[KEV] CVE-2026-20128 -- CVSS 0.0 Vulnerability Briefing

[KEV] CVE-2026-20128 | CVSS 0.0 (Low) | Exploit: Operational

What Is It

CVE-2026-20128 is a credential exposure vulnerability in Cisco Catalyst SD-WAN Manager, where passwords are stored in a recoverable format on the local filesystem, enabling privilege escalation by authenticated local users.

Technical Detail

The flaw stems from Cisco Catalyst SD-WAN Manager storing DCA user credentials in a recoverable format within a file accessible to low-privileged local users. An authenticated attacker with minimal local access can read this credential file and extract the DCA user password in a usable form. Successful exploitation results in privilege escalation to DCA user access, which may allow the attacker to perform administrative or sensitive operations within the SD-WAN management plane beyond their original authorization level.

Exploitation Status

CISA has confirmed active exploitation in the wild, adding this vulnerability to the Known Exploited Vulnerabilities catalog on April 20, 2026. The exploit maturity is rated Operational, meaning reliable exploitation techniques exist and are being used in practice, not merely demonstrated in a controlled research context. Although the currently assigned CVSS score is 0.0, the confirmed in-the-wild exploitation makes this a priority remediation item regardless of the score anomaly.

Who Is Targeting This

No specific threat actor attribution has been confirmed at this time. No named groups, campaigns, or targeted sectors have been associated with exploitation of this vulnerability in available intelligence. Given the nature of the affected product, SD-WAN infrastructure operators across enterprise and service provider environments should treat this as a credible threat to their deployments.

What To Do

Per CISA's Known Exploited Vulnerabilities catalog, federal agencies are required to apply vendor-supplied patches or implement mitigations by the deadline associated with the April 20, 2026 listing. All organizations running Cisco Catalyst SD-WAN Manager should apply the relevant Cisco security advisory patches immediately. Until patching is complete, restrict local filesystem access to the SD-WAN Manager host to only authorized administrative accounts, audit local user accounts for unauthorized access, and review logs for unexpected DCA user activity. Consult the Cisco security advisory for the specific affected software versions and confirmed fixed releases.
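The interim checks above can be scripted. The following is an added example, not Cisco tooling or code from the advisory: it flags files under a directory that accounts other than the trusted owner can read, and lists accounts with a login shell. It assumes POSIX file modes and passwd-format account data; the directory is supplied by the operator because this briefing does not name the affected file, and the function names are hypothetical.

```python
import os
import stat

# Assumption: these shells mark accounts that cannot log in interactively.
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}

def exposed_files(root, trusted_uids=(0,)):
    """Return (path, octal_mode, reason) for regular files under root that
    accounts other than the trusted owners could read."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue  # file vanished or is not accessible to the auditor
            if not stat.S_ISREG(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            if mode & stat.S_IROTH:
                findings.append((path, oct(mode), "world-readable"))
            elif mode & stat.S_IRGRP:
                findings.append((path, oct(mode), "group-readable"))
            elif st.st_uid not in trusted_uids:
                findings.append((path, oct(mode), "unexpected owner"))
    return sorted(findings)

def login_accounts(passwd_text):
    """Return account names in passwd-format text that have a login shell."""
    names = []
    for line in passwd_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) == 7 and not line.startswith("#") and fields[6] not in NOLOGIN_SHELLS:
            names.append(fields[0])
    return names

if __name__ == "__main__":
    import sys
    # Usage: script.py <directory-to-audit>; defaults to the current directory.
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for finding in exposed_files(root):
        print(*finding)
    with open("/etc/passwd") as fh:
        print("login accounts:", ", ".join(login_accounts(fh.read())))
```

Compare the listed login accounts against the set of authorized administrators, and treat any flagged file that holds configuration or credential data as a candidate for tighter permissions until the fixed release is installed.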