CVE-2026-20127

Published Feb 25, 2026

Last updated 2 months ago

Exploit knownCVSS critical 10.0
Tunneling protocol
Zero-day
API
Network
Bgp
Firmware

Overview

Description
A vulnerability in the peering authentication in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system. This vulnerability exists because the peering authentication mechanism in an affected system is not working properly. An attacker could exploit this vulnerability by sending crafted requests to an affected system. A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account. Using this account, the attacker could access NETCONF, which would then allow the attacker to manipulate network configuration for the SD-WAN fabric. 
Source
psirt@cisco.com
NVD status
Analyzed
Products
catalyst_sd-wan_manager, sd-wan_vsmart_controller

Risk scores

CVSS 3.1

Type
Primary
Base score
10
Impact score
6
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Severity
CRITICAL

Known exploits

Data from CISA

Vulnerability name
Cisco Catalyst SD-WAN Controller and Manager Authentication Bypass Vulnerability
Exploit added on
Feb 25, 2026
Exploit action due
Feb 27, 2026
Required action
Please adhere to CISA’s guidelines to assess exposure and mitigate risks associated with Cisco SD-WAN devices as outlines in CISA’s Emergency Directive 26-03 (URL listed below in Notes) and CISA’s “Hunt & Hardening Guidance for Cisco SD-WAN Devices (URL listed below in Notes). Adhere to the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available.

Weaknesses

psirt@cisco.com
CWE-287
nvd@nist.gov
CWE-287

Social media

Hype score
Not currently trending

  1. CISA just revealed a critical Cisco SD-WAN flaw (CVE-2026-20127) was actively exploited since 2023, granting attackers admin access for years. Patching isn't enough; deep compromise requires a full rebuild. https://t.co/GwvqZUwQCb #cybersecurity #cisa #cisco https://t.co/aC3MF1

    @thepixelspulse

    21 Apr 2026

    39 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. 🚨 BREAKING: CISA orders federal agencies to patch actively exploited Cisco SD-WAN flaws granting attackers admin access to government networks. CVE-2026-20127 has been exploited since 2023. #BreakingNews #Cybersecurity #USA #CiscoSDWAN https://t.co/FJ4qFG0Mpt

    @Archange_Shadow

    21 Apr 2026

    58 Impressions

    0 Retweets

    2 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. MAR 2026-A critical vulnerability impacting Cisco Catalyst SD-WAN systems has been identified across the DIB. CVE-2026-20127 is an authentication bypass exploited by nation-state actors since 2023. Per CISA ED 26-03 & NSA advisory, patch & hunt now. #KnowledgeByte #DIB ht

    @DC3VDP

    13 Apr 2026

    121 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. [TECH] **Five Eyes Issue Emergency Directive Over Cisco SD-WAN Zero-Day Exploited Since 2023** CISA and its Five Eyes partners — the UK, Australia, Canada, and New Zealand — issued a coordinated emergency directive Tuesday over CVE-2026-20127, a CVSS 10.0 authentication byp

    @DarkForgeNews

    1 Apr 2026

    69 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. Cisco SD-WAN Zero-Day CVE-2026-20127 Exploited Since 2023 for Admin Access https://t.co/cAGkijADhk #Cisco #SDWAN #CyberSecurity #ZeroDay #CVE2026 https://t.co/YYeB7irMXU

    @blueteamsec1

    27 Mar 2026

    574 Impressions

    2 Retweets

    5 Likes

    3 Bookmarks

    0 Replies

    0 Quotes

  6. 🚨 CVE-2026-20127 (CVSS 10.0): Cisco Catalyst SD-WAN auth bypass → root access, exploited since 2023 (UAT-8616). CISA ED 26-03! https://t.co/hf7QcrCLrM

    @TheRabbitPy

    23 Mar 2026

    53 Impressions

    1 Retweet

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  7. Three major Cisco management platform vulnerabilities in 2026. All in web interfaces. All CVSS 9+. CVE-2026-20131 (FMC) — CVSS 10, RCE as root CVE-2026-20127 (SD-WAN vManage) — RCE CVE-2023-20198 (IOS-XE web UI) — privilege escalation The pattern is undeniable: web-based

