By Lyrie Threat Intelligence·4/20/2026

What happened

CISA added CVE-2026-20128 to the Known Exploited Vulnerabilities (KEV) catalog on 2026-04-20, signaling confirmed in-the-wild exploitation and setting a rapid remediation window for impacted organizations [CISA KEV]. The flaw affects Cisco Catalyst SD-WAN Manager and is described as “storing passwords in a recoverable format,” enabling a local, authenticated attacker to obtain DCA user privileges by accessing a credential file from the filesystem as a low-privileged user [NVD entry]. The issue maps to CWE-257, indicating credentials are kept in a reversible form instead of an irrecoverable hash [NVD entry].

CISA’s notice imposes an expedited due date of 2026-04-23 for federal remediations, aligning with mandatory actions outlined for Cisco SD-WAN systems [CISA KEV] and related emergency directives [CISA ED 26-03].

Why it matters

Credential disclosure on a management plane system is a risk multiplier: a low-privileged local user can pivot to the DCA account and act with elevated SD-WAN Manager authority [NVD entry]. Because CISA only lists issues in KEV when exploitation is observed, defenders should assume active adversary interest and prioritize this class of local privilege-escalation flaws on network control points [CISA KEV]. Storage of passwords in a recoverable format (CWE-257) further implies offline extraction is feasible once the file is accessed, negating rate limits or MFA protections on interactive logins [NVD entry].

Federal agencies are instructed to take immediate action under CISA’s Cisco SD-WAN-specific Emergency Directive and supplemental hunt-and-harden guidance, which are designed to reduce exposure and actively search for compromise indicators on these systems [CISA ED 26-03] [Hunt & Hardening Guidance].

Technical detail

Per the CVE record, the vulnerable condition exists when the SD-WAN Manager stores a DCA user credential in a recoverable format on the local filesystem [NVD entry]. An authenticated local attacker, i.e., any user with shell or local session access on the host, can read that credential file despite being a low-privileged user, then use the recovered password to escalate to DCA user privileges in the application context [MITRE CVE]. This behavior aligns with CWE-257, where plaintext or reversibly encrypted passwords are retrievable once the storage is compromised, enabling privilege misuse without brute force or remote exploitation [NVD entry].

CISA’s KEV designation confirms adversaries are exploiting this path in the wild, which turns local access on an SD-WAN management node into immediate privilege elevation via credential theft [CISA KEV]. The remediation due date of 2026-04-23 communicates operational urgency for patching or compensating controls to break this escalation path [CISA KEV].

Defense

Prioritize Cisco SD-WAN environments under CISA’s Emergency Directive 26-03 and execute the agency’s hunt-and-hardening tasks immediately [CISA ED 26-03] [Hunt & Hardening Guidance].

Operational actions:

  • Patch/mitigate per vendor and CISA directives; treat remediation as time-bound with a 2026-04-23 target from the KEV entry [CISA KEV].
  • Restrict and audit local access to SD-WAN Manager hosts. The attacker precondition is “authenticated, local” access; reducing the shell/logon surface directly lowers exploitability [NVD entry].
  • Hunt for access to the credential file path(s) and anomalous transitions to the DCA user within the Manager. This directly targets the technique described by the CVE and CISA materials [NVD entry] [CISA KEV].
  • Rotate the DCA credential and any overlapping accounts/tokens discovered during hunts; assume recoverable storage implies potential disclosure if local access occurred [NVD entry] [Hunt & Hardening Guidance].
  • Apply hardening from CISA’s supplemental guidance, including enhanced logging and segmentation of management components to contain impact if local compromise occurs [Hunt & Hardening Guidance].
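The hunt in the third bullet comes down to one correlation: a credential-file read by an account that has no business reading it, followed shortly by a new DCA session. The script below is an added example, not Lyrie's or Cisco's code; it runs over constructed, simplified audit-style records, and the credential path is a placeholder because the advisory does not name the real file. The allow-listed reader account (`vmanage-svc`) and the correlation window are assumptions to tune for your environment.

```python
import re
from dataclasses import dataclass

# Constructed, simplified audit-style records; not real SD-WAN Manager logs.
# CRED_PATH is a placeholder: the advisory does not disclose the actual path.
CRED_PATH = "/PLACEHOLDER/sdwan-manager/dca_credentials"
SAMPLE_LOG = f"""\
ts=1000 type=file_read user=vmanage-svc path={CRED_PATH}
ts=1200 type=file_read user=lowpriv path={CRED_PATH}
ts=1260 type=session_start user=dca src=127.0.0.1
ts=5000 type=session_start user=dca src=10.0.0.5
ts=7000 type=file_read user=lowpriv path=/var/log/messages
"""

_KV = re.compile(r"(\w+)=(\S+)")

def parse_event(line: str) -> dict:
    """Turn one key=value record into a dict; ts becomes an int."""
    ev = dict(_KV.findall(line))
    ev["ts"] = int(ev["ts"])
    return ev

@dataclass(frozen=True)
class Alert:
    reader: str      # account that read the credential file
    read_ts: int     # when it was read
    session_ts: int  # when the privileged session started

def correlate(log_text: str, cred_paths: set[str], privileged_user: str = "dca",
              allowed_readers: frozenset[str] = frozenset({"vmanage-svc"}),
              window_s: int = 600) -> list[Alert]:
    """Flag a privileged session that starts within window_s seconds after a
    non-allow-listed account read a credential file (the CWE-257 escalation path)."""
    events = sorted((parse_event(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    suspicious_reads: list[tuple[int, str]] = []  # (ts, user) of unexpected reads
    alerts: list[Alert] = []
    for ev in events:
        if (ev["type"] == "file_read" and ev.get("path") in cred_paths
                and ev["user"] not in allowed_readers):
            suspicious_reads.append((ev["ts"], ev["user"]))
        elif ev["type"] == "session_start" and ev["user"] == privileged_user:
            # Only reads that precede the session inside the window count.
            for read_ts, reader in suspicious_reads:
                if 0 <= ev["ts"] - read_ts <= window_s:
                    alerts.append(Alert(reader, read_ts, ev["ts"]))
    return alerts

if __name__ == "__main__":
    for a in correlate(SAMPLE_LOG, {CRED_PATH}):
        print(f"ALERT: {a.reader} read credential file at {a.read_ts}, "
              f"DCA session started at {a.session_ts}")
```

In the sample, the service account's read and the later DCA login with no preceding read are not flagged; only the low-privileged read followed by a DCA session 60 seconds later produces an alert.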

Lyrie Verdict

This is a credential-harvest-and-escalate scenario: a low-privileged local user reads a recoverable DCA password from disk and elevates into the SD-WAN Manager [NVD entry]. That’s exactly the kind of deterministic, file-to-privilege path that autonomous malware and rogue AI agents can chain at machine speed. Lyrie instruments file access, process lineage, and identity transitions on protected control-plane hosts; we auto-correlate “low-privileged user reads credential file” to “new DCA-authenticated session” and cut to containment before human reaction time [CISA KEV]. We pin detections to the exploit’s prerequisites and effect, local file read of recoverable credentials (CWE-257) and subsequent privilege use, so even novel tooling abusing this CVE lands inside a pre-built, autonomous response playbook [NVD entry] [MITRE CVE].

Lyrie Verdict

Deterministic file-to-privilege escalation on SD-WAN Manager is ideal for autonomous abuse. Lyrie correlates low-priv file reads of recoverable DCA creds to subsequent DCA sessions and auto-contains in-line—anchored on the CVE’s local-access precondition and CWE-257 mechanics.