Horizon Alert
Summary of the vulnerability and why it matters
A vulnerability exists in Cisco Catalyst SD-WAN Manager that could allow an attacker to gain the privileges of the Data Collection Agent (DCA) user. The root cause is a password file for the DCA user that is present on the system and can be read by an attacker with a crafted request. With the DCA credentials in hand, the attacker could then gain access to other affected systems.
- Attacker can read DCA password.
- Leads to unauthorized privileges.
- Affects Cisco Catalyst SD-WAN Manager.
Attack Path
How an attacker could exploit the issue
An attacker with access to the system exploits this by reading the credential file that holds the DCA user's password. The stolen credentials can then be reused to obtain DCA user privileges on other affected systems.
- Requires system access.
- Targets DCA credential file.
- Uses stolen credentials.
Live Threat
Current exploitation, exposure, and threat context
This vulnerability has a high potential for exploitation: it sits in a critical network management system and has been added to the CISA Known Exploited Vulnerabilities catalog. Attackers are likely to weaponize this type of vulnerability because it grants significant privileges on a widely deployed enterprise device.
- Added to KEV catalog.
- Exploitable via network request.
- Affects management system.
Priority actions
Operational Fix
Recommended remediation, mitigation, and detection steps
Prioritize patching Cisco Catalyst SD-WAN Manager to a non-vulnerable version immediately, since this vulnerability is actively exploited and allows privilege escalation. If patching is delayed, use network segmentation to isolate affected systems and strictly control access to the Data Collection Agent (DCA) user's credential file.
- Update to a fixed version.
- Isolate affected systems.
- Monitor for unauthorized access.
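As an added example (not from the advisory or from Cisco), a small Python check that supports the monitoring step above: it flags successful authentications as the DCA user from sources outside an allow-list, which is how a stolen DCA password being reused on another system would show up. The log line format, the account name `dca`, the timestamps and the addresses are constructed assumptions.

```python
import re

# Assumed (constructed) authentication log format, one event per line:
#   <timestamp> user=<account> src=<ip> result=<success|failure>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)\s+result=(?P<result>success|failure)$"
)

# Assumption: the local account name used by the Data Collection Agent.
DCA_USER = "dca"


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_suspicious_dca_logins(lines, allowed_sources):
    """Return successful DCA-user authentications from sources not on the allow-list.

    A DCA password read from the credential file and reused elsewhere appears as a
    DCA login from a host that normally never authenticates as that account.
    """
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["user"] != DCA_USER:
            continue  # unparseable line or a different account
        if ev["result"] == "success" and ev["src"] not in allowed_sources:
            alerts.append(ev)
    return alerts


# Constructed sample events: one expected DCA login, one from an unknown host, plus noise.
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z user=dca src=10.0.0.5 result=success",
    "2024-01-01T10:05:00Z user=admin src=10.0.0.9 result=success",
    "2024-01-01T10:07:00Z user=dca src=192.0.2.77 result=failure",
    "2024-01-01T10:07:30Z user=dca src=192.0.2.77 result=success",
    "malformed line that should be skipped",
]
ALLOWED_DCA_SOURCES = {"10.0.0.5"}  # assumption: hosts expected to use the DCA account

if __name__ == "__main__":
    for ev in find_suspicious_dca_logins(SAMPLE_LOG, ALLOWED_DCA_SOURCES):
        print(f"ALERT {ev['ts']}: DCA login from unexpected source {ev['src']}")
```

Feed it the real authentication log of the management system and an allow-list of the hosts that legitimately use the DCA account; any hit is worth an investigation.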