CVE-2026-20128
HIGH CISA KEVCVSS v3
7.5
HIGH
EPSS Score
0.0%
exploit probability
CISA KEV
Yes
known exploited
Exploitation
—
SSVC status
Description
A vulnerability in the Data Collection Agent (DCA) feature of Cisco Catalyst SD-WAN Manager could allow an unauthenticated, remote attacker to gain DCA user privileges on an affected system. This vulnerability is due to the presence of a credential file for the DCA user on an affected system. An attacker could exploit this vulnerability by sending a crafted HTTP request and reading the file that contains the DCA password from that affected system. A successful exploit could allow the attacker
CISA Known Exploited Vulnerability
- Date Added
- 4/20/2026
- Patch Due Date
- 4/23/2026
- Required Action
- Please adhere to CISA’s guidelines to assess exposure and mitigate risks associated with Cisco SD-WAN devices as outlines in CISA’s Emergency Directive 26-03 (URL listed below in Notes) and CISA’s “Hunt & Hardening Guidance for Cisco SD-WAN Devices (URL listed below in Notes). Adhere to the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available.
Technical Details
- CVSS v3 Vector
- 3.1
- Published
- 2/25/2026
- Last Modified
- 4/21/2026
Frequently Asked Questions
What is CVE-2026-20128?
A vulnerability in the Data Collection Agent (DCA) feature of Cisco Catalyst SD-WAN Manager could allow an unauthenticated, remote attacker to gain DCA user privileges on an affected system. This vulnerability is due to the presence of a credential file for the DCA user on an affected system. An attacker could exploit this vulnerability by sending a crafted HTTP request and reading the file that contains the DCA password from that affected system. A successful exploit could allow the attacker
Is CVE-2026-20128 actively exploited?
Yes. CVE-2026-20128 is on the CISA Known Exploited Vulnerabilities (KEV) catalog, meaning it has been confirmed as actively exploited in the wild. CISA requires federal agencies to patch by 4/23/2026.
What is the CVSS score for CVE-2026-20128?
CVE-2026-20128 has a CVSS v3 base score of 7.5 (HIGH severity), with vector string 3.1.
Is CVE-2026-20128 affecting your environment?
Use isMalicious to check if any of your IPs or domains are associated with this vulnerability's IOCs.