Threat Intelligence / CVE / CVE-2026-20128

CVE-2026-20128

CVSS 7.5 (HIGH) · EPSS 0.0% · Published 2026-02-25

A vulnerability in the Data Collection Agent (DCA) feature of Cisco Catalyst SD-WAN Manager could allow an unauthenticated, remote attacker to gain DCA user privileges on an affected system. This vulnerability is due to the presence of a credential file for the DCA user on an affected system. An attacker could exploit this vulnerability by sending a crafted HTTP request and reading the file that contains the DCA password from that affected system. A successful exploit could allow the attacker to access another affected system and gain DCA user privileges. Note: Cisco Catalyst SD-WAN Manager releases 20.18 and later are not affected by this vulnerability.

CVSS v3 vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

Weaknesses (CWE)

CWE-257

Threats tracking this CVE

Cisco Catalyst SD-WAN Manager Active Exploitation — Arbitrary File Overwrite and Credential Exposure (CVE-2026-20122, CVE-2026-20128) — CRITICAL

References

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-authbp-qwCX8D4v

Full detection coverage & IOCs for threats exploiting CVE-2026-20128 are available via the Threadlinqs MCP server (Purple tier). View plans →

Markdown version · Threadlinqs Intelligence