TP-EXP-2026-0011 CVE-2026-20128 high Patched AI Draft

Cisco Catalyst SD-WAN Manager — DCA Credential File Exposure (CVE-2026-20128)

Severity Assessment

  • Exploitability: 6.0/10
  • Impact: 8.0/10
  • Weaponization Risk: 7.5/10
  • Patch Urgency: 9.0/10
  • Detection Coverage: 4.5/10

Summary

CVE-2026-20128 is a credential storage vulnerability in the Data Collection Agent (DCA) feature of Cisco Catalyst SD-WAN Manager. The DCA user's password is written to a credential file on the affected system in a recoverable format, so anyone who can read that file can obtain the password. An attacker who can send a crafted HTTP request to an affected instance can retrieve the password and use it to authenticate to other SD-WAN Manager systems in the same fabric.

The vulnerability affects all Cisco Catalyst SD-WAN Manager releases prior to 20.18. Cisco releases 20.18 and later are not affected. CISA added CVE-2026-20128 to the Known Exploited Vulnerabilities catalog on 2026-04-20 with a required remediation deadline of 2026-04-23, and issued Supplemental Direction ED 26-03 directing Federal Civilian Executive Branch agencies to follow hunt and hardening guidance for Cisco SD-WAN infrastructure.

The CVSS 3.1 base score is 7.5 (HIGH). The vector string AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H describes exploitation from a local position with high privilege on the originating system; the scope-change component (S:C) indicates that a successful exploit affects systems beyond the initially compromised device, here the wider SD-WAN fabric. Note that the NVD description references a remote, unauthenticated attack path, whereas the CVSS vector and the Cisco PSIRT characterization describe a local, high-privilege scenario. Both descriptions are present in the public record; this article treats the CVSS vector as the authoritative technical characterization pending further vendor clarification.

Exploit Chain

Stage 1: Access to Affected SD-WAN Manager

The attacker requires access to an affected Cisco Catalyst SD-WAN Manager instance running a version prior to 20.18. Access may be direct (network-adjacent or local) or obtained through a prior compromise of the management plane. The DCA feature must be enabled, and the credential file must be present on the system.

Stage 2: Credential File Retrieval

The attacker sends a crafted HTTP request targeting the affected system. The DCA credential file is accessible at a predictable path. Due to CWE-257 (Storing Passwords in a Recoverable Format), the DCA password can be extracted from the file in cleartext or decoded from a reversible encoding without knowledge of any additional secret material.

Stage 3: Lateral Movement to Additional SD-WAN Manager Instances

The recovered DCA password is valid across other Cisco Catalyst SD-WAN Manager systems within the same deployment. The attacker authenticates to additional instances using the DCA account, gaining management-plane visibility and control across those systems. Because DCA credentials may be shared or reused across a multi-site SD-WAN fabric, a single credential recovery can produce broad lateral access.

Detection Guidance

  1. Audit Cisco Catalyst SD-WAN Manager versions across the environment. Any deployment running a release prior to 20.18 is affected; prioritize upgrade to a fixed release.
  2. Review HTTP access logs on SD-WAN Manager instances for crafted requests targeting DCA-related paths or configuration endpoints outside of expected management traffic patterns.
  3. Monitor for unexpected DCA user authentication events, particularly from source IP addresses not associated with known management hosts.
  4. Follow CISA Emergency Directive 26-03 Supplemental Direction hunt guidance, which includes specific queries and log review steps for Cisco SD-WAN infrastructure.
  5. Treat any evidence of DCA credential use from an anomalous source as a confirmed compromise indicator and assume lateral movement across the SD-WAN fabric.
  6. Check SD-WAN Manager audit logs for configuration reads, device list enumeration, or policy exports that do not correspond to authorized administrator activity.

Indicators of Compromise

Behavioral and log-based indicators:

  • HTTP requests to SD-WAN Manager endpoints associated with DCA configuration or credential files, originating from unexpected source addresses
  • DCA user authentication events in SD-WAN Manager audit logs from hosts not in the authorized management IP range
  • Authentication events across multiple SD-WAN Manager instances within a short time window using DCA credentials
  • Unexpected SD-WAN policy reads, tunnel configuration exports, or device inventory queries attributed to the DCA account

Network indicators:

  • Repeated or structured HTTP GET requests to SD-WAN Manager management interfaces, particularly those targeting configuration or agent-related paths
  • Traffic from SD-WAN Manager instances to IP addresses not matching known SD-WAN peers or controller infrastructure
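The following added script (written for this article, not Cisco or CISA tooling) applies detection guidance items 1, 3 and 6 and the behavioral indicators above to audit events. The pipe-delimited log format, the instance names, the "dca" username and the management CIDR are assumptions; the sample events are constructed.

```python
# Added example (not Cisco's or CISA's code): triage constructed SD-WAN Manager
# audit events for the DCA credential-reuse pattern described above.
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

MGMT_NETS = [ipaddress.ip_network("10.10.0.0/24")]   # assumed authorized management range
DCA_USER = "dca"                                      # assumed DCA account name
LATERAL_WINDOW = timedelta(minutes=10)                # "short time window" for fan-out

def is_affected(version: str) -> bool:
    """Releases prior to 20.18 are affected per the advisory (major.minor compared)."""
    major, minor = (int(p) for p in version.split(".")[:2])
    return (major, minor) < (20, 18)

def parse_event(line: str) -> dict:
    """Assumed format: ISO-timestamp|instance|user|src_ip|event"""
    ts, inst, user, src, event = line.strip().split("|")
    return {"ts": datetime.fromisoformat(ts), "instance": inst,
            "user": user, "src": ipaddress.ip_address(src), "event": event}

def triage(lines):
    """Return alerts for DCA logins from non-management sources and for one
    source authenticating as DCA to several managers within LATERAL_WINDOW."""
    alerts, logins = [], defaultdict(list)
    for ev in map(parse_event, lines):
        if ev["user"] != DCA_USER or ev["event"] != "login_success":
            continue
        if not any(ev["src"] in net for net in MGMT_NETS):
            alerts.append(f"DCA login from non-management source {ev['src']} on {ev['instance']}")
        logins[ev["src"]].append(ev)
    for src, evs in logins.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            insts = {e["instance"] for e in evs[i:] if e["ts"] - first["ts"] <= LATERAL_WINDOW}
            if len(insts) >= 2:
                alerts.append(f"DCA fan-out from {src} to {len(insts)} managers within {LATERAL_WINDOW}")
                break
    return alerts

SAMPLE_LOG = [  # constructed sample, not real Cisco output
    "2026-04-20T09:00:00|vmanage-1|admin|10.10.0.5|login_success",
    "2026-04-20T09:02:10|vmanage-1|dca|10.10.0.7|login_success",
    "2026-04-20T09:05:00|vmanage-1|dca|203.0.113.9|login_success",
    "2026-04-20T09:06:30|vmanage-2|dca|203.0.113.9|login_success",
    "2026-04-20T09:07:45|vmanage-3|dca|203.0.113.9|login_success",
]

if __name__ == "__main__":
    print("20.12.4 affected:", is_affected("20.12.4"), "| 20.18.1 affected:", is_affected("20.18.1"))
    for alert in triage(SAMPLE_LOG):
        print(alert)
```

The expected DCA login from inside the management range produces no alert; the three logins from 203.0.113.9 are each flagged, and the same source reaching three managers within the window raises the fan-out alert that item 5 says to treat as confirmed compromise.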

Disclosure Timeline

2026-02-25

Cisco published the security advisory for CVE-2026-20128 and the National Vulnerability Database recorded the entry. Affected version ranges and the fixed release threshold of 20.18 were documented.

2026-04-20

CISA added CVE-2026-20128 to the Known Exploited Vulnerabilities catalog, confirming active exploitation. The required remediation deadline for FCEB agencies was set to 2026-04-23. CISA also issued Supplemental Direction ED 26-03 with hunt and hardening guidance specific to Cisco SD-WAN infrastructure.

2026-04-21

NVD last modified the CVE-2026-20128 record to reflect the analyzed status and CISA KEV annotations.
