Description
A vulnerability in the Data Collection Agent (DCA) feature of Cisco Catalyst SD-WAN Manager could allow an unauthenticated, remote attacker to gain DCA user privileges on an affected system.

This vulnerability is due to the presence of a credential file for the DCA user on an affected system. An attacker could exploit this vulnerability by sending a crafted HTTP request and reading the file that contains the DCA password from that affected system. A successful exploit could allow the attacker to access another affected system and gain DCA user privileges.
Note: Cisco Catalyst SD-WAN Manager releases 20.18 and later are not affected by this vulnerability.
Published: 2026-02-25
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Credential Disclosure / Privilege Escalation
Action: Update
AI Analysis

Impact

The vulnerability arises because the Data Collection Agent stores its password in a credential file that can be accessed from a specific HTTP endpoint. An unauthenticated attacker can send a crafted request to that endpoint and retrieve the file, exposing the DCA user password. With the credentials, the attacker can log into other affected SD‑WAN Manager instances and obtain DCA‑level privileges, potentially gaining control over connected edge devices and the network. The flaw is classified as CWE‑257, Credential Management.

Affected Systems

Cisco’s Catalyst SD‑WAN Manager, versions up to and including 20.12.6, are impacted. Cisco has verified that releases 20.18 and later are not affected, so deployments running a newer version are secure from this specific disclosure.

Risk and Exploitability

The CVSS score of 7.5 signals high severity, yet the EPSS score of less than 1 % indicates that exploitation is currently unlikely. The attacker only needs network access to the vulnerable service and no authentication to read the credential file. While the disclosure can enable privilege escalation on other instances, there are no known public exploits and the threat is deemed low. The flaw is not listed in the KEV catalog, underscoring its limited exploitation risk.

Generated by OpenCVE AI on April 16, 2026 at 06:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Cisco Catalyst SD‑WAN Manager to version 20.18 or later, which removes the vulnerable credential file.
  • Restrict external access to the SD‑WAN Manager’s HTTP interfaces by configuring firewall rules or network segmentation to block the DCA endpoint from untrusted networks.
  • Verify that any remaining DCA credential file, if applicable, has strict file‑system permissions and is not readable by unauthorized users or processes.



Advisories

No advisories yet.

History

Fri, 20 Mar 2026 21:45:00 +0000

Type Values Removed Values Added
Description
Values Removed: A vulnerability in the Data Collection Agent (DCA) feature of Cisco Catalyst SD-WAN Manager could allow an authenticated, local attacker to gain DCA user privileges on an affected system. To exploit this vulnerability, the attacker must have valid vmanage credentials on the affected system. This vulnerability is due to the presence of a credential file for the DCA user on an affected system. An attacker could exploit this vulnerability by accessing the filesystem as a low-privileged user and reading the file that contains the DCA password from that affected system. A successful exploit could allow the attacker to access another affected system and gain DCA user privileges. Note: Cisco Catalyst SD-WAN Manager releases 20.18 and later are not affected by this vulnerability.
Values Added: A vulnerability in the Data Collection Agent (DCA) feature of Cisco Catalyst SD-WAN Manager could allow an unauthenticated, remote attacker to gain DCA user privileges on an affected system. This vulnerability is due to the presence of a credential file for the DCA user on an affected system. An attacker could exploit this vulnerability by sending a crafted HTTP request and reading the file that contains the DCA password from that affected system. A successful exploit could allow the attacker to access another affected system and gain DCA user privileges. Note: Cisco Catalyst SD-WAN Manager releases 20.18 and later are not affected by this vulnerability.

Wed, 04 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:cisco:catalyst_sd-wan_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:cisco:catalyst_sd-wan_manager:20.12.6:*:*:*:*:*:*:*

Thu, 26 Feb 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Cisco
Cisco catalyst Sd-wan Manager
Vendors & Products Cisco
Cisco catalyst Sd-wan Manager

Thu, 26 Feb 2026 06:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 25 Feb 2026 17:15:00 +0000

Type Values Removed Values Added
Description A vulnerability in the Data Collection Agent (DCA) feature of Cisco Catalyst SD-WAN Manager could allow an authenticated, local attacker to gain DCA user privileges on an affected system. To exploit this vulnerability, the attacker must have valid vmanage credentials on the affected system. This vulnerability is due to the presence of a credential file for the DCA user on an affected system. An attacker could exploit this vulnerability by accessing the filesystem as a low-privileged user and reading the file that contains the DCA password from that affected system. A successful exploit could allow the attacker to access another affected system and gain DCA user privileges. Note: Cisco Catalyst SD-WAN Manager releases 20.18 and later are not affected by this vulnerability.
Title Cisco Catalyst SD-WAN Manager Information Disclosure Vulnerability
Weaknesses CWE-257
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: cisco

Published:

Updated: 2026-03-20T21:47:33.415Z

Reserved: 2025-10-08T11:59:15.379Z

Link: CVE-2026-20128

Vulnrichment

Updated: 2026-02-25T18:17:54.348Z

NVD

Status : Modified

Published: 2026-02-25T17:25:30.150

Modified: 2026-03-20T22:16:25.377

Link: CVE-2026-20128

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T06:15:26Z

Weaknesses