CVE-2026-20128

HIGH CISA KEV

CVSS v3

7.5

HIGH

EPSS Score

0.0%

exploit probability

CISA KEV

Yes

known exploited

Exploitation

SSVC status

Description

A vulnerability in the Data Collection Agent (DCA) feature of Cisco Catalyst SD-WAN Manager could allow an unauthenticated, remote attacker to gain DCA user privileges on an affected system. This vulnerability is due to the presence of a credential file for the DCA user on an affected system. An attacker could exploit this vulnerability by sending a crafted HTTP request and reading the file that contains the DCA password from that affected system. A successful exploit could allow the attacker

CISA Known Exploited Vulnerability

Date Added
4/20/2026
Patch Due Date
4/23/2026
Required Action
Please adhere to CISA’s guidelines to assess exposure and mitigate risks associated with Cisco SD-WAN devices as outlines in CISA’s Emergency Directive 26-03 (URL listed below in Notes) and CISA’s “Hunt & Hardening Guidance for Cisco SD-WAN Devices (URL listed below in Notes). Adhere to the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available.

Technical Details

CVSS v3 Vector
3.1
Published
2/25/2026
Last Modified
4/21/2026

Frequently Asked Questions

What is CVE-2026-20128?

A vulnerability in the Data Collection Agent (DCA) feature of Cisco Catalyst SD-WAN Manager could allow an unauthenticated, remote attacker to gain DCA user privileges on an affected system. This vulnerability is due to the presence of a credential file for the DCA user on an affected system. An attacker could exploit this vulnerability by sending a crafted HTTP request and reading the file that contains the DCA password from that affected system. A successful exploit could allow the attacker

Is CVE-2026-20128 actively exploited?

Yes. CVE-2026-20128 is on the CISA Known Exploited Vulnerabilities (KEV) catalog, meaning it has been confirmed as actively exploited in the wild. CISA requires federal agencies to patch by 4/23/2026.

What is the CVSS score for CVE-2026-20128?

CVE-2026-20128 has a CVSS v3 base score of 7.5 (HIGH severity), with vector string 3.1.

Is CVE-2026-20128 affecting your environment?

Use isMalicious to check if any of your IPs or domains are associated with this vulnerability's IOCs.