CVE ID: CVE-2026-20128
Published: 2026-02-25
Updated: 18 days ago
Vendor: Cisco
Product: Catalyst SD-WAN Manager
Affected versions: all releases before 20.9.8.2, plus the 20.10, 20.13 and 20.16 branches before their fixed releases (full ranges in the CPE table below)
KEV status: Active Exploitation. Listed in CISA's Known Exploited Vulnerabilities catalogue; exploitation has been observed in the wild.
CVSS score (v3.1): 7.5 / 10, High

Severity details
Base score: 7.5 High
Vector (reconstructed from the metrics below; it reproduces the 7.5 score): CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack vector: Local
Attack complexity: High
Privileges required: High
User interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Description

CVE-2026-20128 is a privilege-escalation vulnerability in Cisco Catalyst SD-WAN Manager arising from a recoverable credential file used by the Data Collection Agent (CWE-257). It is rated High (7.5) and is being actively exploited. Note that the CVSS v3.1 metrics on this page record a Local attack vector with High privileges required: treat this as a post-access escalation path that lets an attacker who already has a foothold on the manager recover the DCA credential, not as an unauthenticated remote entry point.

CPE

Vendor: Cisco

Product                  Version start (incl.)  Version end (excl.)  Status
catalyst_sd-wan_manager  *                      20.9.8.2             vulnerable
catalyst_sd-wan_manager  20.10                  20.12.5.3            vulnerable
catalyst_sd-wan_manager  20.13                  20.15.4.2            vulnerable
catalyst_sd-wan_manager  20.16                  20.18                vulnerable
catalyst_sd-wan_manager  20.12.6                20.12.6              vulnerable

Note: the last row lists 20.12.6 with identical start and end, which under exclusive-end semantics would match nothing. Read it as 20.12.6 itself being affected, and confirm the state of the 20.12 branch against Cisco's advisory before treating anything at or above 20.12.5.3 as fixed.
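
The following script, added here as a worked example and not Cisco's own tooling, turns the CPE table above into a check you can run against the version string a manager reports. The ranges are transcribed from the table (start inclusive, end exclusive). The 20.12.6 row, whose start and end are equal, is treated as that single version being affected; that is an interpretation of the table, not something the page states, so the check says so in its output.

```python
"""Check a Catalyst SD-WAN Manager version against the affected ranges on this page.

Added example; not Cisco's own tooling. AFFECTED_RANGES is transcribed from the
CPE table (start inclusive, end exclusive). The 20.12.6 row has start == end,
which would match nothing under exclusive-end semantics, so it is kept as a
single explicitly listed version: an interpretation, not a statement from the page.
"""
from __future__ import annotations

import re
import sys

# (start_inclusive or None for "any", end_exclusive), from the CPE table.
AFFECTED_RANGES: list[tuple[str | None, str]] = [
    (None, "20.9.8.2"),
    ("20.10", "20.12.5.3"),
    ("20.13", "20.15.4.2"),
    ("20.16", "20.18"),
]
EXPLICITLY_LISTED = ["20.12.6"]  # see module docstring

_VERSION_RE = re.compile(r"\d+(?:\.\d+)*")


def parse_version(text: str) -> tuple[int, ...]:
    """'20.12.5.3' -> (20, 12, 5, 3). Rejects anything that is not dotted integers."""
    text = text.strip()
    if not _VERSION_RE.fullmatch(text):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in text.split("."))


def compare(a: tuple[int, ...], b: tuple[int, ...]) -> int:
    """Three-way compare with zero padding, so 20.10 == 20.10.0.0 and 20.18 > 20.17.9."""
    width = max(len(a), len(b))
    a, b = a + (0,) * (width - len(a)), b + (0,) * (width - len(b))
    return (a > b) - (a < b)


def is_affected(version: str) -> tuple[bool, str]:
    """Return (affected?, reason) for a manager version string."""
    ver = parse_version(version)
    for listed in EXPLICITLY_LISTED:
        if compare(ver, parse_version(listed)) == 0:
            return True, f"{listed} is listed individually in the CPE table; confirm with Cisco"
    for start, end in AFFECTED_RANGES:
        above_start = start is None or compare(ver, parse_version(start)) >= 0
        below_end = compare(ver, parse_version(end)) < 0
        if above_start and below_end:
            return True, f"in affected range [{start or 'any'}, {end})"
    return False, "not in any affected range on this page"


if __name__ == "__main__":
    # Pass version strings on the command line; otherwise walk a few boundary cases.
    for arg in sys.argv[1:] or ["20.9.8.1", "20.9.8.2", "20.12.5.2", "20.12.6", "20.17.1", "20.18"]:
        affected, why = is_affected(arg)
        print(f"{arg:>10}  {'AFFECTED' if affected else 'ok      '}  {why}")
```

The boundary cases matter: 20.9.8.2, 20.12.5.3, 20.15.4.2 and 20.18 are the first fixed releases of their branches and come back as not affected, while the release immediately below each is flagged.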

Related weakness (CWE)

CWE-257: Storing Passwords in a Recoverable Format

Remediation plan

1. Apply official patches

Install the security updates Cisco has released for Catalyst SD-WAN Manager. The fixed releases address the vulnerability by removing the hardcoded or readable credential file used by the Data Collection Agent (DCA).

2. Update affected systems

Run Catalyst SD-WAN Manager 20.18 or later. If you must stay on an older branch, upgrade to at least 20.9.8.2, 20.12.5.3 or 20.15.4.2, the first fixed release of each branch. The CPE table above also lists 20.12.6 on its own; confirm with Cisco's advisory before treating that release as fixed.

3. Restrict access

Apply strict access control lists (ACLs) that limit HTTP/HTTPS access to the SD-WAN Manager interface, keep the management plane off the public internet, and allow only trusted administrative subnets to reach it. Because the recorded attack vector is Local with High privileges required, this narrows who can reach the system in the first place; it does not remove the recoverable credential and is not a substitute for the update.

4. Monitor for exploitation

Review web server access logs for unusual GET requests against configuration or credential files, and watch for unexpected logins or activity by the DCA user account. Either may indicate an attacker has recovered the credential and is pivoting within the environment.

Detection Guidance

Monitor web server access logs for HTTP requests aimed at sensitive file paths or Data Collection Agent (DCA) components, and for unauthorized attempts to read local system files. Audit system logs for new DCA sessions from unexpected source IP addresses. Follow CISA's 'Hunt & Hardening' guidance, looking specifically for indicators of credential theft and lateral movement within the SD-WAN fabric. Since the underlying weakness is a credential stored in recoverable form (CWE-257), a successful read produces no error on its own; correlate any access to the credential file with subsequent authentication as the DCA account from the same or a related source, as that pairing is the strongest sign the credential has been taken and used.
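
Remediation steps 3 and 4 and the detection guidance above all reduce to the same hunt over the manager's access log: requests for sensitive or DCA-related paths, requests from outside the trusted admin subnets, and activity by the DCA account. The script below, added here as an example and not Cisco or CISA tooling, runs that hunt over a constructed log. The trusted subnet and the DCA account name are assumptions, and the path patterns are placeholders: this page does not name the credential file or the DCA endpoints, so substitute the real ones from Cisco's advisory.

```python
"""Triage a web-server access log for the hunt criteria in the detection guidance.

Added example; not Cisco or CISA tooling. SAMPLE_LOG is constructed, the subnet
and account name are assumptions, and SENSITIVE_PATH_RE holds placeholders for
paths this page does not name.
"""
from __future__ import annotations

import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Assumption: the only subnet that should reach the management plane (step 3).
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.20.30.0/24")]
# Assumption: the username the Data Collection Agent authenticates as.
DCA_USER = "dca"
# Placeholder watch list for "sensitive file paths or DCA components".
SENSITIVE_PATH_RE = re.compile(
    r"/dca/|\.(?:conf|properties|ini|pem|key)(?:$|\?)|credential|passw", re.I
)
# Combined Log Format (Apache/nginx default); adjust if the manager logs differently.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample: normal admin traffic, a credential-file read from an
# untrusted address, a blocked read from inside, and a later login as the DCA
# account from a third address.
SAMPLE_LOG = [
    '10.20.30.5 - admin [25/Feb/2026:10:01:02 +0000] "GET /dataservice/device HTTP/1.1" 200 512',
    '198.51.100.23 - - [25/Feb/2026:10:02:44 +0000] "GET /dca/config.properties HTTP/1.1" 200 1340',
    '198.51.100.23 - - [25/Feb/2026:10:02:51 +0000] "GET /dataservice/client/server HTTP/1.1" 200 288',
    '10.20.30.7 - admin [25/Feb/2026:10:03:15 +0000] "GET /dca/config.properties HTTP/1.1" 403 0',
    '203.0.113.9 - dca [25/Feb/2026:10:05:00 +0000] "POST /dataservice/login HTTP/1.1" 200 77',
    'this line is not in combined log format and is skipped',
]


@dataclass
class Finding:
    src: str
    user: str
    ts: str
    method: str
    path: str
    status: int
    reasons: list[str]


def is_trusted(src: str) -> bool:
    """True only for a parseable address inside one of the trusted admin subnets."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_ADMIN_NETS)


def analyze(lines: list[str]) -> list[Finding]:
    """Return one Finding per line that matches at least one hunt criterion."""
    findings: list[Finding] = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsable lines are skipped, not fatal, mid-hunt
        status = int(m["status"])
        reasons: list[str] = []
        if SENSITIVE_PATH_RE.search(m["path"]):
            reasons.append("sensitive-path")
            if status == 200:
                reasons.append("served-200")  # the file was actually returned
        if not is_trusted(m["ip"]):
            reasons.append("untrusted-source")
        if m["user"] == DCA_USER:
            reasons.append("dca-account")
        if reasons:
            findings.append(Finding(m["ip"], m["user"], m["ts"], m["method"],
                                    m["path"], status, reasons))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count how often each reason fired, for a quick triage overview."""
    return dict(Counter(r for f in findings for r in f.reasons))


if __name__ == "__main__":
    hits = analyze(SAMPLE_LOG)
    for f in hits:
        print(f"{f.ts}  {f.src:<15} {f.user:<6} {f.method} {f.path} {f.status}  {','.join(f.reasons)}")
    print(summarize(hits))
```

On the sample, the line that should get attention first is the one carrying all three of sensitive-path, served-200 and untrusted-source: a credential file returned with 200 to an address that should never reach the interface. The later DCA-account login from a different untrusted address is the kind of follow-on activity step 4 describes, and the two should be correlated during the hunt.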

References

NIST National Vulnerability Database (NVD)
CISA Known Exploited Vulnerabilities (KEV)
