Cisco Catalyst SD-WAN Manager Storing Passwords in a Recoverable Format Vulnerability
Cisco Catalyst SD-WAN Manager contains a storing passwords in a recoverable format vulnerability that allows an authenticated, local attacker to gain DCA user privileges by accessing a credential file for the DCA user on the filesystem as a low-privileged user.
Quick answer
Cisco Catalyst SD-WAN Manager should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.
Who is affected
Affected versions
- 20.12.6
Fixed versions
- Apply the latest vendor-supported patched version.
How to fix it
Treat CVE-2026-20128 as an actively exploited Cisco Catalyst SD-WAN Manager credential exposure risk. NVD and CISA identify affected Cisco Catalyst SD-WAN Manager releases and CISA instructs organizations to follow ED 26-03 and the Cisco SD-WAN hunt and hardening guidance. Upgrade to the Cisco fixed release for the installed branch, noting that NVD lists multiple affected branches and says 20.18 and later are not affected for this issue. Because the vulnerability can expose DCA credentials and enable DCA privileges, rotate relevant credentials and inspect for follow-on access.
- Inventory every Cisco Catalyst SD-WAN Manager or vManage deployment, including management IPs, public URLs, API endpoints, and DCA-enabled systems.
- Check installed versions against Cisco advisory cisco-sa-sdwan-authbp-qwCX8D4v and the NVD affected branch ranges for CVE-2026-20128.
- Upgrade affected deployments to the Cisco fixed release for the installed branch; where practical, move to 20.18 or later for this specific issue.
- Apply CISA ED 26-03 mitigation, hunt, and hardening guidance for Cisco SD-WAN systems.
- Restrict SD-WAN Manager API, administrative UI, and management ports to trusted administrator networks or VPN.
- Review file access, API logs, DCA activity, vManage logs, authentication logs, and network telemetry for credential file access or suspicious DCA use.
- Rotate DCA, vManage, administrative, API, and integration credentials if exposure is suspected.
- Rebuild or isolate SD-WAN Manager systems where unauthorized access or persistence is found.
Scan now. Google sign-in is only needed to unlock fix guidance.
Verify the fix
- Confirm Cisco Catalyst SD-WAN Manager is on the Cisco fixed release for its branch or on a later unaffected branch listed by Cisco/NVD.
- Confirm SD-WAN Manager management and API endpoints are reachable only from approved networks.
- Confirm CISA ED 26-03 hardening and hunt steps have been completed and documented.
- Review post-remediation logs for continued credential file access attempts or unexpected DCA activity.
- Run a Fixnx scan against public SD-WAN Manager hostnames to confirm exposure is reduced.
Related categories
Trusted references
FAQ
What is affected by CVE-2026-20128?
Cisco Catalyst SD-WAN Manager should be checked against the vendor advisory and trusted references linked on this page.
What should I fix first?
Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.
How do I confirm the fix worked?
Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.
Why can this risk appear in multiple categories?
A vulnerability can belong to more than one platform or ecosystem. Fixnx keeps one canonical risk page while also listing it in every relevant category.
