CVE-2026-20128 - Vulnerability Details

- Cisco Catalyst SD-WAN Manager Information Disclosure Vulnerability

Description

A vulnerability in the Data Collection Agent (DCA) feature of Cisco Catalyst SD-WAN Manager could allow an unauthenticated, remote attacker to gain DCA user privileges on an affected system.

This vulnerability is due to the presence of a credential file for the DCA user on an affected system. An attacker could exploit this vulnerability by sending a crafted HTTP request and reading the file that contains the DCA password from that affected system. A successful exploit could allow the attacker to access another affected system and gain DCA user privileges.
Note: Cisco Catalyst SD-WAN Manager releases 20.18 and later are not affected by this vulnerability.

Published: 2026-02-25

Score: 7.5 High

EPSS: < 1% Very Low

KEV: Yes

Impact:

Action:

Analysis

Impact

The vulnerability arises because the Data Collection Agent stores its password in a credential file that can be accessed from a specific HTTP endpoint. An unauthenticated attacker can send a crafted request to that endpoint and retrieve the file, exposing the DCA user password. With the credentials, the attacker can log into other affected SD‑WAN Manager instances and obtain DCA‑level privileges, potentially gaining control over connected edge devices and the network. The flaw is classified as CWE‑257, Credential Management.

Affected Systems

Cisco’s Catalyst SD‑WAN Manager, versions up to and including 20.12.6, are impacted. Cisco has verified that releases 20.18 and later are not affected, so deployments running a newer version are secure from this specific disclosure.

Risk and Exploitability

The CVSS score of 7.5 signals high severity, yet the EPSS score of less than 1 % indicates that exploitation is currently unlikely. The attacker only needs network access to the vulnerable service and no authentication to read the credential file. While the disclosure can enable privilege escalation on other instances, there are no known public exploits and the threat is deemed low. The flaw is listed in the KEV catalog, indicating that exploit has been observed and is a higher priority.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Cisco

