CVE-2026-20128
Published: 25 February 2026
Summary
CVE-2026-20128 is a high-severity Storing Passwords in a Recoverable Format (CWE-257) vulnerability in Cisco Catalyst Sd-Wan Manager. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 8.5% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SC-28 (Protection of Information at Rest).
Deeper analysis
A vulnerability in the Data Collection Agent (DCA) feature of Cisco Catalyst SD-WAN Manager stems from the presence of a credential file containing the DCA user password on affected systems. The flaw, tracked as CVE-2026-20128 and assigned CWE-257, enables an attacker to retrieve the stored password and is present in releases prior to 20.18.
An unauthenticated remote attacker can exploit the issue by sending a crafted HTTP request that exposes the credential file, thereby obtaining DCA user privileges on the target system and potentially pivoting to additional affected devices. The CVSS 3.1 score of 7.5 reflects high impact on confidentiality, integrity, and availability under local access conditions with high attack complexity.
Cisco's security advisory states that versions 20.18 and later are unaffected, while the vulnerability appears in CISA's Known Exploited Vulnerabilities catalog. The current EPSS score of 0.0008 indicates low exploitation probability at the time of reporting.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-8676
Vulnerability details
A vulnerability in the Data Collection Agent (DCA) feature of Cisco Catalyst SD-WAN Manager could allow an unauthenticated, remote attacker to gain DCA user privileges on an affected system. This vulnerability is due to the presence of a credential file…
more
for the DCA user on an affected system. An attacker could exploit this vulnerability by sending a crafted HTTP request and reading the file that contains the DCA password from that affected system. A successful exploit could allow the attacker to access another affected system and gain DCA user privileges. Note: Cisco Catalyst SD-WAN Manager releases 20.18 and later are not affected by this vulnerability.
- CWE(s)
- KEV Date Added
- See CISA KEV catalog
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vuln enables remote HTTP exploitation of public-facing SD-WAN Manager to read exposed credential file (T1190); root cause is recoverable password stored in accessible file (T1552.001).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Requires that passwords are not stored in recoverable form, directly eliminating the DCA credential file that enables the crafted-HTTP exploit.
Mandates cryptographic or equivalent protection of sensitive data at rest, preventing exposure of the DCA password file via the unauthenticated request.
Requires timely installation of vendor patches; upgrading to SD-WAN Manager 20.18+ removes the vulnerable credential file entirely.