Skip to main content

Cisco CVE-2026-20128

HIGH
Storing Passwords in a Recoverable Format (CWE-257)
2026-02-25 psirt@cisco.com
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Updated
Apr 21, 2026 - 12:57 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 20, 2026 - 20:22 vuln.today
cvss_changed
Added to CISA KEV
Apr 20, 2026 - 19:31 CISA
Analysis Generated
Mar 12, 2026 - 21:55 vuln.today
CVE Published
Feb 25, 2026 - 17:25 nvd
HIGH 7.5

DescriptionCVE.org

A vulnerability in the Data Collection Agent (DCA) feature of Cisco Catalyst SD-WAN Manager could allow an authenticated, local attacker to gain DCA user privileges on an affected system. To exploit this vulnerability, the attacker must have valid vmanage credentials on the affected system.

This vulnerability is due to the presence of a credential file for the DCA user on an affected system. An attacker could exploit this vulnerability by accessing the filesystem as a low-privileged user and reading the file that contains the DCA password from that affected system. A successful exploit could allow the attacker to access another affected system and gain DCA user privileges. Note: Cisco Catalyst SD-WAN Manager releases 20.18 and later are not affected by this vulnerability.

AnalysisAI

Privilege escalation in Cisco Catalyst SD-WAN Manager (versions prior to 20.18) enables authenticated local attackers with valid vmanage credentials to obtain Data Collection Agent (DCA) user privileges by reading an unprotected credential file from the filesystem. Confirmed actively exploited (CISA KEV) with publicly available exploit code despite low EPSS score (0.02%), indicating targeted attacks rather than widespread scanning. High-privileged initial access requirement (PR:H) and high attack complexity (AC:H) limit exploitability, but scope change (S:C) enables lateral movement to other SD-WAN systems.

Technical ContextAI

The vulnerability stems from CWE-257 (Storing Passwords in a Recoverable Format) - specifically, cleartext or weakly-protected credentials stored in a filesystem location accessible to low-privileged authenticated users. Cisco Catalyst SD-WAN Manager orchestrates SD-WAN fabric deployments, and the Data Collection Agent (DCA) is a privileged service account used for telemetry and operational data gathering across SD-WAN infrastructure. The affected component stores DCA credentials in a readable file, violating secure credential management practices. CPE strings indicate all Catalyst SD-WAN Manager versions below 20.18 are vulnerable, with explicit mention of version 20.12.6 in the CPE data. The CVSS vector AV:L (local access) confirms exploitation requires initial system access, while S:C (changed scope) indicates successful exploitation enables access beyond the initially compromised component - enabling lateral movement to other SD-WAN Manager instances or managed devices using the harvested DCA credentials.

RemediationAI

Upgrade Cisco Catalyst SD-WAN Manager to version 20.18 or later, which removes the vulnerable credential file according to the vulnerability note. Cisco advisory cisco-sa-sdwan-authbp-qwCX8D4v at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-authbp-qwCX8D4v contains upgrade procedures and fixed release train details. If immediate upgrade is not feasible, implement compensating controls: restrict local shell access to SD-WAN Manager systems using multi-factor authentication and bastion host architecture; enable audit logging for all filesystem access and monitor for reads of credential files in DCA directories; rotate DCA credentials immediately and implement network segmentation to prevent lateral movement if DCA credentials are compromised (note: credential rotation provides limited protection as the file will be regenerated unless patched); deploy application allowlisting to prevent unauthorized processes from reading sensitive files (may interfere with legitimate admin tools, requires testing). These mitigations only raise attacker cost and do not eliminate the vulnerability - patch deployment remains the only complete remediation. Given confirmed active exploitation (CISA KEV), prioritize patching over workarounds per federal directive BOD 22-01 timelines (2-6 weeks for KEV vulnerabilities).

Share

CVE-2026-20128 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy