Cisco Catalyst SD-WAN Manager Storing Passwords in a Recoverable Format (CVE-2026-20128)
CVE-2026-20128 affects Cisco Catalyst SD-WAN Manager and involves storing passwords in a recoverable format (CWE-257). An attacker with local or network access to the SD-WAN Manager may be able to extract plaintext or weakly-obfuscated credentials from configuration files, databases, or memory. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild. Successful exploitation could lead to credential theft enabling lateral movement, further network compromise, or full SD-WAN infrastructure takeover.
Vulnerability Intelligence
KEV — Known ExploitedAffected Software
- Vendor
- Cisco
- Product
- Catalyst SD-WAN Manager
Weakness (CWE)
Timeline
- Disclosed
- April 20, 2026
References & Proof of Concept
- https://www.cisa.gov/news-events/directives/ed-26-03-mitigate-vulnerabilities-cisco-sd-wan-systems
- https://www.cisa.gov/news-events/directives/supplemental-direction-ed-26-03-hunt-and-hardening-guidance-cisco-sd-wan-systems
- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-authbp-qwCX8D4v
- https://nvd.nist.gov/vuln/detail/CVE-2026-20128
CVSS
What is CVE-2026-20128 Cisco Catalyst SD-WAN Manager Storing Passwords in a Recoverable Format (CVE-2026-20128)?
Cisco Catalyst SD-WAN Manager Storing Passwords in a Recoverable Format (CVE-2026-20128) (CVE-2026-20128) maps to the Credential Access and Persistence and Lateral Movement tactics — the adversary is trying to steal account names and passwords in MITRE ATT&CK.
This page provides production-ready detection logic for Cisco Catalyst SD-WAN Manager Storing Passwords in a Recoverable Format (CVE-2026-20128), covering the data sources and telemetry it touches: Microsoft Defender for Endpoint, Microsoft Sentinel, Azure Monitor. The queries below are rated high severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.
MITRE ATT&CK
union DeviceNetworkEvents, DeviceProcessEvents, DeviceFileEvents
| where TimeGenerated > ago(7d)
| where DeviceName has_any ("sdwan", "vmanage", "sd-wan-manager") or RemoteUrl has_any ("vmanage", "sdwan-manager")
| where (ActionType in ("FileRead", "FileAccessed") and FolderPath has_any ("/etc/viptela", "/opt/nms", "vmanage", "sdwan", ".viptela"))
or (ProcessCommandLine has_any ("sqlite3", "strings", "grep", "cat") and ProcessCommandLine has_any ("password", "passwd", "credential", "secret", "vmanage"))
or (ActionType == "NetworkConnectionSuccess" and RemotePort in (8443, 8444, 443) and InitiatingProcessCommandLine has_any ("curl", "wget", "python", "ruby", "perl") and InitiatingProcessCommandLine has "vmanage")
| extend Severity = "High", CVE = "CVE-2026-20128"
| project TimeGenerated, DeviceName, ActionType, FolderPath, FileName, ProcessCommandLine, InitiatingProcessCommandLine, RemoteUrl, RemotePort, AccountName, CVE, Severity
| order by TimeGenerated descDetects suspicious file access, process activity, and network connections indicative of credential extraction from Cisco Catalyst SD-WAN Manager systems. Looks for reads of vManage configuration directories, credential-scraping commands, and unusual outbound connections from SD-WAN management hosts.
Data Sources
Required Tables
False Positives
- Legitimate administrative backup scripts accessing vManage configuration directories
- Authorized penetration testing or security assessments of SD-WAN infrastructure
- Cisco TAC support sessions involving configuration file review
- Automated monitoring agents performing scheduled health checks on vManage
Sigma rule & cross-platform mapping
The detection logic for Cisco Catalyst SD-WAN Manager Storing Passwords in a Recoverable Format (CVE-2026-20128) (CVE-2026-20128) above is provided in a vendor-neutral
form so you can deploy it on any SIEM. The same logic is shipped here as native
KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the
following logsource:
logsource:
category: process_creation
product: windowsBrowse the community-maintained Sigma rules for this technique:
Platform-specific guides for CVE-2026-20128
References (4)
- https://www.cisa.gov/news-events/directives/ed-26-03-mitigate-vulnerabilities-cisco-sd-wan-systems
- https://www.cisa.gov/news-events/directives/supplemental-direction-ed-26-03-hunt-and-hardening-guidance-cisco-sd-wan-systems
- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-authbp-qwCX8D4v
- https://nvd.nist.gov/vuln/detail/CVE-2026-20128
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1vManage SQLite Credential Database Direct Query
Expected signal: Process creation event for sqlite3 with command line containing /opt/nms/db or credential-related terms; file access event on vManage database path
- Test 2Grep for Passwords in vManage Configuration Directory
Expected signal: Process launch event for grep with arguments targeting /etc/viptela or similar paths and containing password-related search terms
- Test 3Unauthorized vManage REST API Credential Extraction via Python
Expected signal: Process launch event for python3 with command line containing the vManage management port (8443) and credential/user-related API path; NetworkConnectionIP4 event to localhost:8443
- Test 4strings Utility Against vManage Process Memory or Binary
Expected signal: Process creation for 'strings' with /proc/<pid>/exe or a vManage binary path as argument; subsequent grep process with credential search terms
Unlock Pro Content
Get the full detection package for CVE-2026-20128 including response playbook, investigation guide, and atomic red team tests.