PT-2026-21954 · Cisco · Cisco Catalyst SD-WAN Controller, Cisco Catalyst SD-WAN Manager

Published: 2026-02-25 · Updated: 2026-03-05 · CVE-2026-20127

CVSS v3.1: 10
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Cisco Catalyst SD-WAN Controller and Manager versions prior to the fixed release

Description

A critical vulnerability exists in the peering authentication mechanism of Cisco Catalyst SD-WAN Controller (formerly SD-WAN vSmart) and Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage). This flaw allows an unauthenticated, remote attacker to bypass authentication and gain administrative privileges on an affected system. Successful exploitation enables the attacker to manipulate network configuration for the SD-WAN fabric via NETCONF. This vulnerability, tracked as CVE-2026-20127, has a CVSS score of 10.0 and has been actively exploited in the wild since at least 2023 by a sophisticated threat actor (UAT-8616). Attackers have been observed adding rogue peers, escalating privileges, and persisting within compromised networks. The vulnerability affects systems globally and has been designated as an imminent threat by multiple cybersecurity agencies.

Recommendations

Apply the latest security updates and patches released by Cisco to address this vulnerability. Restrict access to the management interface of Cisco Catalyst SD-WAN Controller and Manager to trusted IP addresses only. Implement robust monitoring and logging to detect any suspicious activity, including unauthorized access attempts and configuration changes. Rotate credentials and keys as a precautionary measure.

Fix

RCE

DoS

LPE

Improper Authentication

Weakness Enumeration

Related Identifiers

BDU:2026-02299
CVE-2026-20127

Affected Products

Cisco Catalyst SD-WAN Controller
Cisco Catalyst SD-WAN Manager