CVE-2026-20128

A vulnerability in the Data Collection Agent (DCA) feature of Cisco Catalyst SD-WAN Manager could allow an unauthenticated, remote attacker to gain DCA user privileges on an affected system. This vulnerability is due to the presence of a credential file for the DCA user on an affected system. An attacker could exploit this vulnerability by sending a crafted HTTP request and reading the file that contains the DCA password from that affected system. A successful exploit could allow the attacker to access another affected system and gain DCA user privileges. Note: Cisco Catalyst SD-WAN Manager releases 20.18 and later are not affected by this vulnerability.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 0.8 / Impact : 6.0

Attack Vector LOCAL

Attack Complexity HIGH

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-authbp-qwCX8D4v	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:cisco:catalyst_sd-wan_manager::::::::
	cpe:2.3:a:cisco:catalyst_sd-wan_manager::::::::
	cpe:2.3:a:cisco:catalyst_sd-wan_manager::::::::
	cpe:2.3:a:cisco:catalyst_sd-wan_manager::::::::
	cpe:2.3:a:cisco:catalyst_sd-wan_manager:20.12.6:::::::*

History

No history.

Information

Published : 2026-02-25 17:25

Updated : 2026-03-20 22:16

NVD link : CVE-2026-20128

Mitre link : CVE-2026-20128

CVE.ORG link : CVE-2026-20128

JSON object : View

Products Affected

cisco

catalyst_sd-wan_manager

CWE

CWE-257

Storing Passwords in a Recoverable Format

{"id": "CVE-2026-20128", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "psirt@cisco.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 0.8}]}, "published": "2026-02-25T17:25:30.150", "references": [{"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-authbp-qwCX8D4v", "tags": ["Vendor Advisory"], "source": "psirt@cisco.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "psirt@cisco.com", "description": [{"lang": "en", "value": "CWE-257"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability in the Data Collection Agent (DCA) feature of Cisco Catalyst SD-WAN Manager could allow an unauthenticated, remote attacker to gain DCA user privileges on an affected system.\r\n\r\nThis vulnerability is due to the presence of a credential file for the DCA user on an affected system. An attacker could exploit this vulnerability by sending a crafted HTTP request and reading the file that contains the DCA password from that affected system. A successful exploit could allow the attacker to access another affected system and gain DCA user privileges.\r\nNote: Cisco Catalyst SD-WAN Manager releases 20.18 and later are not affected by this vulnerability."}, {"lang": "es", "value": "Una vulnerabilidad en la funci\u00f3n de Agente de Recopilaci\u00f3n de Datos (DCA) de Cisco Catalyst SD-WAN Manager podr\u00eda permitir a un atacante local autenticado obtener privilegios de usuario de DCA en un sistema afectado. Para explotar esta vulnerabilidad, el atacante debe tener credenciales v\u00e1lidas de vmanage en el sistema afectado.\n\nEsta vulnerabilidad se debe a la presencia de un archivo de credenciales para el usuario de DCA en un sistema afectado. Un atacante podr\u00eda explotar esta vulnerabilidad al acceder al sistema de archivos como un usuario con privilegios bajos y leer el archivo que contiene la contrase\u00f1a de DCA de ese sistema afectado. Un exploit exitoso podr\u00eda permitir al atacante acceder a otro sistema afectado y obtener privilegios de usuario de DCA.\nNota: Las versiones 20.18 y posteriores de Cisco Catalyst SD-WAN Manager no se ven afectadas por esta vulnerabilidad."}], "lastModified": "2026-03-20T22:16:25.377", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:cisco:catalyst_sd-wan_manager:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0388BD67-C1AD-4E47-8B1A-22EE1634190E", "versionEndExcluding": "20.9.8.2"}, {"criteria": "cpe:2.3:a:cisco:catalyst_sd-wan_manager:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "344CA479-F60F-4CD6-83F7-4DB38DF2EAEB", "versionEndExcluding": "20.12.5.3", "versionStartIncluding": "20.11"}, {"criteria": "cpe:2.3:a:cisco:catalyst_sd-wan_manager:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D284EA84-6C27-4A9C-BDA2-D1C5BF1F2356", "versionEndExcluding": "20.15.4.2", "versionStartIncluding": "20.13"}, {"criteria": "cpe:2.3:a:cisco:catalyst_sd-wan_manager:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "79B0897E-0FF3-44CA-901F-A10A6921672D", "versionEndExcluding": "20.18", "versionStartIncluding": "20.16"}, {"criteria": "cpe:2.3:a:cisco:catalyst_sd-wan_manager:20.12.6:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F5B6E170-73B8-4838-93B4-AD258F3BCA7C"}], "operator": "OR"}]}], "sourceIdentifier": "psirt@cisco.com"}