top of page

Active Exploitation of Cisco Catalyst SD-WAN Authentication Bypass (CVE-2026-20127) Grants Administrative Control

February 27th, 2026

Critical

Our Cyber Threat Intelligence Unit is actively monitoring CVE-2026-20127, a critical authentication-bypass vulnerability affecting Cisco Catalyst SD-WAN Controller and Manager. Disclosed on February 25, 2026, this vulnerability allows remote, unauthenticated attackers to gain high-privilege administrative access by bypassing peering authentication. Cisco Talos reports exploitation has occurred since at least 2023, linked to the advanced threat group UAT-8616. Post-compromise activity includes adding rogue SD-WAN peers, maintaining sustained access to controller infrastructure, and potential privilege escalation techniques. Because SD-WAN controllers manage segmentation, routing, and fabric policies across distributed enterprise networks, successful exploitation poses a significant risk to network integrity, confidentiality, and operational continuity. 

Technical Details

  • CVE ID: CVE-2026-20127

  • Severity: Critical

    • CVSS v3.1 (Cisco CNA): 10.0

  • Vulnerability Type: Improper Authentication (CWE-287) – Authentication Bypass

  • Affected Products:

    • Cisco Catalyst SD-WAN Controller (vSmart)

    • Cisco Catalyst SD-WAN Manager (vManage)

  • Attack Vector: Network-based, remote, unauthenticated

  • Vulnerability Description:

    • CVE-2026-20127 results from an improper implementation of peering authentication mechanisms within Cisco Catalyst SD-WAN Controller and Manager systems.

    • A remote attacker can send crafted network requests to bypass authentication controls and log in as a high-privileged, non-root administrative user.

    • Once authenticated, the attacker can:

      • Access NETCONF interfaces

      • Modify SD-WAN fabric configuration

      • Manipulate routing and segmentation policies

      • Alter controller behavior

      • Establish persistent rogue peer relationships

    • Cisco Talos reports that some actors have used downgrade techniques to escalate privileges, often by exploiting known vulnerabilities after rolling back to earlier versions.

  • Additional Related Vulnerabilities:

    • Some of these related issues may permit file overwrite conditions, exposure of sensitive system information, configuration manipulation, or additional privilege escalation paths depending on deployment and version.

  • Exploit Status:

    • Actively exploited in the wild since at least 2023

    • Activity tracked as UAT-8616

    • Observed behaviors include rogue peer creation and sustained controller access

    • No public proof-of-concept exploit code identified at time of disclosure

  • Affected and Fixed Versions:

    • Cisco has published version-specific remediation guidance.

    • Impacted releases include multiple 20.x software trains.

    • Fixed releases include patched builds such as:

      • 20.12.5.3 and later

      • 20.12.6.1 and later

      • 20.15.4.2 and later

      • 20.18.2.1 and later

      • Additional train-specific updates as outlined in Cisco’s official advisory

    • Organizations should reference Cisco’s published upgrade matrix to determine exact exposure based on the deployed version.

Image by ThisisEngineering

Impact

Successful exploitation may result in:

  • Unauthorized Administrative Access: Attackers can gain full control over SD-WAN Controller and Manager systems.

  • Configuration Manipulation: Malicious modification of routing, segmentation, and fabric policies.

  • Root-Level Privilege Escalation: Full system compromise of controller nodes.

  • Lateral Movement: Pivot from SD-WAN infrastructure into internal enterprise networks.

  • Operational Disruption: WAN disruption, traffic interception, and multi-site connectivity failure.

Given SD-WAN’s role as a centralized management infrastructure, compromise carries elevated enterprise-wide risk.

Detection Method

Organizations should implement the following monitoring and investigative actions:

  • Review SD-WAN Controller and Manager logs for anomalous authentication events

  • Investigate unexpected administrative sessions or control-plane connections

  • Identify unauthorized peer additions or configuration changes

  • Audit NETCONF activity for abnormal usage patterns

  • Correlate configuration changes occurring outside approved maintenance windows

  • Monitor control-plane traffic flows between vManage, vSmart, and edge devices

  • Validate version integrity to detect potential downgrade attempts

Indicators of Compromise

There are no Indicators of Compromise (IOCs) for this advisory.

mix of red, purple, orange, blue bubble shape waves horizontal for cybersecurity and netwo

Recommendations

  • Immediately upgrade to Cisco-recommended fixed releases

  • Restrict SD-WAN control and management interfaces to trusted networks only

  • Enforce strict ACLs and network segmentation for controller access

  • Enable multi-factor authentication where supported

  • Conduct configuration integrity validation across SD-WAN fabric nodes

  • Perform targeted threat hunting for rogue peers or unauthorized policy modifications

  • Validate that devices are running vendor-supported releases to prevent downgrade-based exploitation

Conclusion

CVE-2026-20127 is a critical authentication bypass vulnerability with confirmed long-term in-the-wild exploitation against Cisco Catalyst SD-WAN Controller and Manager infrastructure. Unauthenticated attackers can gain administrative access and manipulate SD-WAN fabric control planes, creating a serious risk to enterprise network stability and trust. Organizations using Cisco SD-WAN should prioritize immediate remediation, apply compensating controls as needed, and perform retrospective threat analysis to detect possible compromise.

bottom of page