Back to threat alerts

CVE-2026-20127: Critical Cisco Catalyst SD-WAN Zero Day Vulnerability

CVE-2026-20127 is a critical authentication bypass vulnerability (CVSS Base Score: 10.0) affecting the Cisco Catalyst SD-WAN Controller (formerly vSmart) and Cisco Catalyst SD-WAN Manager (formerly vManage). The vulnerability has been exploited in the wild as a zero-day since at least 2023 by a highly sophisticated threat actor tracked by Cisco Talos as UAT-8616. This flaw allows an unauthenticated, remote attacker to bypass authentication mechanisms and obtain high-level administrative privileges on affected systems.

Threat alert
February 26, 2026
Description:

The vulnerability stems from an improper peering authentication mechanism within the affected Cisco Catalyst SD-WAN systems. By sending specially crafted requests, an attacker can create a rogue peer joined to the network management plane. A successful exploit grants the attacker internal, high-privileged, non-root user account access (e.g., the vmanage-admin account). Using this access, the attacker can leverage NETCONF to manipulate network configurations for the entire SD-WAN fabric.

Post-compromise investigations reveal that UAT-8616 leverages this initial access to execute a complex attack chain. The threat actor uses the built-in update mechanism to downgrade the device's software version. Once downgraded, the attacker exploits an older path traversal vulnerability (CVE-2022-20775) to escalate their privileges to root. After gaining root access, the attacker restores the firmware to its original version to evade detection. The actor then establishes persistent footholds by adding unauthorised SSH keys, moving laterally between SD-WAN appliances using NETCONF and SSH, and clearing or truncating system logs (such as those in /var/log) to conceal their intrusion.

Vulnerable Versions:

The vulnerability impacts the following deployment types of Cisco Catalyst SD-WAN Controller and Manager, regardless of the device configuration:

  • On-Premises Deployments
  • Cisco Hosted SD-WAN Cloud
  • Cisco Hosted SD-WAN Cloud - Cisco Managed
  • Cisco Hosted SD-WAN Cloud - FedRAMP Environment

The flaw affects the following Cisco Catalyst SD-WAN versions:

  • Prior to version 20.9 (Administrators must migrate to a fixed release)
  • Versions 20.9 to 20.9.8.2
  • Versions 20.11.1 to 20.12.6.1
  • Versions 20.12.5 to 20.12.5.3
  • Versions 20.12.6 to 20.12.6.1
  • Versions 20.13.1 to 20.15.4.2
  • Versions 20.14.1 to 20.15.4.2
  • Versions 20.15 to 20.15.4.2
  • Versions 20.16.1 to 20.18.2.1
  • Versions 20.18 to 20.18.2.1
Mitigations:

There are currently no functional workarounds that mitigate this vulnerability, applying the vendor-provided software updates is the only complete remediation.

Recommendations:
  • Apply Security Updates: Urgently update all in-scope Cisco SD-WAN controllers and managers to the latest fixed software releases provided by Cisco.
  • Isolate Management Interfaces: Restrict network exposure by placing SD-WAN control components behind firewalls. Ensure that management ports and interfaces are isolated and strictly inaccessible from the internet.
  • Externalise Logs: Ensure that SD-WAN systems are configured to store logs externally in a centralised location. This preserves forensic evidence and prevents threat actors from tampering with logs to hide their tracks.
  • Proactive Threat Hunting: Audit /var/log/auth.log for anomalous entries, such as "Accepted publickey for vmanage-admin" originating from unrecognised IP addresses. Investigate any unexpected peering events, unrecognised device types joining the environment, or unexplained software version downgrades followed by reboots.