CVE-2026-20127

Published Feb 25, 2026

Last updated 11 days ago

Exploit knownCVSS critical 10.0
Bgp

Overview

Description
A vulnerability in the peering authentication in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system. This vulnerability exists because the peering authentication mechanism in an affected system is not working properly. An attacker could exploit this vulnerability by sending crafted requests to an affected system. A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account. Using this account, the attacker could access NETCONF, which would then allow the attacker to manipulate network configuration for the SD-WAN fabric. 
Source
psirt@cisco.com
NVD status
Analyzed
Products
catalyst_sd-wan_manager, sd-wan_vsmart_controller

Risk scores

CVSS 3.1

Type
Primary
Base score
10
Impact score
6
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Severity
CRITICAL

Known exploits

Data from CISA

Vulnerability name
Cisco Catalyst SD-WAN Controller and Manager Authentication Bypass Vulnerability
Exploit added on
Feb 25, 2026
Exploit action due
Feb 27, 2026
Required action
Please adhere to CISA’s guidelines to assess exposure and mitigate risks associated with Cisco SD-WAN devices as outlines in CISA’s Emergency Directive 26-03 (URL listed below in Notes) and CISA’s “Hunt & Hardening Guidance for Cisco SD-WAN Devices (URL listed below in Notes). Adhere to the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available.

Weaknesses

psirt@cisco.com
CWE-287
nvd@nist.gov
CWE-287

Social media

Hype score
Not currently trending

  1. 3 Cisco SD-WAN CVEs actively exploited in 8 days. Here's the scorecard: CVE-2026-20127 — CVSS 10.0 — Auth bypass zero-day — Exploited since 2023 CVE-2026-20128 — CVSS 5.5 — DCA credential leak — Exploited (confirmed March 5) CVE-2026-20122 — CVSS 7.1 — File overw

    @Felix1325456

    5 Mar 2026

    101 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. Top 5 Trending CVEs: 1 - CVE-2026-25253 2 - CVE-2026-20127 3 - CVE-2025-59536 4 - CVE-2026-27509 5 - CVE-2026-27739 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W

    @CVEShield

    27 Feb 2026

    246 Impressions

    0 Retweets

    2 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. #AppSec #Threat_Research 1⃣ Abusing Cortex XDR Live https://t.co/iDFLbQUjDQ 2⃣ Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability (CVE-2026-20127) https://t.co/BCwOGH8XHu 3⃣ OpenSSL Vulnerability (CVE-2025-15467) https://t.co/0CF1aieVHL

    @ksg93rd

    26 Feb 2026

    425 Impressions

    3 Retweets

    9 Likes

    6 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. A vulnerability in the Data Collection Agent (DCA) feature of Cisco Catalyst SD-WAN Manager could allow an authenticated, local attacker to gain DCA user privileges on an affected system. To exploit this vulnerability, the attacker must have valid vmanage credentials on the affected system. This vulnerability is due to the presence of a credential file for the DCA user on an affected system. An attacker could exploit this vulnerability by accessing the filesystem as a low-privileged user and reading the file that contains the DCA password from that affected system. A successful exploit could allow the attacker to access another affected system and gain DCA user privileges. Note: Cisco Catalyst SD-WAN Manager releases 20.18 and later are not affected by this vulnerability.CVE-2026-20128
  2. A vulnerability in the API user authentication of Cisco Catalyst SD-WAN Manager could allow an unauthenticated, remote attacker to gain access to an affected system as a user who has the netadmin role. The vulnerability is due to improper authentication for requests that are sent to the API. An attacker could exploit this vulnerability by sending a crafted request to the API of an affected system. A successful exploit could allow the attacker to execute commands with the privileges of the netadmin role. Note: Cisco Catalyst SD-WAN Manager releases 20.18 and later are not affected by this vulnerability. CVE-2026-20129
  3. A vulnerability in Cisco Catalyst SD-WAN Manager could allow an unauthenticated, remote attacker to view sensitive information on an affected system. This vulnerability is due to insufficient file system access restrictions. An attacker could exploit this vulnerability by accessing the API of an affected system. A successful exploit could allow the attacker to read sensitive information on the underlying operating system.CVE-2026-20133
  4. A vulnerability in Cisco Catalyst SD-WAN Manager could allow an authenticated, local attacker with low privileges to gain root privileges on the underlying operating system. This vulnerability is due to an insufficient user authentication mechanism in the REST API. An attacker could exploit this vulnerability by sending a request to the REST API of the affected system. A successful exploit could allow the attacker to gain root privileges on the underlying operating system.CVE-2026-20126
  5. A vulnerability in the API of Cisco Catalyst SD-WAN Manager could allow an authenticated, remote attacker to overwrite arbitrary files on the local file system. To exploit this vulnerability, the attacker must have valid read-only credentials with API access on the affected system. This vulnerability is due to improper file handling on the API interface of an affected system. An attacker could exploit this vulnerability by uploading a malicious file on the local file system. A successful exploit could allow the attacker to overwrite arbitrary files on the affected system and gain vmanage user privileges.CVE-2026-20122

References

Sources include official advisories and independent security research.