CISA has added CVE‑2026‑20128 to its Known Exploited Vulnerabilities catalogue. The entry concerns Cisco’s Catalyst SD‑WAN Manager and is titled *Cisco Catalyst SD‑WAN Manager Storing Passwords in a Recoverable Format Vulnerability*. An authenticated, local attacker with low privileges can read a credential file and obtain DCA user privileges. The short description notes that the flaw enables privilege escalation through filesystem access to a credential file.
The flaw lies in the way the product stores passwords in a recoverable format on the filesystem. An attacker who can log in locally can access the credential file and escalate to DCA user rights. The vulnerability has a CVSS v3 score of 7.5, rated HIGH, and a security patch is available from Cisco. Cisco has published advisory cisco-sa-sdwan-authbp-qwCX8D4v detailing the fix.
Because the vulnerability is listed in the KEV catalogue, active exploitation has been confirmed in the wild. No ransomware campaign has been linked to this issue at present. CISA has set a remediation deadline of 23 April 2026 for federal civilian executive branch agencies.
CISA directs affected agencies to follow the mitigation steps outlined in Emergency Directive 26‑03 and the accompanying Hunt & Hardening Guidance for Cisco SD‑WAN Systems, and to adhere to the applicable BOD 22‑01 guidance for cloud services or discontinue use if mitigations cannot be applied. While the directive binds FCEB organisations, all organisations should review their Cisco SD‑WAN deployments for exposure and apply the available patch or follow the vendor’s guidance.
For full details, see the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2026-20128 and the CISA KEV catalogue.