CVE-2026-20128
Credential Exposure in Cisco SD-WAN Manager DCA Enables Privilege Escalation
Publication date: 2026-02-25
Last updated on: 2026-04-21
Assigner: Cisco Systems, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cisco | catalyst_sd-wan_manager | to 20.9.8.2 (exc) |
| cisco | catalyst_sd-wan_manager | From 20.13 (inc) to 20.15.4.2 (exc) |
| cisco | catalyst_sd-wan_manager | 20.12.6 |
| cisco | catalyst_sd-wan_manager | From 20.16 (inc) to 20.18 (exc) |
| cisco | catalyst_sd-wan_manager | From 20.10 (inc) to 20.12.5.3 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-257 | The storage of passwords in a recoverable format makes them subject to password reuse attacks by malicious users. In fact, it should be noted that recoverable encrypted passwords provide no significant benefit over plaintext passwords since they are subject not only to reuse by malicious attackers but also by malicious insiders. If a system administrator can recover a password directly, or use a brute force search on the available information, the administrator can use the password on other accounts. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
Can you explain this vulnerability to me?
This vulnerability exists in the Data Collection Agent (DCA) feature of Cisco Catalyst SD-WAN Manager. It allows an authenticated local attacker, who already has valid vmanage credentials, to gain DCA user privileges on the affected system.
The issue arises because a credential file containing the DCA user's password is stored on the system. A low-privileged user can read this file from the filesystem, which can then be used to access another affected system with elevated DCA user privileges.
Note that Cisco Catalyst SD-WAN Manager releases 20.18 and later are not affected by this vulnerability.
How can this vulnerability impact me? :
If exploited, this vulnerability could allow an attacker with some level of access to escalate their privileges to DCA user level on the affected system.
This elevated access could lead to unauthorized control over the Data Collection Agent, potentially compromising the confidentiality, integrity, and availability of the system.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for the presence of the credential file for the Data Collection Agent (DCA) user on the affected system's filesystem. Since the vulnerability involves an attacker reading the DCA password file as a low-privileged user, inspecting the filesystem for such credential files is key.
Commands to detect this might include searching for files related to the DCA user credentials, for example using commands like:
- find / -name '*dca*' -type f -exec ls -l {} \;
- grep -i dca /etc/passwd
- cat /path/to/dca/credential/file (if known and accessible)
Note that the exact file path is not provided in the context, so system-specific knowledge or vendor documentation may be required to identify the exact credential file location.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include ensuring that only authorized users have access to the filesystem locations where DCA credentials are stored, and restricting permissions on these credential files to prevent unauthorized reading.
Additionally, upgrading Cisco Catalyst SD-WAN Manager to release 20.18 or later will mitigate this vulnerability, as these versions are not affected.
It is also recommended to review and limit the number of users with valid vmanage credentials, as exploitation requires valid credentials.