CVE-2026-20128

Published Feb 25, 2026

Last updated 2 days ago

CVSS high 7.5
OT
Firmware

Overview

Description
A vulnerability in the Data Collection Agent (DCA) feature of Cisco Catalyst SD-WAN Manager could allow an unauthenticated, remote attacker to gain DCA user privileges on an affected system. This vulnerability is due to the presence of a credential file for the DCA user on an affected system. An attacker could exploit this vulnerability by sending a crafted HTTP request and reading the file that contains the DCA password from that affected system. A successful exploit could allow the attacker to access another affected system and gain DCA user privileges. Note: Cisco Catalyst SD-WAN Manager releases 20.18 and later are not affected by this vulnerability.
Source
psirt@cisco.com
NVD status
Analyzed
Products
catalyst_sd-wan_manager

Risk scores

CVSS 3.1

Type
Secondary
Base score
7.5
Impact score
6
Exploitability score
0.8
Vector string
CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
Severity
HIGH

Weaknesses

psirt@cisco.com
CWE-257

Social media

Hype score
Not currently trending

  1. PoC is now public for CVE-2026-20127 in Cisco Catalyst SD-WAN. UAT-8616 has been exploiting it since 2023, now anyone can try. Two more SD-WAN flaws also active: CVE-2026-20122 and CVE-2026-20128. Patch window is effectively closed. https://t.co/gZOpZQntR2

    @CybrPulse

    7 Mar 2026

    80 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  2. 🚨Cisco Catalyst SD-WANの脆弱性、さらに2件の悪用が明らかに:CVE-2026-20128、CVE-2026-20122 ⚠️米CISA、Apple製品の古い脆弱性3件をKEVカタログに追加(CVE-2023-43000、CVE-2021-30952、CVE-2023-41974) 〜サイバーアラート3月6日

    @MachinaRecord

    6 Mar 2026

    189 Impressions

    1 Retweet

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  3. 3 Cisco SD-WAN CVEs actively exploited in 8 days. Here's the scorecard: CVE-2026-20127 — CVSS 10.0 — Auth bypass zero-day — Exploited since 2023 CVE-2026-20128 — CVSS 5.5 — DCA credential leak — Exploited (confirmed March 5) CVE-2026-20122 — CVSS 7.1 — File overw

    @FirstPassLab

    5 Mar 2026

    101 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. The Semtech LR11xx LoRa transceivers running early versions of firmware contains an information disclosure vulnerability in its firmware validation functionality. When a host issues a firmware validity check command via the SPI interface, the device decrypts the provided encrypted firmware package block-by-block to validate its integrity. However, the last decrypted firmware block remains uncleared in memory after the validation process completes. An attacker with access to the SPI interface can subsequently issue memory read commands to retrieve the decrypted firmware contents from this residual memory, effectively bypassing the firmware encryption protection mechanism. The attack requires physical access to the device's SPI interface.CVE-2025-14858
  2. Fortinet FortiClient EMS Improper Access Control VulnerabilityCVE-2026-35616
  3. A flaw has been found in Tenda AC5 15.03.06.47. This vulnerability affects the function formQuickIndex of the file /goform/QuickIndex of the component POST Request Handler. This manipulation of the argument PPPOEPassword causes stack-based buffer overflow. The attack may be initiated remotely. The exploit has been published and may be used.CVE-2026-4903
  4. A Missing Authentication for Critical Function vulnerability in Pharos Controls Mosaic Show Controller firmware version 2.15.3 could allow an unauthenticated attacker to bypass authentication and execute arbitrary commands with root privileges.CVE-2026-2417
  5. A hardcoded cryptographic key within the configuration mechanism on TP-Link Archer NX200, NX210, NX500 and NX600 enables decryption and re-encryption of device configuration data. An authenticated attacker may decrypt configuration files, modify them, and re-encrypt them, affecting the confidentiality and integrity of device configuration data.CVE-2025-15605

References

Sources include official advisories and independent security research.