Published on February 25, 2026
Critical Cisco SD-WAN Bug Exploited in Zero-Day Attacks Since 2023
Severity
Critical
Cisco has released a critical security advisory for an authentication bypass vulnerability in Cisco Catalyst SD-WAN products, tracked as CVE-2026-20127. The flaw is being exploited in targeted attacks and poses a severe risk to SD-WAN deployments.
| CVE ID | Vulnerability Type | Impact | CVSS Score |
|---|---|---|---|
| CVE-2026-20127 | Improper Authentication (CWE-287) | The peering authentication mechanism does not correctly validate crafted requests, allowing a remote, unauthenticated attacker to bypass authentication completely. | 10.0 Critical |
If successfully exploited, an attacker could:
- Bypass authentication and log in to a Cisco Catalyst SD-WAN Controller with high privileges (non-root).
- Access NETCONF, enabling manipulation of the SD-WAN fabric configuration.
- Add rogue peers to the SD-WAN network, effectively implanting malicious devices that appear legitimate.
- Expand access and establish persistence within the network.
Reports from third-party threat intelligence and government partners indicate that malicious actors have been able to add rogue peers and perform additional compromise actions, including persistence and extended access.
Cisco PSIRT confirms limited exploitation of CVE-2026-20127 in the wild. While Cisco has not publicly attributed specific threat actors, independent reporting and allied national cybersecurity agencies note active exploitation and follow-on malicious actions post-compromise.
Affected Products
Affected Components:
- Cisco Catalyst SD-WAN Controller (formerly SD-WAN vSmart)
- Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage)
Deployment Types Affected:
- On-Premise SD-WAN
- Cisco Hosted SD-WAN Cloud (including Managed and FedRAMP environments)
Recommendation
Administrators must review the authentication log on each controller (and any rotated copies) for anomalous successful logins:

```
/var/log/auth.log
```

Example entry (addresses redacted in the advisory):

```
2026-02-10T22:51:36+00:00 vm sshd[804]: Accepted publickey for vmanage-admin from <unknown IP> port <REDACTED> ssh2: RSA SHA256:<REDACTED>
```

Compare the source IP of every accepted login against the System IPs listed under WebUI > Devices > System IP in SD-WAN Manager. Any IP that authenticates successfully but is not a known System IP should be treated as a potential compromise.
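The check above, as an added example that is not Cisco's code and not part of the original advisory: parse `sshd` "Accepted" events from the auth log, compare each source address with the fabric's System IP list, and flag anything that does not match. The log lines and the System IP set below are constructed for illustration; in practice the lines come from `/var/log/auth.log` on each controller and the IP set from SD-WAN Manager > Devices > System IP. Accepted lines whose source cannot be parsed (for instance the redacted form shown in the advisory) are reported as well, since a login you cannot attribute needs the same manual review.

```python
"""Flag successful SSH logins on an SD-WAN controller whose source address
is not a known fabric System IP.

Added illustration only (not Cisco's code). Sample log lines and System IPs
are constructed; replace them with the controller's /var/log/auth.log and
the System IP list exported from SD-WAN Manager.
"""
import ipaddress
import re
from typing import Dict, Iterable, List

# sshd "Accepted <method> for <user> from <src> port <port> ..." events.
# Only successful logins are of interest for this check.
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\S+)\s+\S+\s+sshd\[\d+\]:\s+Accepted\s+(?P<method>\S+)"
    r"\s+for\s+(?P<user>\S+)\s+from\s+(?P<src>\S+)\s+port\s+(?P<port>\S+)"
)

# Constructed sample lines in the format shown in the advisory (not real device output).
SAMPLE_AUTH_LOG = [
    "2026-02-10T22:51:36+00:00 vm sshd[804]: Accepted publickey for vmanage-admin from 10.1.1.5 port 52100 ssh2: RSA SHA256:AAAA",
    "2026-02-10T22:53:02+00:00 vm sshd[811]: Accepted publickey for vmanage-admin from 203.0.113.77 port 41022 ssh2: RSA SHA256:BBBB",
    "2026-02-10T22:55:10+00:00 vm sshd[820]: Failed password for admin from 198.51.100.9 port 3300 ssh2",
    "2026-02-11T01:00:00+00:00 vm sshd[830]: Accepted password for admin from 10.1.1.7 port 50022 ssh2",
    "2026-02-11T01:05:00+00:00 vm sshd[835]: Accepted publickey for vmanage-admin from <unknown IP> port <REDACTED> ssh2: RSA SHA256:CCCC",
]

# Assumed System IPs of the fabric (what you would export from Devices > System IP).
KNOWN_SYSTEM_IPS = {"10.1.1.5", "10.1.1.7", "10.1.1.9"}


def parse_accepted_logins(lines: Iterable[str]) -> Dict[str, List]:
    """Split log lines into parsed successful logins and Accepted lines that
    did not match the expected format (returned raw for manual review)."""
    parsed: List[Dict[str, str]] = []
    unparsed: List[str] = []
    for line in lines:
        if ": Accepted " not in line:
            continue  # failed attempts and other sshd noise are out of scope here
        m = ACCEPTED_RE.match(line)
        if m is None:
            unparsed.append(line)
            continue
        parsed.append({k: m.group(k) for k in ("ts", "method", "user", "src", "port")})
    return {"parsed": parsed, "unparsed": unparsed}


def find_unknown_logins(lines: Iterable[str], known_system_ips: Iterable[str]) -> List[Dict[str, str]]:
    """Return accepted logins whose source is not a known System IP.

    Comparison is done on parsed addresses so that textual variants of the
    same address (e.g. IPv6 zero compression) still match.
    """
    known = {ipaddress.ip_address(ip) for ip in known_system_ips}
    result = parse_accepted_logins(lines)
    suspicious: List[Dict[str, str]] = []
    for ev in result["parsed"]:
        try:
            src = ipaddress.ip_address(ev["src"])
        except ValueError:
            suspicious.append({**ev, "reason": "source is not a valid address"})
            continue
        if src not in known:
            suspicious.append({**ev, "reason": "source not a known System IP"})
    for line in result["unparsed"]:
        suspicious.append({"raw": line, "reason": "could not parse Accepted line"})
    return suspicious


if __name__ == "__main__":
    for hit in find_unknown_logins(SAMPLE_AUTH_LOG, KNOWN_SYSTEM_IPS):
        print(hit["reason"], "->", hit.get("src") or hit.get("raw"))
```

Run it against the real log with the real System IP list; every line it prints is a login to investigate, not proof of compromise on its own, but a successful login from an address outside the fabric is exactly the indicator the advisory asks you to look for.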
Review SD-WAN peering logs for:
- Unexpected peer connections
- Peering events outside normal maintenance windows
- Peering originating from unrecognized IP addresses
Attackers often establish unauthorized peer relationships as part of compromise and persistence.
Cisco strongly recommends upgrading to fixed software releases specifically listed in the advisory. Workarounds do not completely mitigate the risk.
| Cisco Catalyst SD-WAN Release | First Fixed Release |
|---|---|
| Earlier than 20.9 | Migrate to a fixed release. |
| 20.9 | 20.9.8.2 (estimated release February 27, 2026) |
| 20.11 | 20.12.6.1 |
| 20.12.5 | 20.12.5.3 |
| 20.12.6 | 20.12.6.1 |
| 20.13 | 20.15.4.2 |
| 20.14 | 20.15.4.2 |
| 20.15 | 20.15.4.2 |
| 20.16 | 20.18.2.1 |
| 20.18 | 20.18.2.1 |
Temporary Mitigation Guidance
While planning upgrades, customers may tighten network controls:
- Restrict inbound traffic to ports 22 (SSH) and 830 (NETCONF) on the controllers so that it is accepted only from known controller IPs, using firewall rules or ACLs.
- Cisco Hosted SD-WAN Cloud deployments have provider-controlled guardrails in place.
Note: These measures are not complete workarounds and may impact functionality if misconfigured.