Cyber Resilience

CVE-2026-20128

High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 25 February 2026

Modified: 21 April 2026
KEV Added
Patch
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0527 (91.5th percentile)
Risk Priority: 100 (floored blend · peak EPSS)

Summary

CVE-2026-20128 is a high-severity Storing Passwords in a Recoverable Format (CWE-257) vulnerability in Cisco Catalyst SD-WAN Manager. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 8.5% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SC-28 (Protection of Information at Rest).

Deeper analysis

A vulnerability in the Data Collection Agent (DCA) feature of Cisco Catalyst SD-WAN Manager stems from the presence of a credential file containing the DCA user password on affected systems. The flaw, tracked as CVE-2026-20128 and assigned CWE-257, enables an attacker to retrieve the stored password and is present in releases prior to 20.18.

An unauthenticated remote attacker can exploit the issue by sending a crafted HTTP request that exposes the credential file, thereby obtaining DCA user privileges on the target system and potentially pivoting to additional affected devices. The CVSS 3.1 score of 7.5 reflects high impact on confidentiality, integrity, and availability, with a vector that specifies local access (AV:L), high attack complexity (AC:H), and high privileges required (PR:H).

Cisco's security advisory states that versions 20.18 and later are unaffected, while the vulnerability appears in CISA's Known Exploited Vulnerabilities catalog. The current EPSS score of 0.0008 indicates low exploitation probability at the time of reporting.

EU & UK References

Vulnerability details

A vulnerability in the Data Collection Agent (DCA) feature of Cisco Catalyst SD-WAN Manager could allow an unauthenticated, remote attacker to gain DCA user privileges on an affected system. This vulnerability is due to the presence of a credential file for the DCA user on an affected system. An attacker could exploit this vulnerability by sending a crafted HTTP request and reading the file that contains the DCA password from that affected system. A successful exploit could allow the attacker to access another affected system and gain DCA user privileges.

Note: Cisco Catalyst SD-WAN Manager releases 20.18 and later are not affected by this vulnerability.

CWE(s): CWE-257
KEV Date Added: See CISA KEV catalog

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1190 · Exploit Public-Facing Application · Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1552.001 · Credentials In Files · Credential Access
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.

Why these techniques?

The vulnerability enables remote HTTP exploitation of a public-facing SD-WAN Manager to read an exposed credential file (T1190); the root cause is a recoverable password stored in an accessible file (T1552.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-20133 · Same product: Cisco Catalyst SD-WAN Manager · both on KEV
CVE-2026-20122 · Same product: Cisco Catalyst SD-WAN Manager · both on KEV
CVE-2026-20129 · Same product: Cisco Catalyst SD-WAN Manager
CVE-2026-20127 · Same product: Cisco Catalyst SD-WAN Manager · both on KEV
CVE-2026-20182 · Same product: Cisco Catalyst SD-WAN Manager · both on KEV
CVE-2026-20126 · Same product: Cisco Catalyst SD-WAN Manager
CVE-2026-20131 · Same vendor: Cisco · both on KEV
CVE-2025-20393 · Same vendor: Cisco · both on KEV
CVE-2025-20337 · Same vendor: Cisco · both on KEV
CVE-2025-20352 · Same vendor: Cisco · both on KEV

Affected Assets

Vendor: Cisco
Product: Catalyst SD-WAN Manager
20.12.6 · ≤ 20.9.8.2 · 20.10 — 20.12.5.3 · 20.13 — 20.15.4.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

Prevent: Requires that passwords are not stored in recoverable form, directly eliminating the DCA credential file that enables the crafted-HTTP exploit.

Prevent: Mandates cryptographic or equivalent protection of sensitive data at rest, preventing exposure of the DCA password file via the unauthenticated request.

Prevent: Requires timely installation of vendor patches; upgrading to SD-WAN Manager 20.18+ removes the vulnerable credential file entirely.

References