ACCORDING to CISA, the Known Exploited Vulnerabilities Catalog lists Cisco Catalyst SD-WAN Manager with the CVE-2026-20128 vulnerability, described as storing passwords in a recoverable format that allows an authenticated, local attacker to gain DCA user privileges by accessing a credential file on the filesystem as a low-privileged user. Date Added is 20 April 2026 and Due Date is 23 April 2026. The entry notes that it is unknown whether the vulnerability has been used in ransomware campaigns.
It also directs readers to follow CISA’s directives for mitigation and to apply the Hunt & Hardening Guidance for Cisco SD-WAN devices, with links provided to the relevant CISA pages. Additional notes include CISA Mitigation Instructions and links to Cisco and NIST resources for CVE-2026-20128. The page emphasises adhering to the applicable guidance for cloud services or discontinuing use of the product if mitigations are not available.