CVE-2026-20128 is a vulnerability identified in the Data Collection Agent (DCA) feature of Cisco Catalyst SD-WAN Manager. The root cause is the presence of a credential file on affected systems that stores the DCA user's password in a recoverable format. An unauthenticated remote attacker can exploit this by sending a specially crafted HTTP request to the vulnerable system, which allows reading the credential file and extracting the DCA password. With these credentials, the attacker can gain DCA user privileges, enabling access to other systems managed by the SD-WAN Manager. This vulnerability affects a wide range of Cisco Catalyst SD-WAN Manager versions prior to 20.18, which has addressed the issue. The vulnerability is notable because it does not require prior authentication or user interaction, making it easier to exploit if the system is reachable over the network. The CVSS v3.1 score is 7.5 (high), reflecting the significant impact on confidentiality, integrity, and availability, as well as the complexity and privileges required for exploitation. The vulnerability enables attackers to perform lateral movement within the network, potentially leading to broader compromise of SD-WAN infrastructure and connected networks. No known exploits in the wild have been reported yet, but the extensive list of affected versions and the critical nature of the SD-WAN Manager in network operations make this a serious threat. Cisco recommends upgrading to version 20.18 or later to mitigate this issue.

The vulnerability poses a significant risk to organizations using affected versions of Cisco Catalyst SD-WAN Manager. By gaining DCA user privileges, attackers can compromise the confidentiality of sensitive network management credentials, potentially leading to unauthorized access to network infrastructure. This can result in integrity violations, such as unauthorized configuration changes, and availability impacts if attackers disrupt SD-WAN services. The ability to move laterally across systems increases the attack surface and risk of widespread network compromise. Organizations relying on SD-WAN for critical connectivity and network segmentation may face operational disruptions, data breaches, and increased exposure to further attacks. The broad range of affected versions means many deployments worldwide could be vulnerable, especially in enterprises, service providers, and government networks that use Cisco SD-WAN solutions. The lack of required authentication and user interaction lowers the barrier for exploitation, increasing the urgency for remediation.

1. Upgrade Cisco Catalyst SD-WAN Manager to version 20.18 or later, which addresses this vulnerability. 2. If immediate upgrade is not feasible, restrict network access to the SD-WAN Manager's management interfaces using firewalls or access control lists to limit exposure to trusted hosts only. 3. Monitor network traffic for unusual HTTP requests targeting the DCA feature and implement intrusion detection/prevention systems with signatures for this vulnerability. 4. Audit and rotate credentials associated with the DCA user to reduce the risk of compromised passwords being reused. 5. Employ network segmentation to isolate management systems from general user and internet-facing networks. 6. Regularly review and harden configurations of SD-WAN Manager to minimize unnecessary services and exposure. 7. Implement logging and alerting on access to credential files or unusual file read operations on the SD-WAN Manager. 8. Conduct penetration testing and vulnerability scanning focused on SD-WAN infrastructure to detect potential exploitation attempts. These steps go beyond generic advice by focusing on immediate containment, credential hygiene, and proactive detection tailored to the vulnerability's exploitation method.