Cisco Catalyst SD-WAN Manager

unknown

Version	Status	Constraints
`20.1.12`	affected	—
`19.2.1`	affected	—
`18.4.4`	affected	—
`18.4.5`	affected	—
`20.1.1.1`	affected	—
`20.1.1`	affected	—
`19.3.0`	affected	—
`19.2.2`	affected	—
`19.2.099`	affected	—
`18.3.6`	affected	—
`18.3.7`	affected	—
`19.2.0`	affected	—
`18.3.8`	affected	—
`19.0.0`	affected	—
`19.1.0`	affected	—
`18.4.302`	affected	—
`18.4.303`	affected	—
`19.2.097`	affected	—
`19.2.098`	affected	—
`17.2.10`	affected	—
`18.3.6.1`	affected	—
`19.0.1a`	affected	—
`18.2.0`	affected	—
`18.4.3`	affected	—
`18.4.1`	affected	—
`17.2.8`	affected	—
`18.3.3.1`	affected	—
`18.4.0`	affected	—
`18.3.1`	affected	—
`17.2.6`	affected	—
`17.2.9`	affected	—
`18.3.4`	affected	—
`17.2.5`	affected	—
`18.3.1.1`	affected	—
`18.3.5`	affected	—
`18.4.0.1`	affected	—
`18.3.3`	affected	—
`17.2.7`	affected	—
`18.3.0`	affected	—
`19.2.3`	affected	—
`18.4.501_ES`	affected	—
`20.3.1`	affected	—
`20.1.2`	affected	—
`19.2.929`	affected	—
`19.2.31`	affected	—
`20.3.2`	affected	—
`19.2.32`	affected	—
`20.3.2.1`	affected	—
`20.3.2.1_927`	affected	—
`18.4.6`	affected	—
`20.3.2_928`	affected	—
`20.3.2_929`	affected	—
`20.4.1.0.1`	affected	—
`20.3.2.1_930`	affected	—
`19.2.4`	affected	—
`20.5.0.1.1`	affected	—
`20.4.1.1`	affected	—
`20.3.3`	affected	—
`19.2.4.0.1`	affected	—
`20.3.2_937`	affected	—
`20.5.1`	affected	—
`20.1.3`	affected	—
`20.3.3.0.4`	affected	—
`20.3.3.1.2`	affected	—
`20.3.3.1.1`	affected	—
`20.4.1.2`	affected	—
`20.3.3.0.2`	affected	—
`20.4.1.1.5`	affected	—
`20.4.1.0.02`	affected	—
`20.3.3.1.7`	affected	—
`20.3.3.1.5`	affected	—
`20.5.1.0.1`	affected	—
`20.3.3.1.10`	affected	—
`20.3.3.0.8`	affected	—
`20.4.2`	affected	—
`20.3.4`	affected	—
`20.3.3.0.14`	affected	—
`19.2.4.0.8`	affected	—
`19.2.4.0.9`	affected	—
`20.3.4.0.1`	affected	—
`20.3.2.0.5`	affected	—
`20.5.1.0.2`	affected	—
`20.6.1.1`	affected	—
`20.6.0.18.3`	affected	—
`20.3.2.0.6`	affected	—
`20.6.0.18.4`	affected	—
`20.4.2.0.2`	affected	—
`20.3.3.0.16`	affected	—
`20.6.1.0.1`	affected	—
`20.3.4.0.6`	affected	—
`20.7.1EFT2`	affected	—
`20.3.4.0.9`	affected	—
`20.3.4.0.11`	affected	—
`20.3.3.0.18`	affected	—
`20.6.2.1`	affected	—
`20.3.4.1`	affected	—
`20.4.2.1`	affected	—
`20.4.2.1.1`	affected	—
`20.3.4.1.1`	affected	—
`20.3.813`	affected	—
`20.3.4.0.19`	affected	—
`20.4.2.2.1`	affected	—
`20.5.1.2`	affected	—
`20.3.814`	affected	—
`20.4.2.2`	affected	—
`20.6.2.2`	affected	—
`20.3.4.2.1`	affected	—
`20.3.4.1.2`	affected	—
`20.3.4.0.20`	affected	—
`20.6.2.2.3`	affected	—
`20.4.2.2.2`	affected	—
`20.6.2.0.4`	affected	—
`20.3.4.0.24`	affected	—
`20.6.2.2.7`	affected	—
`20.3.4.2.2`	affected	—
`20.4.2.2.4`	affected	—
`20.3.5.0.8`	affected	—
`20.3.5.0.9`	affected	—
`20.3.5.0.7`	affected	—
`20.6.3.0.2`	affected	—
`20.9.1EFT2`	affected	—
`20.3.6`	affected	—
`20.3.7`	affected	—
`20.4.2.3`	affected	—
`20.3.5.1`	affected	—
`20.3.4.3`	affected	—
`20.3.3.2`	affected	—
`20.3.7.1`	affected	—
`20.3.4.0.25`	affected	—
`20.6.2.2.4`	affected	—
`20.6.1.2`	affected	—
`20.1.3.1`	affected	—
`20.6.5.1.4`	affected	—
`20.3.8`	affected	—
`20.12.501`	affected	—
`26.1.1`	affected	—

Configuration 1 [-]

OR	cpe:2.3:a:cisco:catalyst_sd-wan_manager::::::::
	cpe:2.3:a:cisco:catalyst_sd-wan_manager::::::::
	cpe:2.3:a:cisco:catalyst_sd-wan_manager::::::::
	cpe:2.3:a:cisco:catalyst_sd-wan_manager::::::::
	cpe:2.3:a:cisco:catalyst_sd-wan_manager:20.12.6:::::::*

No data.

