CVE-2026-20128: Storing Passwords in a Recoverable Format in Cisco Cisco Catalyst SD-WAN Manager
CVE-2026-20128 is a high-severity vulnerability in the Data Collection Agent (DCA) feature of Cisco Catalyst SD-WAN Manager. It allows an unauthenticated, remote attacker to gain DCA user privileges by exploiting a credential file containing the DCA password accessible via a crafted HTTP request. This vulnerability affects multiple versions prior to 20. 18, which is not vulnerable. Successful exploitation could enable an attacker to access other affected systems with elevated privileges.
AI Analysis
Technical Summary
This vulnerability arises from the presence of a credential file for the DCA user on affected Cisco Catalyst SD-WAN Manager systems. An attacker can send a specially crafted HTTP request to read this file and obtain the DCA password. With these credentials, the attacker can gain DCA user privileges and potentially move laterally to other affected systems. Versions 20.18 and later are not affected by this issue.
Potential Impact
An attacker exploiting this vulnerability can gain DCA user privileges on an affected system without authentication, leading to high confidentiality, integrity, and availability impacts. This could allow unauthorized access and control over the affected system and potentially other connected systems.
Mitigation Recommendations
Cisco Catalyst SD-WAN Manager releases 20.18 and later are not affected by this vulnerability. Upgrading to version 20.18 or later is the recommended remediation. Since no official patch links or advisories are provided in the input, patch status is not explicitly confirmed; therefore, check Cisco's official advisory for the latest remediation guidance.
CVE-2026-20128: Storing Passwords in a Recoverable Format in Cisco Cisco Catalyst SD-WAN Manager
Description
CVE-2026-20128 is a high-severity vulnerability in the Data Collection Agent (DCA) feature of Cisco Catalyst SD-WAN Manager. It allows an unauthenticated, remote attacker to gain DCA user privileges by exploiting a credential file containing the DCA password accessible via a crafted HTTP request. This vulnerability affects multiple versions prior to 20. 18, which is not vulnerable. Successful exploitation could enable an attacker to access other affected systems with elevated privileges.
CVSS v3.1
Score 7.5high
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability arises from the presence of a credential file for the DCA user on affected Cisco Catalyst SD-WAN Manager systems. An attacker can send a specially crafted HTTP request to read this file and obtain the DCA password. With these credentials, the attacker can gain DCA user privileges and potentially move laterally to other affected systems. Versions 20.18 and later are not affected by this issue.
Potential Impact
An attacker exploiting this vulnerability can gain DCA user privileges on an affected system without authentication, leading to high confidentiality, integrity, and availability impacts. This could allow unauthorized access and control over the affected system and potentially other connected systems.
Mitigation Recommendations
Cisco Catalyst SD-WAN Manager releases 20.18 and later are not affected by this vulnerability. Upgrading to version 20.18 or later is the recommended remediation. Since no official patch links or advisories are provided in the input, patch status is not explicitly confirmed; therefore, check Cisco's official advisory for the latest remediation guidance.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- cisco
- Date Reserved
- 2025-10-08T11:59:15.379Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 699f6b6fb7ef31ef0b5556a4
Added to database: 2/25/2026, 9:36:47 PM
Last enriched: 4/28/2026, 6:09:25 AM
Last updated: 5/27/2026, 9:52:54 PM
Views: 228
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.