    @FirstPassLab

    21 Mar 2026

    47 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  8. CISA warns that patched flaws in Ivanti EPM and Cisco SD-WAN are being actively exploited. Ivanti (CVE-2026-1603): Credential leaks. Cisco (CVE-2026-20127): Auth bypass (exploited since 2023) If you run these, check your patch levels and logs immediately. https://t.co/XFLnC17pPG

    @GetTCT

    16 Mar 2026

    57 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  9. Top 5 Trending CVEs: 1 - CVE-2026-20127 2 - CVE-2023-43010 3 - CVE-2026-21385 4 - CVE-2025-68613 5 - CVE-2026-25185 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W

    @CVEShield

    13 Mar 2026

    243 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  10. ‼️ CVE-2026-20127: Cisco SD-WAN Zero-Day CVE-2026-20127 Exploited Since 2023 for Admin Access. PoC: https://t.co/fbEaySQRfP "This repository contains a working proof-of-concept exploit for CVE-2026-20127, a critical pre-authentication vulnerability in Cisco Catalyst SD-WAN

    @DarkWebInformer

    9 Mar 2026

    6077 Impressions

    9 Retweets

    37 Likes

    19 Bookmarks

    1 Reply

    0 Quotes

  11. PoC is now public for CVE-2026-20127 in Cisco Catalyst SD-WAN. UAT-8616 has been exploiting it since 2023, now anyone can try. Two more SD-WAN flaws also active: CVE-2026-20122 and CVE-2026-20128. Patch window is effectively closed. https://t.co/gZOpZQntR2

    @CybrPulse

    7 Mar 2026

    80 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  12. 3 Cisco SD-WAN CVEs actively exploited in 8 days. Here's the scorecard: CVE-2026-20127 — CVSS 10.0 — Auth bypass zero-day — Exploited since 2023 CVE-2026-20128 — CVSS 5.5 — DCA credential leak — Exploited (confirmed March 5) CVE-2026-20122 — CVSS 7.1 — File overw

    @FirstPassLab

    5 Mar 2026

    101 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  13. Top 5 Trending CVEs: 1 - CVE-2026-25253 2 - CVE-2026-20127 3 - CVE-2025-59536 4 - CVE-2026-27509 5 - CVE-2026-27739 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W

    @CVEShield

    27 Feb 2026

    246 Impressions

    0 Retweets

    2 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  14. #AppSec #Threat_Research 1⃣ Abusing Cortex XDR Live https://t.co/iDFLbQUjDQ 2⃣ Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability (CVE-2026-20127) https://t.co/BCwOGH8XHu 3⃣ OpenSSL Vulnerability (CVE-2025-15467) https://t.co/0CF1aieVHL

    @ksg93rd

    26 Feb 2026

    425 Impressions

    3 Retweets

    9 Likes

    6 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. Double free in Windows IKE Extension allows an unauthorized attacker to execute code over a network.CVE-2026-33824
  2. Adobe Acrobat and Reader Prototype Pollution VulnerabilityCVE-2026-34621
  3. The Semtech LR11xx LoRa transceivers running early versions of firmware contains an information disclosure vulnerability in its firmware validation functionality. When a host issues a firmware validity check command via the SPI interface, the device decrypts the provided encrypted firmware package block-by-block to validate its integrity. However, the last decrypted firmware block remains uncleared in memory after the validation process completes. An attacker with access to the SPI interface can subsequently issue memory read commands to retrieve the decrypted firmware contents from this residual memory, effectively bypassing the firmware encryption protection mechanism. The attack requires physical access to the device's SPI interface.CVE-2025-14858
  4. Fortinet FortiClient EMS Improper Access Control VulnerabilityCVE-2026-35616
  5. A specific endpoint allows authenticated users to pivot to other user profiles by modifying the id number in the API call.CVE-2026-25197

References

Sources include official advisories and independent security research.