What is the CVSS score of CVE-2026-20128?

CVE-2026-20128 has a CVSS 3.1 base score of 7.5 (High). CVSS vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H. EPSS exploitation probability: 0.0%.

Which versions of Cisco are affected by CVE-2026-20128?

Cisco Catalyst SD-WAN Manager versions prior to 20.18 contain a privilege escalation vulnerability (CVE-2026-20128) that is confirmed actively exploited in targeted attacks.

Is there a public PoC exploit available for CVE-2026-20128?

Yes, a public proof-of-concept exploit is available for CVE-2026-20128. Prioritise patching immediately. EPSS: 0.0%.

Cisco CVE-2026-20128

HIGH

Storing Passwords in a Recoverable Format (CWE-257)

2026-02-25 psirt@cisco.com

Information Disclosure Cisco

7.5

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Local

Attack Complexity

High

Privileges Required

High

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Updated

Apr 21, 2026 - 12:57 vuln.today

v2 (cvss_changed)

Re-analysis Queued

Apr 20, 2026 - 20:22 vuln.today

cvss_changed

Added to CISA KEV

Apr 20, 2026 - 19:31 CISA

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

CVE Published

Feb 25, 2026 - 17:25 nvd

HIGH 7.5

DescriptionNVD

A vulnerability in the Data Collection Agent (DCA) feature of Cisco Catalyst SD-WAN Manager could allow an authenticated, local attacker to gain DCA user privileges on an affected system. To exploit this vulnerability, the attacker must have valid vmanage credentials on the affected system.

This vulnerability is due to the presence of a credential file for the DCA user on an affected system. An attacker could exploit this vulnerability by accessing the filesystem as a low-privileged user and reading the file that contains the DCA password from that affected system. A successful exploit could allow the attacker to access another affected system and gain DCA user privileges. Note: Cisco Catalyst SD-WAN Manager releases 20.18 and later are not affected by this vulnerability.

AnalysisAI

Privilege escalation in Cisco Catalyst SD-WAN Manager (versions prior to 20.18) enables authenticated local attackers with valid vmanage credentials to obtain Data Collection Agent (DCA) user privileges by reading an unprotected credential file from the filesystem. Confirmed actively exploited (CISA KEV) with publicly available exploit code despite low EPSS score (0.02%), indicating targeted attacks rather than widespread scanning. …

RemediationAI

Within 24 hours: Inventory all Cisco Catalyst SD-WAN Manager deployments and identify instances running versions prior to 20.18; restrict vmanage administrative access to trusted personnel and networks only. Within 7 days: Contact Cisco support to obtain and validate vendor patch availability timeline for version 20.18 or later; implement temporary access controls limiting vmanage credential holders. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-20128 vulnerability details – vuln.today

Back

Cisco CVE-2026-20128

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code