Exploitation of Zero-Day Vulnerability in Cisco Catalyst SD-WAN
Summary
CVE-2026-20127 could allow an unauthenticated attacker to bypass authentication and gain administrative privileges
Affected platforms
The following platforms are known to be affected:
Threat details
Additional Detail on Affected Products
CVE-2026-20127 affects the following Catalyst SD-WAN deployment types:
- On-Premises Deployment
- Cisco Hosted SD-WAN Cloud
- Cisco Hosted SD-WAN Cloud - Cisco Managed
- Cisco Hosted SD-WAN Cloud - FedRAMP Environment
The Cisco SD-WAN solution has been rebranded as Cisco Catalyst SD-WAN. In addition, from Cisco IOS XE SD-WAN Release 17.12.1a and Cisco Catalyst SD-WAN Release 20.12.1, the following component changes apply:
- Cisco SD-WAN Controllers are now Cisco Catalyst SD-WAN Control Components
- Cisco SD-WAN vAnalytics is now Cisco Catalyst SD-WAN Analytics
- Cisco SD-WAN vBond is now Cisco Catalyst SD-WAN Validator
- Cisco SD-WAN vManage is now Cisco Catalyst SD-WAN Manager
- Cisco SD-WAN vSmart is now Cisco Catalyst SD-WAN Controller
Introduction
Cisco has released a security advisory to address a critical vulnerability in Cisco Catalyst SD-WAN Controller (formerly SD-WAN vSmart) and Catalyst SD-WAN Manager (formerly SD-WAN vManage). Cisco Catalyst SD-WAN is a software-defined wide area network solution that enables secure, scalable, and flexible connectivity across enterprise networks.
Exploitation of Multiple Vulnerabilities
Cisco, the National Cyber Security Centre (NCSC-UK) and other Five Eyes intelligence partners have reported zero-day exploitation of CVE-2026-20127 by multiple threat actors, with exploitation activity observed as early as 2023.
Cisco has now confirmed that CVE-2026-20122 and CVE-2026-20128 are being actively exploited in the wild.
Edge devices such as Cisco Catalyst SD-WAN are internet-facing by design, which makes them highly attractive targets. The number of edge device vulnerabilities disclosed each year is increasing, and they are rapidly exploited once known. The NHS England National CSOC assesses that it is highly likely that vulnerabilities discovered in edge devices will continue to be exploited either as zero-days or shortly after vendor disclosure.
Organisations are strongly encouraged to follow NCSC-UK's vulnerability management guidance, including patching edge devices as soon as possible if a critical vulnerability is identified.
Vulnerability details
- CVE-2026-20127 is an "improper authentication" vulnerability with a CVSSv3 score of 10. Successful exploitation could allow an unauthenticated, remote attacker to bypass authentication and gain access to a highly privileged, non-root user account. Using this account, the attacker could access NETCONF, allowing the attacker to manipulate the network configuration for the SD-WAN fabric.
Cisco has released another security advisory to address the following vulnerabilities in Catalyst SD-WAN:
- a critical severity authentication bypass vulnerability (CVE-2026-20129)
- a high severity privilege escalation vulnerability (CVE-2026-20126)
- a high severity information disclosure vulnerability (CVE-2026-20133)
- a high severity arbitrary file overwrite vulnerability (CVE-2026-20122) - Exploited
- a medium severity information disclosure vulnerability (CVE-2026-20128) - Exploited
Three of the vulnerabilities listed above are not currently exploited. However, all of them are remediated by the patches for CVE-2026-20127.
Threat updates
| Date | Update |
|---|---|
| 9 Mar 2026 | Active Exploitation of CVE-2026-20122 and CVE-2026-20128 in the Wild. The following items have been updated to reflect this change: |
Remediation advice
Affected organisations must review Cisco security advisory cisco-sa-sdwan-rpa-EHchtZk and complete the remediation steps detailed below.
Remediation steps
| Type | Step |
|---|---|
| Action | Optional: Perform a Comprehensive Compromise Assessment. The Australian Signals Directorate, in partnership with NCSC-UK and other Five Eyes intelligence partners, has published a comprehensive threat hunting guide to detect evidence of compromise. Organisations are strongly encouraged to review this document and perform a compromise assessment. Note: Organisations are strongly encouraged to complete this step first, or to collect all relevant artifacts, including a snapshot of the device and all logs, to support threat hunting after patching. Patching before conducting the compromise assessment or collecting relevant artifacts may delete critical evidence. If evidence of compromise is detected, organisations must immediately report this to the NHS England National Cyber Security Operations Centre (CSOC) by calling 0300 303 5222 or emailing [email protected]. https://www.cyber.gov.au/sites/default/files/2026-02/ACSC-led%20Cisco%20SD-WAN%20Hunt%20Guide.pdf |
| Patch | Required: Update to a Fixed Version. Organisations must update Catalyst SD-WAN Controller and Catalyst SD-WAN Manager to a fixed version. Applying the patch for CVE-2026-20127 also remediates the other vulnerabilities disclosed by Cisco and mentioned in this Cyber Alert. Organisations are strongly encouraged to use the Cisco Software Checker tool to determine the latest available version for their deployment. Note: Catalyst SD-WAN releases earlier than 20.9 are end-of-life. Organisations running an end-of-life version must migrate to a supported version and apply the patch to address CVE-2026-20127. https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk |
| Guidance | Optional: Hardening Guidance for Cisco Catalyst SD-WAN. Organisations are strongly encouraged to follow Cisco's hardening guidance for Catalyst SD-WAN. https://sec.cloudapps.cisco.com/security/center/resources/Cisco-Catalyst-SD-WAN-HardeningGuide |
Last edited: 9 March 2026 11:25 am