CVE-2026-20128

Received Received - Intake

Credential Exposure in Cisco SD-WAN Manager DCA Enables Privilege Escalation

Publication date: 2026-02-25

Last updated on: 2026-04-21

Assigner: Cisco Systems, Inc.

Description

A vulnerability in the Data Collection Agent (DCA) feature of Cisco Catalyst SD-WAN Manager could allow an unauthenticated, remote attacker to gain DCA user privileges on an affected system. This vulnerability is due to the presence of a credential file for the DCA user on an affected system. An attacker could exploit this vulnerability by sending a crafted HTTP request and reading the file that contains the DCA password from that affected system. A successful exploit could allow the attacker to access another affected system and gain DCA user privileges. Note: Cisco Catalyst SD-WAN Manager releases 20.18 and later are not affected by this vulnerability.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-02-25

Last Modified

2026-04-21

Generated

2026-06-16

AI Q&A

2026-02-25

EPSS Evaluated

2026-06-14

NVD

CVE-2026-20128

EUVD

EUVD-2026-8676

Affected Vendors & Products

Vendor	Product	Version / Range
cisco	catalyst_sd-wan_manager	to 20.9.8.2 (exc)
cisco	catalyst_sd-wan_manager	From 20.13 (inc) to 20.15.4.2 (exc)
cisco	catalyst_sd-wan_manager	20.12.6
cisco	catalyst_sd-wan_manager	From 20.16 (inc) to 20.18 (exc)
cisco	catalyst_sd-wan_manager	From 20.10 (inc) to 20.12.5.3 (exc)

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-257	The storage of passwords in a recoverable format makes them subject to password reuse attacks by malicious users. In fact, it should be noted that recoverable encrypted passwords provide no significant benefit over plaintext passwords since they are subject not only to reuse by malicious attackers but also by malicious insiders. If a system administrator can recover a password directly, or use a brute force search on the available information, the administrator can use the password on other accounts.

CWE ID

Description

CWE-257

The storage of passwords in a recoverable format makes them subject to password reuse attacks by malicious users. In fact, it should be noted that recoverable encrypted passwords provide no significant benefit over plaintext passwords since they are subject not only to reuse by malicious attackers but also by malicious insiders. If a system administrator can recover a password directly, or use a brute force search on the available information, the administrator can use the password on other accounts.

Attack-Flow Graph

Executive Summary

This vulnerability exists in the Data Collection Agent (DCA) feature of Cisco Catalyst SD-WAN Manager. It allows an authenticated local attacker, who already has valid vmanage credentials, to gain DCA user privileges on the affected system.

The issue arises because a credential file containing the DCA user's password is stored on the system. A low-privileged user can read this file from the filesystem, which can then be used to access another affected system with elevated DCA user privileges.

Note that Cisco Catalyst SD-WAN Manager releases 20.18 and later are not affected by this vulnerability.

Compliance Impact

I don't know

Impact Analysis

If exploited, this vulnerability could allow an attacker with some level of access to escalate their privileges to DCA user level on the affected system.

This elevated access could lead to unauthorized control over the Data Collection Agent, potentially compromising the confidentiality, integrity, and availability of the system.

Detection Guidance

This vulnerability can be detected by checking for the presence of the credential file for the Data Collection Agent (DCA) user on the affected system's filesystem. Since the vulnerability involves an attacker reading the DCA password file as a low-privileged user, inspecting the filesystem for such credential files is key.

Commands to detect this might include searching for files related to the DCA user credentials, for example using commands like:

find / -name '*dca*' -type f -exec ls -l {} \;
grep -i dca /etc/passwd
cat /path/to/dca/credential/file (if known and accessible)

Note that the exact file path is not provided in the context, so system-specific knowledge or vendor documentation may be required to identify the exact credential file location.

Mitigation Strategies

Immediate mitigation steps include ensuring that only authorized users have access to the filesystem locations where DCA credentials are stored, and restricting permissions on these credential files to prevent unauthorized reading.

Additionally, upgrading Cisco Catalyst SD-WAN Manager to release 20.18 or later will mitigate this vulnerability, as these versions are not affected.

It is also recommended to review and limit the number of users with valid vmanage credentials, as exploitation requires valid credentials.

Hi! I’m here to help you understand CVE-2026-20128. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2026-20128

Credential Exposure in Cisco SD-WAN Manager DCA Enables Privilege Escalation

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart