PatchSiren


CVE-2026-20128 Cisco CVE debrief

CVE-2026-20128 is a Cisco Catalyst SD-WAN Manager vulnerability involving passwords stored in a recoverable format. CISA added it to the Known Exploited Vulnerabilities catalog on 2026-04-20 and set a remediation due date of 2026-04-23, so it should be treated as urgent. The supplied record does not include a CVSS score, so operational priority should be driven by the KEV listing and the potential exposure of credentials.

Vendor: Cisco
Product: Catalyst SD-WAN Manager
CVSS: Unknown
CISA KEV: Listed
Original CVE published: 2026-04-20
Original CVE updated: 2026-04-20
Advisory published: 2026-04-20
Advisory updated: 2026-04-20

Who should care

Organizations running Cisco Catalyst SD-WAN Manager and teams responsible for SD-WAN administration, identity and access management, vulnerability management, and incident response. Security teams should also care if the platform stores privileged credentials or supports cloud-managed deployments covered by CISA guidance.

Technical summary

The vulnerability is described only as Cisco Catalyst SD-WAN Manager storing passwords in a recoverable format. Based on the supplied record, the issue centers on credential protection rather than a network exploit detail; if an attacker or unauthorized user gains access to the affected storage or configuration, the stored passwords could be recovered. The provided corpus does not specify affected versions, attack vector, or exploitation method beyond its inclusion in CISA KEV.

Defensive priority

High. CISA’s KEV designation and short due date call for immediate remediation planning. Treat this as a time-sensitive credential-exposure risk and verify whether any Cisco Catalyst SD-WAN Manager deployments are present before the KEV due date.

Recommended defensive actions

  • Identify all Cisco Catalyst SD-WAN Manager deployments and determine whether they are exposed or in scope for the CISA guidance.
  • Follow CISA Emergency Directive 26-03 mitigation guidance for Cisco SD-WAN systems.
  • Use CISA’s Hunt and Hardening Guidance for Cisco SD-WAN Devices to validate exposure and reduce risk.
  • Review the Cisco security advisory and the NVD/CVE record for vendor-directed remediation details.
  • If mitigations are not available, follow the applicable BOD 22-01 guidance for cloud services or discontinue use of the product as directed by CISA.
  • Rotate or review any credentials that may have been stored in the affected system, consistent with internal incident-response and credential-hygiene procedures.
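
The first action above can be scripted against an asset inventory. This is an added example, not code from CISA, Cisco or PatchSiren: it matches inventory entries to the KEV record's vendor and product and ranks them against the due date. The inventory rows, hostnames, and the `internet_facing` and `remediated` flags are constructed assumptions; the KEV key names follow the CISA KEV JSON feed.

```python
from datetime import date

# KEV fields as given on this page; key names follow the CISA KEV JSON feed.
KEV_RECORD = {
    "cveID": "CVE-2026-20128",
    "vendorProject": "Cisco",
    "product": "Catalyst SD-WAN Manager",
    "dateAdded": "2026-04-20",
    "dueDate": "2026-04-23",
}

# Constructed sample inventory: hostnames and flags are hypothetical.
# "remediated" is assumed to mean the team has applied the directed mitigation.
INVENTORY = [
    {"host": "sdwan-mgr-01.example.internal", "vendor": "Cisco",
     "product": "Catalyst SD-WAN Manager", "internet_facing": True, "remediated": False},
    {"host": "sdwan-mgr-02.example.internal", "vendor": "cisco",
     "product": "catalyst sdwan manager", "internet_facing": False, "remediated": False},
    {"host": "sdwan-mgr-03.example.internal", "vendor": "Cisco",
     "product": "Catalyst SD-WAN Manager", "internet_facing": False, "remediated": True},
    {"host": "fw-edge-01.example.internal", "vendor": "Cisco",
     "product": "Secure Firewall", "internet_facing": True, "remediated": False},
]

def normalize(name):
    """Compare names on letters and digits only, so 'SD-WAN' matches 'sdwan'."""
    return "".join(ch for ch in name.lower() if ch.isalnum())

def triage(record, inventory, today):
    """Return in-scope assets, open and internet-facing ones first."""
    days_left = (date.fromisoformat(record["dueDate"]) - today).days
    wanted = (normalize(record["vendorProject"]), normalize(record["product"]))
    findings = []
    for asset in inventory:
        if (normalize(asset["vendor"]), normalize(asset["product"])) != wanted:
            continue  # different product: out of scope for this KEV entry
        if asset["remediated"]:
            status = "remediated"
        else:
            status = "overdue" if days_left < 0 else "due"
        findings.append({"host": asset["host"], "status": status, "days_left": days_left,
                         "internet_facing": asset["internet_facing"]})
    findings.sort(key=lambda f: (f["status"] == "remediated",
                                 not f["internet_facing"], f["host"]))
    return findings

if __name__ == "__main__":
    for f in triage(KEV_RECORD, INVENTORY, date.today()):
        print(f"{KEV_RECORD['cveID']} {f['host']}: {f['status']} ({f['days_left']} days to due date)")
```
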

Evidence notes

All facts in this debrief come from the supplied CISA KEV record and timeline fields: the vulnerability name, product, KEV dateAdded 2026-04-20, dueDate 2026-04-23, and CISA’s requiredAction/notes. The record also points to CISA’s ED-26-03 mitigation page, hunt and hardening guidance, the Cisco advisory, and the NVD record. No CVSS score, affected versions, exploit details, or ransomware campaign attribution were provided in the corpus.

Official resources

Publicly disclosed in the supplied record on 2026-04-20 via CISA’s Known Exploited Vulnerabilities catalog. The KEV record sets 2026-04-23 as the remediation due date.