Cisco Catalyst SD-WAN Manager exposes a Data Collection Agent (DCA) credential file that lets an attacker pivot to DCA user privileges on another affected system, and CISA has added it to the KEV catalog under Emergency Directive 26-03.
What Is It
A vulnerability in the Data Collection Agent (DCA) feature of Cisco Catalyst SD-WAN Manager. A credential file containing the DCA user's password is present on affected systems in a recoverable format (CWE-257). Per the NVD description, an attacker can send a crafted HTTP request to read the file and then reuse those credentials to access another affected system and gain DCA user privileges. CISA's KEV entry frames the same flaw from the local angle: an authenticated, low-privileged local user on the filesystem can read the same credential file to achieve the same outcome.
Why It Matters
CISA added CVE-2026-20128 to the Known Exploited Vulnerabilities catalog on 2026-04-20, confirming active exploitation in the wild, and set an unusually aggressive due date of 2026-04-23, three days later. The vulnerability is governed by CISA Emergency Directive 26-03, which prescribes specific mitigation steps for federal agencies running Cisco SD-WAN devices. Known ransomware campaign use is listed as Unknown. The CVSS 3.1 base score is 7.5 (HIGH); scope is Changed, with high impact to confidentiality, integrity, and availability. Because DCA credentials are reusable across systems, a single compromised Manager becomes a pivot point into the rest of an SD-WAN fabric.
What's Vulnerable
Cisco Catalyst SD-WAN Manager, in the following version ranges:
- Versions prior to 20.9.8.2
- 20.10 through versions prior to 20.12.5.3
- 20.13 through versions prior to 20.15.4.2
- 20.16 through versions prior to 20.18
- 20.12.6 specifically
Per Cisco's note in the NVD record, releases 20.18 and later are not affected.
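To triage an inventory against the ranges above, the following added example (not Cisco or CISA tooling) classifies Manager version strings and returns the listed fixed release for each affected host. The hostnames and versions in `SAMPLE` are constructed, and treating 20.12.6 as an exact match only is an assumption.

```python
import re

# Ranges from the list above: (first release in the train, first fixed release).
# None as the lower bound means "any earlier release".
AFFECTED_RANGES = [
    (None, "20.9.8.2"),
    ("20.10", "20.12.5.3"),
    ("20.13", "20.15.4.2"),
    ("20.16", "20.18"),
]
# Listed individually; it sorts above 20.12.5.3, so a range check alone misses it.
# Assumption: only this exact release is meant, not later 20.12.6.x builds.
AFFECTED_EXACT = {"20.12.6"}


def parse_version(text):
    """'20.12.5.3' -> (20, 12, 5, 3), zero-padded to four fields for comparison."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){1,3}", text):
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def check(version):
    """Return (affected, fixed_release_or_None) for one Manager version string."""
    v = parse_version(version)
    if v in {parse_version(e) for e in AFFECTED_EXACT}:
        return True, None  # the page names no specific fixed release for this one
    for low, fixed in AFFECTED_RANGES:
        if (low is None or v >= parse_version(low)) and v < parse_version(fixed):
            return True, fixed
    return False, None


def triage(inventory):
    """Map hostname -> fixed release (or None) for every affected host."""
    return {host: check(ver)[1] for host, ver in inventory.items() if check(ver)[0]}


# Constructed inventory: hostnames and versions are made up for illustration.
SAMPLE = {"vmanage-a": "20.9.8.1", "vmanage-b": "20.12.5.3", "vmanage-c": "20.12.6",
          "vmanage-d": "20.15.4", "vmanage-e": "20.18.1"}

if __name__ == "__main__":
    for host, fixed in triage(SAMPLE).items():
        print(host, "affected; listed fixed release:", fixed or "see Cisco advisory")
```

A result of "not affected" here means only that the version falls outside the ranges listed on this page.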
Patch Status
Fixed releases are 20.9.8.2, 20.12.5.3, 20.15.4.2, and 20.18 (and later). CISA's required action: follow the guidance in Emergency Directive 26-03 and the accompanying Hunt & Hardening Guidance for Cisco SD-WAN Devices to assess exposure and mitigate. For cloud services, apply BOD 22-01 guidance; if mitigations are unavailable, discontinue use of the product.