PT-2026-21954 · Cisco · Cisco Catalyst SD-WAN Controller, Cisco Catalyst SD-WAN Manager
Published: 2026-02-25 · Updated: 2026-04-20 · CVE-2026-20127
CVSS v3.1: 10 (Critical) | AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions:
Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage.
Description:
A vulnerability exists in the peering authentication mechanism, allowing an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system. Successful exploitation could allow the attacker to manipulate network configuration for the SD-WAN fabric. This vulnerability has been actively exploited since 2023 by threat actors, including UAT-8616, who have been observed adding rogue peers and escalating privileges. The vulnerability is rated as critical with a CVSS score of 10.0.
Recommendations:
Apply the latest security updates released by Cisco to address this vulnerability. Hunt for signs of compromise, including suspicious control-connection peering events, rogue accounts, SSH keys, log wiping, and downgrade/reboot artifacts. Restrict access to management interfaces and consider implementing network segmentation to limit the impact of potential exploitation.
Fix · LPE · RCE · DoS · Improper Authentication
Affected Products:
Cisco Catalyst SD-WAN Controller
Cisco Catalyst SD-WAN Manager