCA user privileges. Note: Cisco Catalyst SD-WAN Manager releases 20.18 and later are not affected by this vulnerability.

Deeper analysis · AI

CVE-2026-20128 is a vulnerability in the Data Collection Agent (DCA) feature of Cisco Catalyst SD-WAN Manager, stemming from the presence of a credential file containing the DCA user password on affected systems. The issue affects Cisco Catalyst SD-WAN Manager releases prior to 20.18, has a CVSS v3.1 base score of 7.5 (AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H), and is associated with CWE-257 (Storing Passwords in a Recoverable Format). An unauthenticated, remote attacker could exploit it by sending a crafted HTTP request to read the exposed credential file.

The attack scenario involves an unauthenticated, remote attacker targeting an affected system with a crafted HTTP request to extract the DCA password. With this credential, the attacker could then access another affected system and elevate to DCA user privileges, potentially enabling further compromise within the SD-WAN environment.

Cisco's security advisory at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-authbp-qwCX8D4v details the vulnerability. The accompanying note indicates that Cisco Catalyst SD-WAN Manager releases 20.18 and later are not affected, so upgrading is the primary mitigation.

This CVE appears in the CISA Known Exploited Vulnerabilities Catalog at https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-20128, signaling real-world exploitation.

Details

CWE(s): CWE-257
KEV Date Added: See CISA KEV catalog

Affected Products

Vendor: cisco
Product: catalyst sd-wan manager
Affected versions: 20.12.6 · ≤ 20.9.8.2 · 20.10 — 20.12.5.3 · 20.13 — 20.15.4.2

CVEs Like This One

CVE-2026-20133 · Same product: Cisco Catalyst SD-WAN Manager · both on KEV
CVE-2026-20122 · Same product: Cisco Catalyst SD-WAN Manager · both on KEV
CVE-2026-20127 · Same product: Cisco Catalyst SD-WAN Manager · both on KEV
CVE-2026-20129 · Same product: Cisco Catalyst SD-WAN Manager
CVE-2026-20126 · Same product: Cisco Catalyst SD-WAN Manager
CVE-2025-20393 · Same vendor: Cisco · both on KEV
CVE-2025-20337 · Same vendor: Cisco · both on KEV
CVE-2026-20131 · Same vendor: Cisco · both on KEV
CVE-2026-20045 · Same vendor: Cisco · both on KEV
CVE-2025-20362 · Same vendor: Cisco · both on KEV
