{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/catalyst-sd-wan-manager/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-20128"}],"_cs_exploited":false,"_cs_products":["Catalyst SD-WAN Manager"],"_cs_severities":["medium"],"_cs_tags":["cve-2026-20128","credential-access","sd-wan","cisco"],"_cs_type":"advisory","_cs_vendors":["Cisco"],"content_html":"\u003cp\u003eCisco Catalyst SD-WAN Manager is affected by a vulnerability (CVE-2026-20128) that allows for the disclosure of stored passwords. An authenticated, local attacker with low privileges can exploit this vulnerability by accessing a credential file on the filesystem. Successful exploitation grants the attacker DCA user privileges, potentially leading to unauthorized access and control over the SD-WAN environment. CISA has issued Emergency Directive 26-03 and associated guidance to mitigate risks associated with Cisco SD-WAN devices. This vulnerability highlights the importance of proper credential management and access controls in network management systems.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains low-privileged access to the Cisco Catalyst SD-WAN Manager system through legitimate credentials or other vulnerabilities.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates the filesystem to locate the DCA user\u0026rsquo;s credential file.\u003c/li\u003e\n\u003cli\u003eThe attacker reads the credential file, which contains the DCA user\u0026rsquo;s password in a recoverable format.\u003c/li\u003e\n\u003cli\u003eThe attacker decodes or decrypts the password using readily available tools or techniques.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the recovered DCA user credentials to authenticate to the SD-WAN Manager with elevated privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the DCA user privileges to perform unauthorized configuration changes or access sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker potentially pivots to other systems or network segments accessible through the SD-WAN infrastructure.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to gain complete control over the Cisco Catalyst SD-WAN Manager. This could lead to significant disruption of network services, data breaches, and potential compromise of connected systems. The impact is magnified by the widespread use of SD-WAN in enterprise environments, making this a critical vulnerability for organizations utilizing Cisco Catalyst SD-WAN Manager.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eReview and apply the mitigations outlined in CISA\u0026rsquo;s Emergency Directive 26-03 and associated guidance for Cisco SD-WAN devices, as referenced in the overview.\u003c/li\u003e\n\u003cli\u003eMonitor file access events on the Cisco Catalyst SD-WAN Manager system for suspicious access patterns to credential files using the \u003ccode\u003eDetect Suspicious SD-WAN Credential File Access\u003c/code\u003e Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement stricter access controls and password policies on the Cisco Catalyst SD-WAN Manager to prevent unauthorized access.\u003c/li\u003e\n\u003cli\u003eApply the security updates provided by Cisco to patch CVE-2026-20128 as they become available.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-21T12:00:00Z","date_published":"2026-04-21T12:00:00Z","id":"/briefs/2026-04-cisco-sdwan-password-disclosure/","summary":"Cisco Catalyst SD-WAN Manager stores passwords in a recoverable format, allowing an authenticated local attacker to gain DCA user privileges by accessing a credential file.","title":"Cisco Catalyst SD-WAN Manager Password Disclosure Vulnerability (CVE-2026-20128)","url":"https://feed.craftedsignal.io/briefs/2026-04-cisco-sdwan-password-disclosure/"},{"_cs_actors":[],"_cs_cves":[{"cvss":6.5,"id":"CVE-2026-20133"}],"_cs_exploited":false,"_cs_products":["Catalyst SD-WAN Manager"],"_cs_severities":["high"],"_cs_tags":["cve","vulnerability","cisco","sd-wan"],"_cs_type":"advisory","_cs_vendors":["Cisco"],"content_html":"\u003cp\u003eCisco Catalyst SD-WAN Manager is susceptible to an information disclosure vulnerability, identified as CVE-2026-20133. The vulnerability allows unauthorized remote attackers to potentially gain access to sensitive information residing on affected systems. While the exact nature of the disclosed information isn\u0026rsquo;t specified in the advisory, it could encompass configuration details, user credentials, or other sensitive data critical for the secure operation of the SD-WAN environment. CISA has issued Emergency Directive 26-03 and associated guidance, highlighting the severity and urging immediate action. The directive impacts organizations utilizing Cisco SD-WAN devices and emphasizes the need for thorough risk assessment and implementation of provided mitigation strategies.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eVulnerability Discovery:\u003c/strong\u003e An attacker identifies a publicly accessible endpoint or API within the Cisco Catalyst SD-WAN Manager that is vulnerable to CVE-2026-20133.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eUnauthorized Request:\u003c/strong\u003e The attacker crafts a malicious HTTP request targeting the vulnerable endpoint, exploiting the lack of proper authorization checks or input validation.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInformation Exposure:\u003c/strong\u003e The SD-WAN Manager processes the request and, due to the vulnerability, inadvertently discloses sensitive information. This could be in the form of a file, database content, or API response.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Extraction:\u003c/strong\u003e The attacker captures the exposed data from the response, potentially including configuration files, usernames, passwords, or other sensitive credentials.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Compromise:\u003c/strong\u003e The attacker uses the extracted credentials to gain unauthorized access to other systems within the SD-WAN environment or the broader network.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e Leveraging compromised credentials, the attacker moves laterally across the network, targeting critical systems and data.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration / System Compromise:\u003c/strong\u003e The attacker exfiltrates sensitive data or achieves complete system compromise, depending on the attacker\u0026rsquo;s objectives.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-20133 can lead to significant consequences, including the compromise of sensitive data, unauthorized access to critical systems, and potential disruption of network operations. Given the central role of SD-WAN managers in controlling network traffic and security policies, a successful attack can have a wide-ranging impact. The number of potentially affected organizations is substantial due to the widespread adoption of Cisco SD-WAN solutions. The impact can include data breaches, financial loss, reputational damage, and regulatory penalties.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately assess your exposure to CVE-2026-20133 by following CISA’s Emergency Directive 26-03 mitigation instructions.\u003c/li\u003e\n\u003cli\u003eApply the necessary patches or workarounds provided by Cisco to remediate the vulnerability as outlined in Cisco\u0026rsquo;s security advisory.\u003c/li\u003e\n\u003cli\u003eIf patches are unavailable or cannot be immediately applied, implement the hardening guidance provided in CISA’s “Hunt \u0026amp; Hardening Guidance for Cisco SD-WAN Devices”.\u003c/li\u003e\n\u003cli\u003eFor cloud-based deployments, adhere to the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available.\u003c/li\u003e\n\u003cli\u003eDeploy the following Sigma rule to detect suspicious HTTP requests targeting potentially vulnerable endpoints of the Cisco Catalyst SD-WAN Manager.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-19T12:00:00Z","date_published":"2024-01-19T12:00:00Z","id":"/briefs/2024-01-cisco-sdwan-info-disclosure/","summary":"Cisco Catalyst SD-WAN Manager contains an information disclosure vulnerability (CVE-2026-20133) that could allow remote attackers to view sensitive information on affected systems, requiring immediate patching or mitigation.","title":"Cisco Catalyst SD-WAN Manager Information Disclosure Vulnerability (CVE-2026-20133)","url":"https://feed.craftedsignal.io/briefs/2024-01-cisco-sdwan-info-disclosure/"}],"language":"en","title":"CraftedSignal Threat Feed — Catalyst SD-WAN Manager","version":"https://jsonfeed.org/version/1.1"}