CVE-2026-20128 is an information disclosure vulnerability in Cisco Catalyst SD-WAN Manager that exposes DCA user credentials in a readable file. Its CVSS vector shows a LOCAL attack vector with high privileges required and high attack complexity, making direct internet exploitation unlikely despite the CISA KEV listing.
Data Source: CIRCL
Confidence: HIGH
Exploitation Method: OTHER
CVE Published: 2026-02-25
Added to CISA KEV: 2026-04-20
Days Between CVE and KEV: 54
CVE-2026-20128 is a high-severity vulnerability affecting Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage) [1]. It has been confirmed as being actively exploited in the wild and is included in the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog [2] [3].
CVE-2026-20128 is a high-severity vulnerability (CVSS 7.5) in Cisco Catalyst SD-WAN Manager that is currently listed on CISA’s Known Exploited Vulnerabilities (KEV) catalog. It allows unauthenticated attackers to retrieve sensitive credential files via crafted HTTP requests, gaining Data Collection…
CVE-2026-20128 Cisco Catalyst SD-WAN Manager Storing Passwords in a Recoverable Format Vulnerability; CVE-2026-20133 Cisco Catalyst SD-WAN ...
Cisco warns CVE-2026-20122 and CVE-2026-20128 in Catalyst SD-WAN Manager are actively exploited; patches released across multiple software versions.
Indicators of compromise for the exploitation of CVE-2026-20128 and CVE-2026-20122 are as follows. CVE-2026-20128: Cisco Catalyst SD-WAN Manager ... Multiple vulnerabilities in Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an attacker to access an affected system, elevate privi…
A vulnerability in the Data Collection Agent (DCA) feature of Cisco Catalyst SD-WAN Manager could allow an authenticated, local attacker to gain DCA user privileges on an affected system. To exploit this vulnerability, the attacker must have valid vmanage credentials on the affected system. This vul…