PT-2026-21954 · Cisco · Cisco Catalyst SD-WAN Manager +1

Published: 2026-02-25 · Updated: 2026-02-26 · CVE-2026-20127

CVSS v3.1: 10
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage (affected versions not specified)

Description

A flaw exists in the peering authentication mechanism of Cisco Catalyst SD-WAN Controller and Manager, allowing an unauthenticated, remote attacker to bypass authentication and gain administrative privileges on an affected system. This is due to a failure in the authentication process, enabling an attacker to log in as a high-privileged user. Successful exploitation allows manipulation of network configuration for the SD-WAN fabric via access to NETCONF.

This issue has been actively exploited in the wild since 2023 by a sophisticated threat actor, who has been adding rogue peers, escalating privileges, and maintaining persistence within affected networks. The threat actor has been observed downgrading and upgrading firmware versions to exploit vulnerabilities and cover their tracks. This vulnerability is being tracked as CVE-2026-20127 and has a critical severity rating.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.

LPE

DoS

Improper Authentication

Weakness Enumeration

Related Identifiers

CVE-2026-20127

Affected Products

Cisco Catalyst SD-WAN Controller
Cisco Catalyst SD-WAN Manager