High (7.5) Actively Exploited

Cisco Catalyst SD-WAN Manager credential leak exploited in the wild (CVE-2026-20128)

CVE-2026-20128

Attackers exploit CVE-2026-20128 to steal DCA credentials from Cisco Catalyst SD-WAN Manager before 20.18. Upgrade to 20.18+ to block file reads and credential theft.

Affected: Cisco Catalyst SD-WAN Manager

Actively exploited in the wild: CVE-2026-20128 is a high-severity credential theft vulnerability in Cisco Catalyst SD-WAN Manager before 20.18 that lets an unauthenticated attacker read a sensitive credential file, obtain the DCA user’s password, and log into the system with DCA privileges. Upgrade to version 20.18 or later immediately.

Overview

A high-severity vulnerability in Cisco Catalyst SD-WAN Manager allows an unauthenticated, remote attacker to read a sensitive credential file from the system. Tracked as CVE-2026-20128, this flaw is confirmed by CISA to be actively exploited by attackers in the wild.

Vulnerability Details

The vulnerability exists in the Data Collection Agent (DCA) feature. A credential file containing the DCA user’s password is present on the system in a location that can be accessed via a crafted HTTP request without requiring authentication. An attacker can send this request to read the file, obtain the password, and then use those credentials to log into the affected system (or other systems) with DCA user privileges.

The CVSS v3.1 base score is 7.5 (High). The attack vector is local, meaning the attacker must have some level of access to the network to send the HTTP request, but no prior authentication is required.

Affected Products

This vulnerability affects Cisco Catalyst SD-WAN Manager software releases prior to version 20.18. Releases 20.18 and later are not affected.

Impact

A successful exploit grants an attacker the privileges of the DCA user account on the SD-WAN Manager. This could allow them to access sensitive system data, potentially manipulate network configurations, or use this access as a foothold for further attacks within the software-defined wide area network (SD-WAN) environment.

Remediation and Mitigation

The primary and definitive remediation is to upgrade to an unaffected release. Cisco states that releases 20.18 and later are not vulnerable.

Immediate Action Required:

  1. Upgrade: Update Cisco Catalyst SD-WAN Manager to version 20.18 or a later release.
  2. Investigate: As this vulnerability is known to be exploited, organizations running vulnerable versions should review their systems for any signs of unauthorized access or anomalous activity originating from the SD-WAN Manager.

If immediate upgrade is not possible, restrict network access to the Catalyst SD-WAN Manager management interface to only trusted, necessary IP addresses as a temporary mitigation. However, upgrading remains the only complete solution.
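
One way to start the review in step 2, as an added example that is not from Cisco or this advisory: flag accepted logins by the DCA account from sources outside the trusted management networks. The account name, the networks and the log line layout are assumptions, and the sample lines are constructed; adapt them to your own log export.

```python
import ipaddress
import re

# Assumptions (not from the advisory): the DCA account name, the trusted
# management networks and the log line layout are placeholders to adapt.
DCA_USER = "dca-user-placeholder"
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/24", "192.0.2.10/32")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ auth: (?P<result>accepted|failed) login "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log lines for demonstration only.
SAMPLE_LOG = """\
2026-01-10T08:00:01Z mgr1 auth: accepted login user=admin src=10.20.0.5
2026-01-10T08:02:13Z mgr1 auth: accepted login user=dca-user-placeholder src=10.20.0.7
2026-01-10T09:41:55Z mgr1 auth: failed login user=dca-user-placeholder src=203.0.113.44
2026-01-10T09:42:03Z mgr1 auth: accepted login user=dca-user-placeholder src=203.0.113.44
2026-01-10T09:50:00Z mgr1 auth: accepted login user=dca-user-placeholder src=not-an-ip
garbage line that does not parse
"""

def is_trusted(src: str) -> bool:
    """True only if src parses as an IP inside a trusted management network."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparseable source: treat as untrusted, never skip it
    return any(addr in net for net in TRUSTED_NETS)

def suspicious_dca_logins(log_text: str):
    """Return (findings, unparsed): untrusted DCA logins, and lines to check by hand."""
    findings, unparsed = [], []
    for line in filter(None, (l.strip() for l in log_text.splitlines())):
        m = LINE_RE.match(line)
        if not m:
            unparsed.append(line)  # surface parse failures instead of dropping them
            continue
        if m["user"] == DCA_USER and m["result"] == "accepted" and not is_trusted(m["src"]):
            findings.append((m["ts"], m["src"]))
    return findings, unparsed

if __name__ == "__main__":
    hits, skipped = suspicious_dca_logins(SAMPLE_LOG)
    for ts, src in hits:
        print(f"REVIEW: DCA login accepted from untrusted source {src} at {ts}")
    print(f"{len(skipped)} line(s) did not parse; review manually")
```

Lines that fail to parse are returned separately so that a format change in the log export does not silently hide logins.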

Security Insight

This vulnerability, involving a hardcoded or exposed credential file, echoes a common pattern in network infrastructure attacks, such as those seen in recent Cisco FMC exploits. It highlights the critical need for secure software development lifecycle (SDLC) practices that systematically eliminate default or static credentials, a weakness consistently targeted by ransomware groups and state-sponsored actors, as noted in broader CISA warnings.
