SD-WAN Manager Vulnerable to Credential Disclosure via Recoverable Password Storage
Summary
CVE-2026-20128, a vulnerability in Cisco Catalyst SD-WAN Manager's Data Collection Agent (DCA), has been added to CISA's Known Exploited Vulnerabilities catalog. The flaw, scoring 7.5 HIGH on CVSS 3.1, stems from passwords stored in recoverable format, allowing unauthenticated remote attackers to read credential files and gain DCA user privileges. Cisco SD-WAN Manager releases 20.18 and later are unaffected.
“A vulnerability in the Data Collection Agent (DCA) feature of Cisco Catalyst SD-WAN Manager could allow an unauthenticated, remote attacker to gain DCA user privileges on an affected system.”
Network operators running Cisco Catalyst SD-WAN Manager should cross-reference deployed versions against the 136 affected versions listed in this CVE. The SSVC classification marking exploitation as 'active' with 'total' technical impact means this is not a theoretical risk — immediate inventory and patching to 20.18 or later should be prioritized. The CVSS vector (AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H) indicates high confidentiality and integrity impact even from a local attack vector, and the CWE-257 classification (storing passwords in recoverable format) suggests a systemic coding practice that may affect other Cisco products — operators should check for similar patterns across their Cisco deployments.
What changed
CISA added CVE-2026-20128 to its Known Exploited Vulnerabilities catalog, flagging a high-severity vulnerability in Cisco Catalyst SD-WAN Manager where the DCA feature stores passwords in a recoverable format. The vulnerability allows an unauthenticated remote attacker to send a crafted HTTP request, read a credential file, and gain DCA user privileges on affected systems.
Organizations running Cisco Catalyst SD-WAN Manager should identify whether any deployed version falls within the 136 affected versions listed (spanning releases from 17.2.5 through 26.1.1) and patch to release 20.18 or later, which Cisco confirms is unaffected. The active exploitation status (SSVC: Exploitation=Active, Automatable=No, Technical Impact=Total) means this vulnerability is being actively exploited in the wild, warranting priority remediation.
Archived snapshot
Apr 21, 2026GovPing captured this document from the original source. If the source has since changed or been removed, this is the text as it existed at that time.
Required CVE Record Information
CNA: Cisco Systems, Inc.
Updated:
2026-03-20
Description
A vulnerability in the Data Collection Agent (DCA) feature of Cisco Catalyst SD-WAN Manager could allow an unauthenticated, remote attacker to gain DCA user privileges on an affected system.
This vulnerability is due to the presence of a credential file for the DCA user on an affected system. An attacker could exploit this vulnerability by sending a crafted HTTP request and reading the file that contains the DCA password from that affected system. A successful exploit could allow the attacker to access another affected system and gain DCA user privileges.
Note: Cisco Catalyst SD-WAN Manager releases 20.18 and later are not affected by this vulnerability.
CWE 1 Total
Learn more
- CWE-257: Storing Passwords in a Recoverable Format
CVSS 1 Total
Learn more
| Score | Severity | Version | Vector String |
| --- | --- | --- | --- |
| 7.5 | HIGH | 3.1 | CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H |
Product Status
Learn more Versions 136 Total
Default Status: unknown
affected
affected at 20.1.12
affected at 19.2.1
affected at 18.4.4
affected at 18.4.5
affected at 20.1.1.1
affected at 20.1.1
affected at 19.3.0
affected at 19.2.2
affected at 19.2.099
affected at 18.3.6
affected at 18.3.7
affected at 19.2.0
affected at 18.3.8
affected at 19.0.0
affected at 19.1.0
affected at 18.4.302
affected at 18.4.303
affected at 19.2.097
affected at 19.2.098
affected at 17.2.10
affected at 18.3.6.1
affected at 19.0.1a
affected at 18.2.0
affected at 18.4.3
affected at 18.4.1
affected at 17.2.8
affected at 18.3.3.1
affected at 18.4.0
affected at 18.3.1
affected at 17.2.6
affected at 17.2.9
affected at 18.3.4
affected at 17.2.5
affected at 18.3.1.1
affected at 18.3.5
affected at 18.4.0.1
affected at 18.3.3
affected at 17.2.7
affected at 18.3.0
affected at 19.2.3
affected at 18.4.501_ES
affected at 20.3.1
affected at 20.1.2
affected at 19.2.929
affected at 19.2.31
affected at 20.3.2
affected at 19.2.32
affected at 20.3.2.1
affected at 20.3.2.1_927
affected at 18.4.6
affected at 20.3.2_928
affected at 20.3.2_929
affected at 20.4.1.0.1
affected at 20.3.2.1_930
affected at 19.2.4
affected at 20.5.0.1.1
affected at 20.4.1.1
affected at 20.3.3
affected at 19.2.4.0.1
affected at 20.3.2_937
affected at 20.5.1
affected at 20.1.3
affected at 20.3.3.0.4
affected at 20.3.3.1.2
affected at 20.3.3.1.1
affected at 20.4.1.2
affected at 20.3.3.0.2
affected at 20.4.1.1.5
affected at 20.4.1.0.02
affected at 20.3.3.1.7
affected at 20.3.3.1.5
affected at 20.5.1.0.1
affected at 20.3.3.1.10
affected at 20.3.3.0.8
affected at 20.4.2
affected at 20.3.4
affected at 20.3.3.0.14
affected at 19.2.4.0.8
affected at 19.2.4.0.9
affected at 20.3.4.0.1
affected at 20.3.2.0.5
affected at 20.5.1.0.2
affected at 20.6.1.1
affected at 20.6.0.18.3
affected at 20.3.2.0.6
affected at 20.6.0.18.4
affected at 20.4.2.0.2
affected at 20.3.3.0.16
affected at 20.6.1.0.1
affected at 20.3.4.0.6
affected at 20.7.1EFT2
affected at 20.3.4.0.9
affected at 20.3.4.0.11
affected at 20.3.3.0.18
affected at 20.6.2.1
affected at 20.3.4.1
affected at 20.4.2.1
affected at 20.4.2.1.1
affected at 20.3.4.1.1
affected at 20.3.813
affected at 20.3.4.0.19
affected at 20.4.2.2.1
affected at 20.5.1.2
affected at 20.3.814
affected at 20.4.2.2
affected at 20.6.2.2
affected at 20.3.4.2.1
affected at 20.3.4.1.2
affected at 20.3.4.0.20
affected at 20.6.2.2.3
affected at 20.4.2.2.2
affected at 20.6.2.0.4
affected at 20.3.4.0.24
affected at 20.6.2.2.7
affected at 20.3.4.2.2
affected at 20.4.2.2.4
affected at 20.3.5.0.8
affected at 20.3.5.0.9
affected at 20.3.5.0.7
affected at 20.6.3.0.2
affected at 20.9.1EFT2
affected at 20.3.6
affected at 20.3.7
affected at 20.4.2.3
affected at 20.3.5.1
affected at 20.3.4.3
affected at 20.3.3.2
affected at 20.3.7.1
affected at 20.3.4.0.25
affected at 20.6.2.2.4
affected at 20.6.1.2
affected at 20.1.3.1
affected at 20.6.5.1.4
affected at 20.3.8
affected at 20.12.501
affected at 26.1.1
References 1 Total
Authorized Data Publishers
CISA-ADP
SSVC and KEV, plus CVSS and CWE if not provided by the CNA.
SSVC 1 Total
Learn more
| Exploitation | Automatable | Technical Impact | Version | Date Accessed |
| --- | --- | --- | --- | --- |
| active | no | total | 2.0.3 | 2026-02-25 |
KEV 1 Total
Learn more
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-20128 (2026-04-20)
Mentioned entities
Related changes
Get daily alerts for CISA Known Exploited Vulnerabilities (KEV)
Daily digest delivered to your inbox.
Free. Unsubscribe anytime.
Source
About this page
Every important government, regulator, and court update from around the world. One place. Real-time. Free. Our mission
Source document text, dates, docket IDs, and authority are extracted directly from Cisco.
The summary, classification, recommended actions, deadlines, and penalty information are AI-generated from the original text and may contain errors. Always verify against the source document.
Classification
Who this affects
Taxonomy
Browse Categories
Get alerts for this source
We'll email you when CISA Known Exploited Vulnerabilities (KEV) publishes new changes.
Subscribed!
Optional. Filters your digest to exactly the updates that matter to you.