{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-20128/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-20128"}],"_cs_exploited":false,"_cs_products":["Catalyst SD-WAN Manager"],"_cs_severities":["medium"],"_cs_tags":["cve-2026-20128","credential-access","sd-wan","cisco"],"_cs_type":"advisory","_cs_vendors":["Cisco"],"content_html":"\u003cp\u003eCisco Catalyst SD-WAN Manager is affected by a vulnerability (CVE-2026-20128) that allows for the disclosure of stored passwords. An authenticated, local attacker with low privileges can exploit this vulnerability by accessing a credential file on the filesystem. Successful exploitation grants the attacker DCA user privileges, potentially leading to unauthorized access and control over the SD-WAN environment. CISA has issued Emergency Directive 26-03 and associated guidance to mitigate risks associated with Cisco SD-WAN devices. This vulnerability highlights the importance of proper credential management and access controls in network management systems.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains low-privileged access to the Cisco Catalyst SD-WAN Manager system through legitimate credentials or other vulnerabilities.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates the filesystem to locate the DCA user\u0026rsquo;s credential file.\u003c/li\u003e\n\u003cli\u003eThe attacker reads the credential file, which contains the DCA user\u0026rsquo;s password in a recoverable format.\u003c/li\u003e\n\u003cli\u003eThe attacker decodes or decrypts the password using readily available tools or techniques.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the recovered DCA user credentials to authenticate to the SD-WAN Manager with elevated privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the DCA user privileges to perform unauthorized configuration changes or access sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker potentially pivots to other systems or network segments accessible through the SD-WAN infrastructure.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to gain complete control over the Cisco Catalyst SD-WAN Manager. This could lead to significant disruption of network services, data breaches, and potential compromise of connected systems. The impact is magnified by the widespread use of SD-WAN in enterprise environments, making this a critical vulnerability for organizations utilizing Cisco Catalyst SD-WAN Manager.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eReview and apply the mitigations outlined in CISA\u0026rsquo;s Emergency Directive 26-03 and associated guidance for Cisco SD-WAN devices, as referenced in the overview.\u003c/li\u003e\n\u003cli\u003eMonitor file access events on the Cisco Catalyst SD-WAN Manager system for suspicious access patterns to credential files using the \u003ccode\u003eDetect Suspicious SD-WAN Credential File Access\u003c/code\u003e Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement stricter access controls and password policies on the Cisco Catalyst SD-WAN Manager to prevent unauthorized access.\u003c/li\u003e\n\u003cli\u003eApply the security updates provided by Cisco to patch CVE-2026-20128 as they become available.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-21T12:00:00Z","date_published":"2026-04-21T12:00:00Z","id":"/briefs/2026-04-cisco-sdwan-password-disclosure/","summary":"Cisco Catalyst SD-WAN Manager stores passwords in a recoverable format, allowing an authenticated local attacker to gain DCA user privileges by accessing a credential file.","title":"Cisco Catalyst SD-WAN Manager Password Disclosure Vulnerability (CVE-2026-20128)","url":"https://feed.craftedsignal.io/briefs/2026-04-cisco-sdwan-password-disclosure/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-20128","version":"https://jsonfeed.org/version/1.1"}