Summary
| Parameter | Value |
|---|---|
| CVE ID | CVE-2026-20128 |
| Alert Source | CISA KEV - Active Exploitation |
| CVE Publication Year | 2026 |
| Date Published | 2026-04-20 |
| Vendor | Cisco |
| Product | Catalyst SD-WAN Manager |
| CVSS Score | 7.5 (high) |
| EPSS Score | 0.0% (percentile: 2%) |
| CISA KEV | Yes - confirmed active exploitation |
| Ransomware | Not confirmed |
| Remediation Deadline | 2026-04-23 |
Vulnerability Description
Cisco Catalyst SD-WAN Manager contains a storing passwords in a recoverable format vulnerability that allows an authenticated, local attacker to gain DCA user privileges by accessing a credential file for the DCA user on the filesystem as a low-privileged user.
Required Actions
Please adhere to CISA’s guidelines to assess exposure and mitigate risks associated with Cisco SD-WAN devices as outlines in CISA’s Emergency Directive 26-03 (URL listed below in Notes) and CISA’s “Hunt & Hardening Guidance for Cisco SD-WAN Devices (URL listed below in Notes). Adhere to the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available.
Who Is Affected?
This vulnerability affects Catalyst SD-WAN Manager by Cisco. Check if your organization uses this software and requires updates.
Sources
Need help securing your systems? nFlo team offers vulnerability management and 24/7 SOC services. Contact us.
Related topics
See also:
