CVE-2026-20128

Cisco Catalyst SD-WAN Manager — DCA Credential Exposure via Accessible Filesystem Enabling Privilege Escalation
CVSS 3.1: 7.5 / 10 (HIGH). Listed in CISA's Known Exploited Vulnerabilities catalog.

What is Cisco Catalyst SD-WAN Manager?

Cisco Catalyst SD-WAN Manager (formerly known as vManage) is the centralized network management and orchestration platform for Cisco's Software-Defined WAN (SD-WAN) solution. It provides a single dashboard through which administrators configure, monitor, and manage SD-WAN routers and edge devices across the enterprise WAN.

CVE-2026-20128 is one of three Cisco SD-WAN Manager vulnerabilities added to CISA's KEV catalog on April 20, 2026 (alongside CVE-2026-20122 and CVE-2026-20133). All three are part of the same Cisco security advisory and have been exploited as part of a chained attack campaign targeting SD-WAN management infrastructure.

Overview

Actively Exploited — Urgent Deadline. CVE-2026-20128 has been confirmed as actively exploited by Cisco (March 2026) and added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on April 20, 2026 with a remediation deadline of April 23, 2026. CISA also issued Emergency Directive ED 26-03 on February 25, 2026 requiring federal agencies to take emergency action on Cisco SD-WAN systems.

CVE-2026-20128 is a credential exposure vulnerability in the Data Collection Agent (DCA) feature of Cisco Catalyst SD-WAN Manager. The system stores DCA user credentials in a credential file on the local filesystem in a recoverable format (CWE-257). A low-privileged local user can read this file to obtain the DCA user's password, then use those credentials to escalate privileges to DCA user level — which has broader access within the SD-WAN Manager system.

In the context of the broader SD-WAN attack chain, this CVE functions as the credential harvesting step that bridges unauthenticated reconnaissance (CVE-2026-20133) and privilege escalation to vManage administrator (CVE-2026-20122).

Affected Versions

Status     | Cisco Catalyst SD-WAN Manager Version | Fixed In
Vulnerable | 20.9.x prior to 20.9.8.2              | 20.9.8.2
Vulnerable | 20.10–20.12.x prior to 20.12.5.3      | 20.12.5.3 or 20.12.6.1
Vulnerable | 20.13–20.15.x prior to 20.15.4.2      | 20.15.4.2
Vulnerable | 20.16–20.18.x prior to 20.18.2.1      | 20.18.2.1

There are no workarounds — upgrade is the only remediation.

Technical Details

The Data Collection Agent (DCA) is an internal Cisco SD-WAN Manager component responsible for collecting telemetry and operational data from managed SD-WAN devices. To perform its functions, DCA authenticates to other system components using its own service account credentials.

The vulnerability is that the DCA user's credentials are stored in a plaintext or otherwise recoverable credential file on the local filesystem in a location accessible to low-privileged users. An attacker who gains filesystem read access (e.g., via a shell as a low-privileged local user, or by chaining from CVE-2026-20133) can read this file to obtain the DCA user password.

With DCA credentials, the attacker can:

  • Authenticate to SD-WAN Manager components that accept DCA credentials
  • Move laterally within the SD-WAN Manager environment
  • Use those credentials as the API access needed for CVE-2026-20122's file overwrite attack

Attack characteristics:

  • Authentication required: Yes — some level of local filesystem access
  • In chained attacks: initial access via CVE-2026-20133 (unauthenticated) may provide the access path
  • Attack complexity: High (standalone)
  • Scope: Changed (impact extends beyond the credential file to the broader SD-WAN infrastructure)

The Three-CVE Attack Chain

Security researchers described the complete exploitation chain:

  1. CVE-2026-20133 — Unauthenticated attacker uses API to enumerate sensitive OS-level files and gather reconnaissance on the SD-WAN Manager filesystem
  2. CVE-2026-20128 (this CVE) — Attacker retrieves the DCA credential file, obtaining username and recoverable password for the DCA service account
  3. CVE-2026-20122 — Attacker uses the DCA credentials (now API-accessible) to upload a malicious file via the API, overwriting arbitrary filesystem files and escalating to vManage administrator

The full chain: no credentials → DCA credentials → vManage admin → full SD-WAN management plane control.