Vendor Product Confidence Versions

Cisco

Catalyst Sd-wan Manager

91%

Version	Status	Scheme	Platform
`20.1.12`	affected	semver	—
`19.2.1`	affected	semver	—
`18.4.4`	affected	semver	—
`18.4.5`	affected	semver	—
`20.1.1.1`	affected	generic	—
`20.1.1`	affected	semver	—
`19.3.0`	affected	semver	—
`19.2.2`	affected	semver	—
`19.2.099`	affected	semver	—
`18.3.6`	affected	semver	—
`18.3.7`	affected	semver	—
`19.2.0`	affected	semver	—
`18.3.8`	affected	semver	—
`19.0.0`	affected	semver	—
`19.1.0`	affected	semver	—
`18.4.302`	affected	generic	—
`18.4.303`	affected	generic	—
`19.2.097`	affected	generic	—
`19.2.098`	affected	generic	—
`17.2.10`	affected	semver	—
`18.3.6.1`	affected	generic	—
`19.0.1a`	affected	generic	—
`18.2.0`	affected	semver	—
`18.4.3`	affected	semver	—
`18.4.1`	affected	semver	—
`17.2.8`	affected	semver	—
`18.3.3.1`	affected	generic	—
`18.4.0`	affected	semver	—
`18.3.1`	affected	semver	—
`17.2.6`	affected	semver	—
`17.2.9`	affected	semver	—
`18.3.4`	affected	generic	—
`17.2.5`	affected	semver	—
`18.3.1.1`	affected	generic	—
`18.3.5`	affected	semver	—
`18.4.0.1`	affected	generic	—
`18.3.3`	affected	generic	—
`17.2.7`	affected	semver	—
`18.3.0`	affected	semver	—
`19.2.3`	affected	semver	—
`18.4.501_ES`	affected	generic	—
`20.3.1`	affected	semver	—
`20.1.2`	affected	semver	—
`19.2.929`	affected	generic	—
`19.2.31`	affected	semver	—
`20.3.2`	affected	generic	—
`19.2.32`	affected	semver	—
`20.3.2.1`	affected	generic	—
`20.3.2.1_927`	affected	generic	—
`18.4.6`	affected	semver	—
`20.3.2_928`	affected	generic	—
`20.3.2_929`	affected	generic	—
`20.4.1.0.1`	affected	generic	—
`20.3.2.1_930`	affected	generic	—
`19.2.4`	affected	semver	—
`20.5.0.1.1`	affected	generic	—
`20.4.1.1`	affected	semver	—
`20.3.3`	affected	semver	—
`19.2.4.0.1`	affected	generic	—
`20.3.2_937`	affected	generic	—
`20.5.1`	affected	generic	—
`20.1.3`	affected	semver	—
`20.3.3.0.4`	affected	generic	—
`20.3.3.1.2`	affected	generic	—
`20.3.3.1.1`	affected	generic	—
`20.4.1.2`	affected	semver	—
`20.3.3.0.2`	affected	generic	—
`20.4.1.1.5`	affected	generic	—
`20.4.1.0.02`	affected	generic	—
`20.3.3.1.7`	affected	generic	—
`20.3.3.1.5`	affected	generic	—
`20.5.1.0.1`	affected	generic	—
`20.3.3.1.10`	affected	generic	—
`20.3.3.0.8`	affected	generic	—
`20.4.2`	affected	semver	—
`20.3.4`	affected	semver	—
`20.3.3.0.14`	affected	generic	—
`19.2.4.0.8`	affected	generic	—
`19.2.4.0.9`	affected	generic	—
`20.3.4.0.1`	affected	generic	—
`20.3.2.0.5`	affected	generic	—
`20.5.1.0.2`	affected	generic	—
`20.6.1.1`	affected	generic	—
`20.6.0.18.3`	affected	generic	—
`20.3.2.0.6`	affected	generic	—
`20.6.0.18.4`	affected	generic	—
`20.4.2.0.2`	affected	generic	—
`20.3.3.0.16`	affected	generic	—
`20.6.1.0.1`	affected	generic	—
`20.3.4.0.6`	affected	generic	—
`20.7.1EFT2`	affected	generic	—
`20.3.4.0.9`	affected	generic	—
`20.3.4.0.11`	affected	generic	—
`20.3.3.0.18`	affected	generic	—
`20.6.2.1`	affected	generic	—
`20.3.4.1`	affected	semver	—
`20.4.2.1`	affected	semver	—
`20.4.2.1.1`	affected	generic	—
`20.3.4.1.1`	affected	generic	—
`20.3.813`	affected	generic	—
`20.3.4.0.19`	affected	generic	—
`20.4.2.2.1`	affected	generic	—
`20.5.1.2`	affected	generic	—
`20.3.814`	affected	generic	—
`20.4.2.2`	affected	generic	—
`20.6.2.2`	affected	generic	—
`20.3.4.2.1`	affected	generic	—
`20.3.4.1.2`	affected	generic	—
`20.3.4.0.20`	affected	generic	—
`20.6.2.2.3`	affected	generic	—
`20.4.2.2.2`	affected	generic	—
`20.6.2.0.4`	affected	generic	—
`20.3.4.0.24`	affected	generic	—
`20.6.2.2.7`	affected	generic	—
`20.3.4.2.2`	affected	generic	—
`20.4.2.2.4`	affected	generic	—
`20.3.5.0.8`	affected	generic	—
`20.3.5.0.9`	affected	generic	—
`20.3.5.0.7`	affected	generic	—
`20.6.3.0.2`	affected	generic	—
`20.9.1EFT2`	affected	generic	—
`20.3.6`	affected	semver	—
`20.3.7`	affected	semver	—
`20.4.2.3`	affected	generic	—
`20.3.5.1`	affected	semver	—
`20.3.4.3`	affected	semver	—
`20.3.3.2`	affected	semver	—
`20.3.7.1`	affected	semver	—
`20.3.4.0.25`	affected	semver	—
`20.6.2.2.4`	affected	generic	—
`20.6.1.2`	affected	generic	—
`20.1.3.1`	affected	generic	—
`20.6.5.1.4`	affected	generic	—
`20.3.8`	affected	generic	—
`20.12.501`	affected	semver	—
`26.1.1`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Cisco Catalyst SD‑WAN Manager to version 20.18 or later, which removes the vulnerable credential file.
Restrict external access to the SD‑WAN Manager’s HTTP interfaces by configuring firewall rules or network segmentation to block the DCA endpoint from untrusted networks.
Verify that any remaining DCA credential file, if applicable, has strict file‑system permissions and is not readable by unauthorized users or processes.

