CVE-2026-20128: Cisco Catalyst SD-WAN Manager DCA Credential Disclosure and Privilege Escalation Vulnerability
Executive Summary
A critical vulnerability identified as CVE-2026-20128 affects the Data Collection Agent (DCA) feature within Cisco Catalyst SD-WAN Manager. This flaw permits unauthenticated, remote attackers to retrieve stored credentials for the DCA service, facilitating unauthorized access and privilege escalation on affected systems. Given its inclusion in the CISA Known Exploited Vulnerabilities (KEV) catalog, immediate remediation is required.
Technical Analysis
The vulnerability stems from the storage of DCA user credentials in a recoverable format within a configuration file present on the filesystem. By transmitting a specially crafted HTTP request to the Cisco Catalyst SD-WAN Manager, an unauthenticated attacker can induce the system to disclose the contents of this file.
Successful exploitation yields valid DCA credentials. These credentials allow the attacker to authenticate to other affected systems, escalating to the privileges of the DCA user. The vulnerability is present in releases prior to 20.18.
Forensic Markers
Investigation of compromised systems should focus on the following indicators:
- HTTP requests targeting the /dataservice/dca/ endpoint, particularly those showing signs of directory traversal or abnormal parameter injection.
- Unauthorized attempts to access or read DCA credential configuration files located on the filesystem.
- System authentication logs indicating unauthorized privilege elevation for the DCA user account.
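As an added illustration (not part of the original advisory), the following Python script applies the first forensic marker above to constructed access-log lines: it parses each request, keeps those aimed at the /dataservice/dca/ endpoint, and tags decoded traversal sequences in the path and path-like values in query parameters. The log format, the placeholder paths in the sample and the rule that DCA parameter values never legitimately contain path separators are assumptions.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qsl

# Constructed sample access-log lines in Apache combined-style format (not real captures).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Feb/2026:10:00:01 +0000] "GET /dataservice/dca/status HTTP/1.1" 200 512
203.0.113.7 - - [01/Feb/2026:10:00:05 +0000] "GET /dataservice/dca/..%2F..%2Fplaceholder.cfg HTTP/1.1" 200 2048
198.51.100.3 - - [01/Feb/2026:10:01:12 +0000] "GET /dataservice/device/list HTTP/1.1" 200 9000
203.0.113.9 - - [01/Feb/2026:10:02:40 +0000] "GET /dataservice/dca/config?file=..%2F..%2Fplaceholder HTTP/1.1" 401 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
DCA_PREFIX = "/dataservice/dca/"                      # endpoint named in the advisory
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")  # '../' or '..\' once decoded


def analyse_request(target: str) -> list[str]:
    """Return indicator tags for one request target; empty list if it is not a DCA request."""
    parts = urlsplit(target)
    path = unquote(unquote(parts.path))  # double-decode to catch %252E-style double encoding
    if not path.startswith(DCA_PREFIX):
        return []
    reasons = ["dca_endpoint"]
    if TRAVERSAL_RE.search(path):
        reasons.append("path_traversal")
    # Assumption: legitimate DCA parameter values contain no '..' and no path separators.
    for _, value in parse_qsl(parts.query, keep_blank_values=True):
        decoded = unquote(value)
        if TRAVERSAL_RE.search(decoded) or "/" in decoded or "\\" in decoded:
            reasons.append("suspicious_parameter")
            break
    return reasons


def scan_access_log(text: str) -> list[dict]:
    """Parse log lines and return one finding per request that touches the DCA endpoint."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the whole scan
        reasons = analyse_request(m["target"])
        if reasons:
            findings.append({"ip": m["ip"], "target": m["target"],
                             "status": int(m["status"]), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f["ip"], f["status"], ",".join(f["reasons"]), f["target"])
```

A 200 response on a tagged request is the case to triage first; a 401 still records the attempt.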
Detection Rules
Sigma rule:

title: Detection of CVE-2026-20128 Exploitation
status: experimental
description: Detects exploitation attempts against the Cisco Catalyst SD-WAN Manager DCA feature.
logsource:
  category: web_access
  product: cisco_sdwan
detection:
  selection:
    uri|contains: '/dataservice/dca/'
  condition: selection

KQL query:

WebAccessLogs
| where Url contains "/dataservice/dca/"
| project TimeGenerated, ClientIP, Url, Status

Mitigation and Remediation
Users must upgrade Cisco Catalyst SD-WAN Manager to release 20.18 or later, where this vulnerability is mitigated. Where immediate upgrading is not feasible, restrict access to the web management interface and monitor logs for the indicators specified above.