Exploitation Context

Cisco confirmed active exploitation of CVE-2026-20128 and CVE-2026-20122 in March 2026, approximately three weeks after the initial February 25 disclosure. This rapid weaponization of the vulnerability pair — from patch release to confirmed in-the-wild exploitation in under a month — reflects the high interest threat actors have in SD-WAN management infrastructure.

All three CVEs in the advisory (including CVE-2026-20133) were discovered by Arthur Vidineyev of Cisco's Advanced Security Initiatives Group (ASIG) during internal security testing.

Remediation

CISA ED 26-03 and BOD 22-01 Deadline: April 23, 2026. Federal agencies must follow CISA Emergency Directive ED 26-03, including mandatory threat hunting and compromise assessment, not just patching.

  1. Upgrade Cisco Catalyst SD-WAN Manager to the fixed version: 20.9.8.2, 20.12.5.3 (or 20.12.6.1), 20.15.4.2, or 20.18.2.1.
  2. Follow CISA Emergency Directive ED 26-03 — the directive requires threat hunting in addition to patching. Review CISA's Hunt & Hardening Guidance for specific indicators of compromise and log analysis procedures.
  3. Restrict management plane access — SD-WAN Manager should never be internet-exposed. Enforce firewall rules limiting access to authorized administrator IP ranges only.
  4. Rotate DCA credentials after patching — treat the DCA service account credentials as compromised if running a vulnerable version.
  5. Rotate all SD-WAN Manager administrative credentials — if exploitation of CVE-2026-20128 has been used to harvest DCA credentials, those credentials may have been leveraged to obtain additional access.
  6. If root compromise is suspected: CISA directs agencies to rebuild vManage, vSmart, and vBond instances from clean patched images and migrate edge devices to the new infrastructure.

Key Details

Property             | Value
CVE ID               | CVE-2026-20128
Vendor / Product     | Cisco — Catalyst SD-WAN Manager
NVD Published        | 2026-02-25
NVD Last Modified    | 2026-04-21
CVSS 3.1 Score       | 7.5
CVSS 3.1 Vector      | CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
Severity             | HIGH
CWE                  | CWE-257 — Storing Passwords in a Recoverable Format
CISA KEV Added       | 2026-04-20
CISA KEV Deadline    | 2026-04-23
Known Ransomware Use | No

CVSS 3.1 Breakdown

Metric              | Value
Attack Vector       | Local
Attack Complexity   | High
Privileges Required | High
User Interaction    | None
Scope               | Changed
Confidentiality     | High
Integrity           | High
Availability        | High

Required Action

CISA BOD 22-01 Deadline: 2026-04-23. Please adhere to CISA's guidelines to assess exposure and mitigate risks associated with Cisco SD-WAN devices as outlined in CISA's Emergency Directive 26-03 and CISA's Hunt & Hardening Guidance for Cisco SD-WAN Devices. Adhere to the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available.

Timeline

Date       | Event
2026-02-25 | Cisco discloses CVE-2026-20128 alongside CVE-2026-20122 and CVE-2026-20133 in security advisory cisco-sa-sdwan-authbp-qwCX8D4v; CISA issues Emergency Directive ED 26-03 the same day
2026-03-01 | Cisco confirms active exploitation of CVE-2026-20128 and CVE-2026-20122 in the wild
2026-03-18 | Cisco updates security advisory (v1.2) with exploitation confirmation
2026-04-20 | Added to CISA Known Exploited Vulnerabilities catalog
2026-04-23 | CISA BOD 22-01 remediation deadline (3-day window)