CVE-2026-20127

Name of the Vulnerable Software and Affected Versions Cisco Catalyst SD-WAN Controller (affected versions not specified) Cisco Catalyst SD-WAN Manager (affected versions not specified)

Description A flaw in the peering authentication mechanism of Cisco Catalyst SD-WAN Controller and Manager allows an unauthenticated remote attacker to bypass authentication and obtain administrative privileges. The issue is exploited by sending crafted requests to the system, enabling the attacker to log in as a high-privileged, non-root user. Once authenticated, the attacker can access NETCONF (TCP/830) to manipulate network configurations for the SD-WAN fabric.

Technical exploitation involves a multi-step process:

Real-world exploitation has been observed since 2023 by threat actor UAT-8616, who targeted critical infrastructure by injecting rogue peers into the management plane and escalating privileges to root. This activity was widespread enough to prompt a coordinated emergency directive from Five Eyes agencies.

Recommendations Apply the patches released by Cisco for Catalyst SD-WAN Controller and Manager. Restrict external network access to the 'reports/data/opt/data/containers/config/data-collection-agent/' directory using WAF or IDS rules. Audit the '/jts/authenticated/j security check' endpoint for suspicious external authorizations. Audit the '/dataservice/smartLicensing/uploadAck' endpoint for suspicious archive uploads. Inspect the /deployments folder for unauthorized files.