CVE-2026-20127

Name of the Vulnerable Software and Affected Versions Cisco Catalyst SD-WAN Controller (affected versions not specified) Cisco Catalyst SD-WAN Manager (affected versions not specified) Cisco Catalyst SD-WAN Validator (affected versions not specified)

Description An authentication bypass exists in the peering authentication mechanism of the affected systems. A remote, unauthenticated attacker can exploit this by sending crafted requests to bypass authentication and obtain administrative privileges. Specifically, an attacker can log in to the Cisco Catalyst SD-WAN Controller as a high-privileged, non-root internal user account. This access allows the attacker to use NETCONF (Network Configuration Protocol) to manipulate the network configuration for the SD-WAN fabric.

Technical exploitation details include:

Threat actor UAT-8616 has actively exploited this issue since at least 2023. The attack chain involves injecting rogue peers into the SD-WAN management plane and escalating privileges to root via a secondary vulnerability, while suppressing logs to maintain long-term persistence.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability. Restrict access to the 'reports/data/opt/data/containers/config/data-collection-agent/' endpoint from external networks using WAF or IDS rules. Audit recently authorized users from external networks via the '/jts/authenticated/j security check' endpoint. Audit suspicious archives transmitted through the '/dataservice/smartLicensing/uploadAck' endpoint. Inspect the /deployments folder for suspicious files.