Generated by OpenCVE AI on April 20, 2026 at 20:49 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is in the KEV database since April 20, 2026.

The EPSS score is 0.00069.

Exploitation active

Automatable no

Technical Impact total

References

Link	Providers
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-authbp-qwCX8D4v
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-20128

History

Mon, 20 Apr 2026 20:15:00 +0000

Type	Values Removed	Values Added
References		https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-20128
Metrics	ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`	ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'active', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Mon, 20 Apr 2026 19:30:00 +0000

Type	Values Removed	Values Added
Metrics		kev `{'dateAdded': '2026-04-20T00:00:00+00:00', 'dueDate': '2026-04-23T00:00:00+00:00'}`

Fri, 20 Mar 2026 21:45:00 +0000

Type	Values Removed	Values Added
Description	A vulnerability in the Data Collection Agent (DCA) feature of Cisco Catalyst SD-WAN Manager could allow an authenticated, local attacker to gain DCA user privileges on an affected system. To exploit this vulnerability, the attacker must have valid vmanage credentials on the affected system. This vulnerability is due to the presence of a credential file for the DCA user on an affected system. An attacker could exploit this vulnerability by accessing the filesystem as a low-privileged user and reading the file that contains the DCA password from that affected system. A successful exploit could allow the attacker to access another affected system and gain DCA user privileges. Note: Cisco Catalyst SD-WAN Manager releases 20.18 and later are not affected by this vulnerability.	A vulnerability in the Data Collection Agent (DCA) feature of Cisco Catalyst SD-WAN Manager could allow an unauthenticated, remote attacker to gain DCA user privileges on an affected system. This vulnerability is due to the presence of a credential file for the DCA user on an affected system. An attacker could exploit this vulnerability by sending a crafted HTTP request and reading the file that contains the DCA password from that affected system. A successful exploit could allow the attacker to access another affected system and gain DCA user privileges. Note: Cisco Catalyst SD-WAN Manager releases 20.18 and later are not affected by this vulnerability.

Wed, 04 Mar 2026 21:15:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:cisco:catalyst_sd-wan_manager:::::::: cpe:2.3:a:cisco:catalyst_sd-wan_manager:20.12.6:::::::*

Thu, 26 Feb 2026 13:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Cisco Cisco catalyst Sd-wan Manager
Vendors & Products		Cisco Cisco catalyst Sd-wan Manager

Thu, 26 Feb 2026 06:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Wed, 25 Feb 2026 17:15:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability in the Data Collection Agent (DCA) feature of Cisco Catalyst SD-WAN Manager could allow an authenticated, local attacker to gain DCA user privileges on an affected system. To exploit this vulnerability, the attacker must have valid vmanage credentials on the affected system. This vulnerability is due to the presence of a credential file for the DCA user on an affected system. An attacker could exploit this vulnerability by accessing the filesystem as a low-privileged user and reading the file that contains the DCA password from that affected system. A successful exploit could allow the attacker to access another affected system and gain DCA user privileges. Note: Cisco Catalyst SD-WAN Manager releases 20.18 and later are not affected by this vulnerability.
Title		Cisco Catalyst SD-WAN Manager Information Disclosure Vulnerability
Weaknesses		CWE-257
References		https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-authbp-qwCX8D4v
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H'}`

Subscriptions

Cisco Catalyst Sd-wan Manager

MITRE

Status: PUBLISHED

Assigner: cisco

Published: 2026-02-25T16:14:12.353Z

Updated: 2026-04-21T03:55:31.648Z

Reserved: 2025-10-08T11:59:15.379Z

Link: CVE-2026-20128

Vulnrichment

Updated: 2026-02-25T18:17:54.348Z

NVD

Status : Analyzed

Published: 2026-02-25T17:25:30.150

Modified: 2026-04-21T12:48:20.987

Link: CVE-2026-20128

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T21:00:12Z

Weaknesses

CWE-257

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity High

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation active

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object